1 00:00:00,810 --> 00:00:08,850 Hi, within this lecture, we're going to see what we should do when we first hack into a system and 2 00:00:08,850 --> 00:00:14,910 then we are trying to enumerate some information, we're trying to gather some information related to 3 00:00:14,910 --> 00:00:19,360 that system in order to find various ways to escalate our privileges. 4 00:00:19,770 --> 00:00:24,900 So if you run ls -la in our Debian system, you will see a folder called tools. 5 00:00:25,200 --> 00:00:31,770 If you go over there and write ls -la, you can see there are a lot of tools over here available for 6 00:00:31,770 --> 00:00:32,860 your convenience. 7 00:00:33,180 --> 00:00:40,210 So these are placed in the vulnerable machine for you so that you can understand how to use them. 8 00:00:40,530 --> 00:00:47,400 But again, these are tools that you can actually use within a real pentest as well. 9 00:00:47,610 --> 00:00:49,610 But I will try to avoid it. 10 00:00:49,800 --> 00:00:57,300 I will try to avoid using them, at least in an intense way, in this section, because we want to learn 11 00:00:57,300 --> 00:01:06,270 how the manual ways actually work, in a better way, so that we can do whatever we want to 12 00:01:06,270 --> 00:01:08,520 do in any given environment. 13 00:01:08,820 --> 00:01:16,170 For example, Linux Exploit Suggester is a fantastic tool, but maybe you cannot download anything when 14 00:01:16,170 --> 00:01:20,180 you hack into a server, even into the /tmp folder as well. 15 00:01:20,430 --> 00:01:26,460 So maybe, even though you know how to use it, even though you know it's a very good tool, maybe 16 00:01:26,460 --> 00:01:28,350 you will not be able to use it. 17 00:01:28,560 --> 00:01:35,120 So you should understand what you should do in order to enumerate, in order to gather information. 18 00:01:35,490 --> 00:01:38,820 So first of all, let me show you what I mean by Linux 19 00:01:38,970 --> 00:01:39,930 Exploit Suggester.
20 00:01:40,170 --> 00:01:46,260 If you search for Linux Exploit Suggester in Google, you will be presented with a lot of options. 21 00:01:46,260 --> 00:01:48,530 And this is the one that we are looking for. 22 00:01:48,990 --> 00:01:52,280 As you can see, this is a Bash script, OK? 23 00:01:52,920 --> 00:02:01,920 It actually tries to gather information related to a given system and search for ways to exploit 24 00:02:01,920 --> 00:02:09,840 and search for ways to escalate your privilege, so you can just run it here and see for yourselves. 25 00:02:10,260 --> 00:02:17,640 But again, doing all of those things manually will be better for you, at least for this course. 26 00:02:17,820 --> 00:02:23,880 And after that, if you learn about this stuff, you can always come back, or you can always 27 00:02:23,880 --> 00:02:30,060 use Linux Exploit Suggester in a real-world example or in a real CTF as well. 28 00:02:30,460 --> 00:02:36,780 OK, so I'm going to go back and say clear. So what should we do when we first hack into a system? 29 00:02:37,380 --> 00:02:38,720 Of course you may want to run 30 00:02:38,730 --> 00:02:39,330 whoami, 31 00:02:39,750 --> 00:02:46,320 because you may want to see what kind of user you're in, and you may want to run id to see the groups 32 00:02:46,320 --> 00:02:50,370 that you belong to or what kind of ID you are using right now. 33 00:02:50,850 --> 00:02:57,540 You can run uname -a in order to understand what kind of Linux version you're currently in, 34 00:02:57,810 --> 00:03:03,090 so that maybe you can understand the kernel exploits that you can leverage. 35 00:03:03,360 --> 00:03:06,540 We're going to see about that in a couple of lectures. 36 00:03:06,660 --> 00:03:15,840 OK, of course you can go for cat /proc/version to gather maybe a little bit more detailed version 37 00:03:15,840 --> 00:03:17,760 of the Linux that you're in.
38 00:03:18,180 --> 00:03:25,650 You can also cat /etc/issue to see if any description or any kind of useful information is over 39 00:03:25,650 --> 00:03:26,610 there or not. 40 00:03:27,330 --> 00:03:36,120 And then later, try to do this when you just hack into a system, OK, just do this automatically: run 41 00:03:36,120 --> 00:03:36,690 whoami, 42 00:03:36,690 --> 00:03:39,390 uname -a, cat /proc/version, cat 43 00:03:39,390 --> 00:03:40,530 /etc/issue. 44 00:03:40,770 --> 00:03:44,910 And try to understand what you can do with this information. 45 00:03:45,330 --> 00:03:51,390 There are a lot of kernel exploits that can be used in CTFs and also in real-life 46 00:03:51,390 --> 00:03:52,350 pentests as well. 47 00:03:52,770 --> 00:03:56,850 You can run ps like this: ps aux. 48 00:03:57,060 --> 00:03:57,630 Sorry. 49 00:03:58,320 --> 00:04:06,120 So this ps aux will give you the current processes that are going on in the system. 50 00:04:06,360 --> 00:04:09,450 So you can see if there is anything funny going on. 51 00:04:09,660 --> 00:04:16,830 Ah, you can see what kind of users are running what kind of operations, what kind of processes. 52 00:04:17,130 --> 00:04:19,710 Maybe we can gather some information over here. 53 00:04:20,070 --> 00:04:27,450 Maybe you can see the Apache server is running under this user and some other process is running under 54 00:04:27,450 --> 00:04:28,290 this user. 55 00:04:28,500 --> 00:04:34,440 So if I can do something with that, it may lead to privilege escalation, something like that. 56 00:04:34,530 --> 00:04:42,210 It's always a good idea to run ps, or ps aux, in order to see all these details over here. 57 00:04:42,540 --> 00:04:50,460 OK, so maybe you can create a notes.txt as usual and just put all of this information in there in 58 00:04:50,460 --> 00:04:55,560 order to keep your notes in a structured way, in a simplified way. 59 00:04:56,100 --> 00:04:57,060 But it's your call.
60 00:04:58,050 --> 00:04:59,790 Maybe you can just cat 61 00:04:59,890 --> 00:05:01,040 /etc/passwd. 62 00:05:01,060 --> 00:05:04,090 Of course, you can do that, and of course, you should do that. 63 00:05:04,300 --> 00:05:10,840 You can see different users over here and you can see what kind of things they're doing over there. 64 00:05:11,140 --> 00:05:19,570 And be aware that even though we actually cat /etc/passwd all the time, we see all these bashes, 65 00:05:19,570 --> 00:05:22,720 we see all these shells, but we don't see the password. 66 00:05:22,720 --> 00:05:23,050 Right. 67 00:05:23,470 --> 00:05:30,260 Even though it's called passwd, it doesn't contain any password in this file. 68 00:05:30,670 --> 00:05:35,290 So it used to, it used to contain the passwords actually over here. 69 00:05:35,650 --> 00:05:41,710 But then Linux actually separated this password into another file. 70 00:05:42,250 --> 00:05:48,270 So /etc/passwd only contains this information, whereas /etc/shadow... 71 00:05:48,280 --> 00:05:51,160 So make sure you cat /etc/shadow as well. 72 00:05:51,340 --> 00:05:58,450 /etc/shadow actually contains the passwords over there, and most of the time we're going to have to become 73 00:05:58,450 --> 00:06:01,780 root in order to see /etc/shadow. 74 00:06:02,140 --> 00:06:03,400 But it's worth a shot. 75 00:06:03,400 --> 00:06:09,550 If you hack into something like some server, make sure you check cat /etc/shadow as well. 76 00:06:09,730 --> 00:06:15,920 If you can get the passwords over there, then it would be very easy for you to decrypt these passwords. 77 00:06:15,940 --> 00:06:17,260 Of course, it's going to be hashed. 78 00:06:17,260 --> 00:06:20,620 It's not going to be like a simple string. 79 00:06:20,830 --> 00:06:28,090 But again, you can try to decrypt it and then you can actually use the root password to become root, 80 00:06:28,090 --> 00:06:30,430 or any other passwords that you can gather.
81 00:06:31,270 --> 00:06:37,000 So if you run ifconfig, of course, you can see the current IP addresses and stuff. 82 00:06:37,690 --> 00:06:41,500 So far over here, we don't have any fancy thing going on. 83 00:06:41,680 --> 00:06:43,840 We only have the eth0. 84 00:06:44,050 --> 00:06:52,570 But if you have some other networks connected to each other, like in a complex network, maybe if you 85 00:06:52,570 --> 00:06:59,470 hack into a corporate server or something like that, you can always run ip route in order to understand 86 00:06:59,710 --> 00:07:01,840 how they're connected to each other. 87 00:07:01,990 --> 00:07:09,190 And if you can actually go from here to another network or something like that, it's always a good 88 00:07:09,190 --> 00:07:11,120 idea to check it as well. 89 00:07:11,650 --> 00:07:12,130 OK? 90 00:07:12,710 --> 00:07:21,160 And of course, we can check for the ARP tables. If you got the complete ethical hacking course from 91 00:07:21,160 --> 00:07:21,610 me, 92 00:07:22,180 --> 00:07:28,470 we have checked that a lot during the Man in the Middle framework attacks, if you might remember. 93 00:07:28,900 --> 00:07:35,290 So you can just run arp, of course. In this case, you can just run arp -a as well in order to 94 00:07:35,290 --> 00:07:40,520 see the MAC addresses and the IP address pairings over here. 95 00:07:40,550 --> 00:07:44,650 However, in this case, we don't get much because it's simple. 96 00:07:45,430 --> 00:07:47,890 It's a simple CTF over here. 97 00:07:48,010 --> 00:07:49,240 It's not even a CTF. 98 00:07:49,250 --> 00:07:52,840 We just hack in and try to escalate our privileges. 99 00:07:53,020 --> 00:07:55,750 But make sure you take in all of that. 100 00:07:55,750 --> 00:08:02,510 You can just look for ifconfig, arp, arp -a and ip route in the networking section. 101 00:08:03,010 --> 00:08:06,190 Of course, you can locate the passwords like this.
102 00:08:06,190 --> 00:08:13,270 You can just run locate password to see if a user, for example, just saved a file called password.txt 103 00:08:13,270 --> 00:08:16,240 in which, unsecured, 104 00:08:16,240 --> 00:08:18,040 they saved their passwords. 105 00:08:18,220 --> 00:08:22,720 And as you can see, there are a lot of password.* files over here. 106 00:08:22,870 --> 00:08:26,890 It's worth a shot to check it to see if you can get something out of it. 107 00:08:27,250 --> 00:08:29,520 And this is a real-life example. 108 00:08:29,540 --> 00:08:36,910 Okay, people do this all the time, so maybe we can just get this out and try to see if we can get something 109 00:08:37,240 --> 00:08:38,370 useful over here. 110 00:08:38,860 --> 00:08:41,630 So even though in this case we don't get it, 111 00:08:41,800 --> 00:08:47,130 make sure you check for the passwords. So you can check it with locate or find. 112 00:08:47,140 --> 00:08:50,020 You can just run find -name password. 113 00:08:50,230 --> 00:08:57,880 If you do that, you will get a lot of results like this, because libraries or the Linux system files 114 00:08:57,880 --> 00:09:02,680 and folders contain a lot of things called password as well. 115 00:09:02,800 --> 00:09:10,450 So it really doesn't mean that you get something useful out of this, but also you may simplify the find 116 00:09:10,870 --> 00:09:12,310 command that you run. 117 00:09:12,460 --> 00:09:18,460 And I believe I did something wrong, because we are getting a lot of things over here. 118 00:09:19,030 --> 00:09:20,860 It won't be useful at all. 119 00:09:21,400 --> 00:09:22,260 Yeah, there we go. 120 00:09:22,270 --> 00:09:30,580 So I misspelled -name password, so it should be something like this: -name and then password, 121 00:09:30,580 --> 00:09:31,150 like that. 122 00:09:31,300 --> 00:09:40,390 OK, so maybe we can just actually redirect this into /dev/null as well so that we get rid of the error output over 123 00:09:40,390 --> 00:09:41,010 here.
124 00:09:41,590 --> 00:09:48,100 OK, and here you go. With this we found one, OK, that, that, that is the one that we have found with 125 00:09:48,100 --> 00:09:49,900 locate as well, I believe. 126 00:09:50,740 --> 00:09:58,510 But again, just make sure that you run it like this, or you can actually search for the id_rsa, for 127 00:09:58,510 --> 00:09:59,610 example, you know, 128 00:09:59,750 --> 00:10:06,980 to find any file that may lead you to another server, or maybe in a privileged way in the same server 129 00:10:07,130 --> 00:10:09,920 as well, but in this case, we don't have that. 130 00:10:10,670 --> 00:10:17,780 So these are some basic steps that you need to do for enumeration once you get into a system, so you 131 00:10:17,780 --> 00:10:20,030 can gather much more information over here. 132 00:10:20,040 --> 00:10:22,450 Of course, you can use the Exploit Suggester. 133 00:10:22,640 --> 00:10:26,300 You can use some other automated tools as well. 134 00:10:26,570 --> 00:10:33,680 However, make sure you take in all of those and do this manually in order to learn this stuff, at 135 00:10:33,680 --> 00:10:36,300 least for the CTFs that you're working on. 136 00:10:36,620 --> 00:10:38,900 After that, you can run an automated test. 137 00:10:38,900 --> 00:10:44,300 Of course, that will be much faster and that will be much more comprehensive than what you generally 138 00:10:44,300 --> 00:10:44,740 do. 139 00:10:45,020 --> 00:10:52,400 But again, to understand the theory, to understand what each, what you should do, it's always a good 140 00:10:52,400 --> 00:10:53,960 idea to run this manually. 141 00:10:54,590 --> 00:10:58,310 So another command that you should run is history. As you can see, 142 00:10:58,310 --> 00:11:06,680 it gives me, it gives us the history of the commands that have been executed in this shell. 143 00:11:07,040 --> 00:11:09,470 And over here we see a lot of things.
144 00:11:10,100 --> 00:11:12,880 Maybe it will do much, maybe it won't do much. 145 00:11:13,040 --> 00:11:14,480 However, it's worth a shot. 146 00:11:14,750 --> 00:11:23,810 OK, so you can maybe see some, like, passwords, or maybe some useful commands that the previously 147 00:11:23,810 --> 00:11:26,150 logged-in user has executed. 148 00:11:26,300 --> 00:11:30,940 And we can just leverage that as well in our testing. 149 00:11:31,940 --> 00:11:33,120 So far, so good. 150 00:11:33,140 --> 00:11:34,450 I believe it's done. 151 00:11:34,460 --> 00:11:40,580 We're going to stop here and continue within the next lecture with our first leverage, first escalation.