1 00:00:00,570 --> 00:00:06,610 Hi, within this lecture, we're going to explore the kernel exploits.
2 00:00:06,960 --> 00:00:14,640 So these are the most common ways of privilege escalation that you will encounter during CTFs or real
3 00:00:14,650 --> 00:00:15,420 pentests.
4 00:00:15,630 --> 00:00:22,050 So in order to understand this, we're going to do a lot of practice and we're going to see some different
5 00:00:22,050 --> 00:00:25,310 tools that you can use in this case.
6 00:00:25,680 --> 00:00:30,030 So I'm going to go into the tools folder that we have over here.
7 00:00:30,240 --> 00:00:36,770 And as I said before, we're going to avoid using these tools in this current section.
8 00:00:37,020 --> 00:00:47,610 But again, you should know how to use them in order to understand their usage, in order to actually leverage
9 00:00:47,610 --> 00:00:51,820 these tools if your environment is supporting them.
10 00:00:51,960 --> 00:00:58,290 So if you can download some tools, if you can use wget, for example, then it's a very good way
11 00:00:58,290 --> 00:01:00,500 to explore these kernel exploits.
12 00:01:00,630 --> 00:01:02,820 We're going to talk about the kernel exploits.
13 00:01:02,820 --> 00:01:03,900 Don't worry about it.
14 00:01:04,470 --> 00:01:11,190 So I'm going to go into the tools folder and I'm going to try to download something to see if we can
15 00:01:11,190 --> 00:01:13,320 actually do that.
16 00:01:13,330 --> 00:01:19,250 So let me try to ping google.com and see if we can get an Internet connection over here.
17 00:01:19,530 --> 00:01:28,490 As you can see, it seems that it starts pinging, but I'm not very sure about this, OK?
18 00:01:28,980 --> 00:01:35,190 It seems like it starts pinging this thing, but it doesn't actually get a response back.
19 00:01:35,370 --> 00:01:38,430 So I don't know if we can connect to the Internet or not.
20 00:01:38,910 --> 00:01:47,580 So, for example, we can just stop this with Ctrl+C, and we can come over here and try to find
21 00:01:47,580 --> 00:01:50,500 some exploit suggesters that we can use.
22 00:01:51,120 --> 00:01:53,760 So I'm going to share those things with you.
23 00:01:54,210 --> 00:01:56,580 And there is a tool called LinEnum.
24 00:01:56,580 --> 00:02:01,020 So it stands for Linux Enumeration, and LinPEAS.
25 00:02:01,260 --> 00:02:06,580 And there is WinPEAS as well, a Windows privilege escalation suggester.
26 00:02:06,900 --> 00:02:15,390 OK, so this Linux privilege escalation suggester and LinEnum are actually very
27 00:02:15,390 --> 00:02:16,250 strong.
28 00:02:16,260 --> 00:02:19,080 And also the Linux Exploit Suggester as well.
29 00:02:19,260 --> 00:02:22,380 So there are a lot of tools that you can leverage over here.
30 00:02:22,620 --> 00:02:26,210 So search for LinEnum and just find this, OK?
31 00:02:26,250 --> 00:02:34,650 So this is under rebootuser and you can just get the LinEnum.sh in order to run it and try
32 00:02:34,650 --> 00:02:41,910 to find the kernel exploits over here. Again, I'm going to show you what a kernel exploit is.
33 00:02:41,930 --> 00:02:43,270 Don't worry about it yet.
34 00:02:43,770 --> 00:02:50,250 For example, you can even copy and paste this thing if you want, but you can, of course, copy the
35 00:02:50,250 --> 00:02:54,160 link over here and try to download it with wget.
36 00:02:54,600 --> 00:03:01,210 OK, so if you run this, as you can see, I believe we're connecting to that website.
37 00:03:01,410 --> 00:03:03,620 Let's see if we can download it, really.
38 00:03:04,050 --> 00:03:08,970 OK, and if we can, very good; if we cannot, then we cannot use this.
39 00:03:09,180 --> 00:03:14,940 Maybe we can try to copy and paste, as I said before, or maybe we can use the Linux Exploit Suggester
40 00:03:14,950 --> 00:03:19,060 that comes with the tool, that comes with the box itself.
41 00:03:19,560 --> 00:03:22,080 But again, this is not working.
42 00:03:22,090 --> 00:03:27,280 This doesn't seem to be working in this case because we cannot connect to the Internet.
43 00:03:27,870 --> 00:03:36,000 So this can be the case in many penetration tests that you actually take part in.
44 00:03:36,270 --> 00:03:40,730 And again, if you cannot download it, then you should know what to do.
45 00:03:40,830 --> 00:03:41,230 Right.
46 00:03:41,250 --> 00:03:44,850 So that's why we are focusing on the manual side of things.
47 00:03:45,240 --> 00:03:50,310 That's why we are not only seeing the automated things over here.
48 00:03:50,580 --> 00:03:57,770 So I'm going to Ctrl+C out of this and I'm going to go over to my user directory over here.
49 00:03:58,410 --> 00:04:00,900 So let me just go to home, sorry.
50 00:04:01,320 --> 00:04:10,820 And we can go into the user directory and just say ls, and let's go into tools and let's use this
51 00:04:10,830 --> 00:04:13,000 Linux Exploit Suggester, for example.
52 00:04:13,470 --> 00:04:20,910 So pretend that you were able to download this and you were able to get the bash script over here.
53 00:04:20,910 --> 00:04:28,260 Or you may just try to copy and paste the thing; you can just nano it and just create it yourself.
54 00:04:28,530 --> 00:04:35,100 You can just change it to executable by running chmod 777 on that file.
55 00:04:35,110 --> 00:04:35,460 Right.
56 00:04:35,760 --> 00:04:42,100 So if I execute this, OK, if I execute this .sh, then it will give me some results back.
57 00:04:42,300 --> 00:04:44,010 So what are those results?
58 00:04:44,040 --> 00:04:49,130 So this is exactly what other tools do as well, maybe in a more comprehensive way.
59 00:04:49,440 --> 00:04:53,910 But again, over here we have a lot of exploit suggestions.
60 00:04:54,570 --> 00:04:56,840 So these are kernel exploits.
61 00:04:57,180 --> 00:04:59,910 So our Linux has a kernel, and
62 00:04:59,950 --> 00:05:06,850 you might already know, this kernel might be vulnerable to some privilege escalation attacks,
63 00:05:07,120 --> 00:05:14,200 and if we can leverage that, then we can become root, or we can become more privileged in a way, so
64 00:05:14,200 --> 00:05:16,330 that we can complete our task.
65 00:05:16,570 --> 00:05:22,510 And as you can see in our case, we get a lot of different exploit suggestions over here.
66 00:05:22,870 --> 00:05:26,770 So Dirty COW is actually one of the most popular ones.
67 00:05:26,980 --> 00:05:29,610 And Dirty COW 2 as well.
68 00:05:29,920 --> 00:05:35,200 And it doesn't mean that these are all going to succeed,
69 00:05:35,890 --> 00:05:39,160 even though we get a lot of suggestions over here.
70 00:05:39,310 --> 00:05:42,550 Maybe some of them will work, maybe some of them won't.
71 00:05:43,060 --> 00:05:47,930 But it's our duty to actually try and see if they work or not.
72 00:05:48,130 --> 00:05:52,360 So this one over here, the .sh one, is very popular.
73 00:05:52,800 --> 00:05:55,340 It has a lot of popularity here as well.
74 00:05:55,750 --> 00:06:03,250 OK, but anyway, in any case, we can try to just leverage them all one by one.
75 00:06:03,550 --> 00:06:11,880 OK, so these are all vulnerabilities that are, or that may be, related to our Linux version.
76 00:06:12,190 --> 00:06:21,280 So if your pentest, if your target server doesn't have the most updated version, which they currently
77 00:06:21,280 --> 00:06:28,780 are, which they hardly ever do, you can try to just go to the GitHub page of one of the exploit
78 00:06:28,780 --> 00:06:35,140 suggestions like this and download the exploit itself and try to use it.
79 00:06:35,530 --> 00:06:40,840 So in this case, I'm trying to download the Dirty COW itself.
80 00:06:40,850 --> 00:06:43,330 OK, it gives us a C code.
81 00:06:43,540 --> 00:06:48,570 So I'm just going to close this one because I want to show you the page itself.
82 00:06:48,580 --> 00:06:52,290 So let me try to find the page itself.
83 00:06:52,300 --> 00:06:56,160 Let me go to Google and search for "dirty cow exploit".
84 00:06:56,560 --> 00:06:58,130 OK, and here you go.
85 00:06:58,330 --> 00:07:00,250 This is a Linux kernel exploit.
86 00:07:01,150 --> 00:07:05,730 So in the Exploit Database, we can see the actual code itself.
87 00:07:06,100 --> 00:07:07,410 So maybe you don't know
88 00:07:07,420 --> 00:07:10,110 C, maybe you don't understand all of this.
89 00:07:10,120 --> 00:07:11,500 It really doesn't matter.
90 00:07:11,770 --> 00:07:18,310 As you can see, there is a C code over here that leverages that vulnerability and tries to escalate
91 00:07:18,310 --> 00:07:20,740 the privilege by running some code.
92 00:07:21,250 --> 00:07:27,960 It's OK that you don't understand it, but you should understand how to execute this on your own server,
93 00:07:28,120 --> 00:07:37,390 OK, because if you find an exploit, if you find an actual possible exploit like Dirty COW or any other
94 00:07:37,870 --> 00:07:44,800 exploits that we have seen in that list, then you should go to Exploit-DB and try to download the
95 00:07:44,800 --> 00:07:46,900 code and execute it yourselves.
96 00:07:47,410 --> 00:07:52,120 And again, maybe it won't be possible for you to download the whole code by running
97 00:07:52,120 --> 00:07:59,110 wget; maybe you can just copy and paste, and if you're a psycho, you can just write it by looking over
98 00:07:59,110 --> 00:08:02,820 here on your own onto your target system as well.
99 00:08:03,190 --> 00:08:09,180 But again, if you can find a way to download it, it would be much faster for you.
100 00:08:09,580 --> 00:08:14,530 So theoretically, we have found a possible vulnerability over here.
101 00:08:14,530 --> 00:08:21,750 I mean, we are trying to exploit it by executing some code and we are getting this code from the Exploit
102 00:08:21,790 --> 00:08:23,110 Database itself.
103 00:08:23,650 --> 00:08:30,550 So let me just come back over here, OK, to our suggestions.
104 00:08:30,700 --> 00:08:34,330 Again, you can try all the other ones here as well.
105 00:08:34,570 --> 00:08:42,730 And again, this Linux Exploit Suggester is a very good tool that you can actually use in your own pentests.
106 00:08:43,210 --> 00:08:46,600 You can try to use all the other exploits over here.
107 00:08:46,840 --> 00:08:51,310 I'm showing you the Dirty COW because it's one of the most popular ones.
108 00:08:51,760 --> 00:09:00,280 So if you run uname -a, you can try to search for this exact version over here on Google in order
109 00:09:00,280 --> 00:09:06,390 to understand if there's any vulnerability related to that, rather than using Linux Exploit Suggester.
110 00:09:06,530 --> 00:09:07,930 It's like this.
111 00:09:08,110 --> 00:09:14,470 OK, as you can see, it's already been searched within Google a lot of times.
112 00:09:14,620 --> 00:09:15,730 And when we search it,
113 00:09:15,730 --> 00:09:19,720 we can directly go to the article that we have found before.
114 00:09:20,320 --> 00:09:26,980 So if you cannot reach Linux Exploit Suggester in a real-life example, then it won't matter a lot
115 00:09:27,130 --> 00:09:30,250 because you can actually find it online as well.
116 00:09:30,790 --> 00:09:33,970 OK, so this is the logic behind it.
117 00:09:33,970 --> 00:09:39,610 If you can reach the automated tools, then it's very good that you can get the exact results.
118 00:09:39,730 --> 00:09:42,460 But if you cannot, again, you know how to run
119 00:09:42,460 --> 00:09:43,360 uname -a.
120 00:09:43,360 --> 00:09:49,690 Now you know how to get the current version of the Linux that you are in so that you can search for
121 00:09:49,690 --> 00:09:53,910 it in Exploit-DB or any other database as well.
122 00:09:54,520 --> 00:09:59,640 So in this case, we're going to try Dirty COW to see if this works or not.
123 00:09:59,890 --> 00:10:03,440 And I believe these are the same things over here.
124 00:10:03,730 --> 00:10:07,230 So, again, there are a lot of codes over there.
125 00:10:07,240 --> 00:10:08,760 I'm not going to go over them.
126 00:10:08,890 --> 00:10:16,750 Maybe you don't even know how to write C, but we can try to download this tool and use it in our
127 00:10:16,750 --> 00:10:21,330 own, actually, tools, in our own server over here.
128 00:10:21,820 --> 00:10:26,020 And for convenience, again, I placed the Dirty COW over here.
129 00:10:26,170 --> 00:10:28,120 So you can just cd into that,
130 00:10:28,120 --> 00:10:30,190 and ls to see that
131 00:10:30,190 --> 00:10:30,560 .c.
132 00:10:30,910 --> 00:10:33,610 So this is the file that has been given to us.
133 00:10:33,800 --> 00:10:36,460 Again, if you can wget it, then it's OK.
134 00:10:36,940 --> 00:10:38,420 Maybe you can get it with git.
135 00:10:38,420 --> 00:10:39,940 Then again, it's OK.
136 00:10:40,420 --> 00:10:42,070 Maybe you can copy and paste it.
137 00:10:42,070 --> 00:10:42,910 It's OK.
138 00:10:43,060 --> 00:10:47,790 Just make sure that you have the tool available on your target server.
139 00:10:48,310 --> 00:10:50,340 So this is a C file.
140 00:10:50,430 --> 00:10:58,210 OK, first of all, to make, we need to make sure that we can execute it, so we cannot actually
141 00:10:58,210 --> 00:11:02,120 run the code by just typing the C code.
142 00:11:02,170 --> 00:11:03,760 OK, we need to convert that.
143 00:11:04,960 --> 00:11:14,710 So if you go to gcc over here, you can just search for gcc online; you can see the Dirty COW usage.
144 00:11:15,350 --> 00:11:24,590 OK, so first of all, we need to actually convert this into an executable using a tool called gcc.
145 00:11:25,000 --> 00:11:32,640 So this gcc actually takes in the C code and gives an output, OK?
146 00:11:32,980 --> 00:11:40,150 And it uses some parameters like -pthread. Parameters can actually change from exploit to exploit and
147 00:11:40,150 --> 00:11:47,080 you can see how to use them in their respective GitHub sites or in Exploit-DB as well.
148 00:11:47,560 --> 00:11:54,090 So in this case, as you can see, we are using examples for 32-bit and 64-bit.
149 00:11:54,340 --> 00:12:00,830 So I'm going to go for, over here, gcc cow.c, and this -o is with a zero, I believe.
150 00:12:01,240 --> 00:12:09,820 So over here we're going to use -pthread again, and we need an output file to just give an output, an
151 00:12:09,820 --> 00:12:11,990 executable of the C file.
152 00:12:12,340 --> 00:12:15,180 So I'm going to call this dirtycow.
153 00:12:15,460 --> 00:12:18,550 Obviously, you can call this anything you want.
154 00:12:18,550 --> 00:12:21,710 In this case, I just called it dirtycow, as you can see.
155 00:12:22,240 --> 00:12:29,530 Let's check to see if we can execute this, or maybe we should run chmod 777 on that.
156 00:12:30,010 --> 00:12:31,060 Let's check and see.
157 00:12:31,060 --> 00:12:31,740 Here you go.
158 00:12:31,750 --> 00:12:33,160 We can execute this.
159 00:12:33,490 --> 00:12:40,180 And as you can see, it says "DirtyCow root privilege escalation", "Backing up".
160 00:12:40,450 --> 00:12:45,940 So it's trying to back up some kind of passwd file into a temporary folder.
161 00:12:46,270 --> 00:12:49,410 And we're going to wait until it's finished.
162 00:12:49,630 --> 00:12:51,340 It may take time.
163 00:12:51,340 --> 00:12:53,710 It may take a little bit of time over here.
164 00:12:54,070 --> 00:12:56,740 So make sure you wait until it's completed.
165 00:12:57,040 --> 00:13:00,630 And I believe I have used this before.
166 00:13:00,970 --> 00:13:08,140 If it doesn't complete within a minute or something like that, we can try to exit out of this one.
167 00:13:08,350 --> 00:13:15,110 But I'm going to wait and see. OK, it shouldn't take more than one minute or something like that.
168 00:13:15,670 --> 00:13:21,640 Meanwhile, make sure you understand what we are doing over here, OK?
169 00:13:21,640 --> 00:13:25,150 We have just selected Dirty COW as a test.
170 00:13:25,150 --> 00:13:27,250 Maybe it will work, maybe it won't.
171 00:13:27,460 --> 00:13:33,670 We have a lot of suggestions over here and we can just use any of them.
172 00:13:34,090 --> 00:13:35,050 And here you go.
173 00:13:35,260 --> 00:13:37,870 I believe now it's completed. Again,
174 00:13:37,870 --> 00:13:43,990 if it takes more than one minute, maybe you can try to Ctrl+C over there somewhere. Run passwd
175 00:13:43,990 --> 00:13:44,650 over here.
176 00:13:44,800 --> 00:13:54,910 And once I run passwd, as you can see, I became root. So, and I actually lost the connection for some
177 00:13:54,910 --> 00:13:55,480 reason.
178 00:13:55,630 --> 00:13:58,120 I don't know why we lost the connection.
179 00:13:58,390 --> 00:13:59,350 Let's see.
180 00:13:59,350 --> 00:14:01,510 Let's come over here, and here you go.
181 00:14:01,750 --> 00:14:07,090 We have lost the connection because my virtual machine expired over there.
182 00:14:07,330 --> 00:14:14,440 So I should have added one more hour over here, but I believe we missed that opportunity over there.
183 00:14:14,890 --> 00:14:20,290 So it is not related to the exploit thing that we have done.
184 00:14:21,070 --> 00:14:27,040 I believe I should have told that a long time ago and added that one hour before.
185 00:14:27,400 --> 00:14:36,160 OK, but maybe you have seen that we, root, we were actually root in that case.
186 00:14:36,670 --> 00:14:40,960 So I'm going to do this one more time so that you can see it in a better way.
187 00:14:40,960 --> 00:14:48,460 And you can see it's not related to our privilege escalation process, but it's related to
188 00:14:48,460 --> 00:14:54,370 me being reluctant to add one more hour over here in a given period of time.
189 00:14:54,370 --> 00:15:01,960 OK, so I'm going to copy the IP address as soon as we can see it over here.
190 00:15:02,260 --> 00:15:08,180 Let's wait until it's shown to us and then we're going to get the IP address over there.
191 00:15:08,530 --> 00:15:09,130 Here you go.
192 00:15:09,130 --> 00:15:13,120 Now it's 10.10.131.37.
193 00:15:13,300 --> 00:15:15,160 So I'm going to switch into that.
194 00:15:15,190 --> 00:15:17,470 OK, our IP address has been changed.
195 00:15:17,770 --> 00:15:22,330 We know that it's user, so it's user@ something like that.
196 00:15:22,330 --> 00:15:29,920 Let me try to paste the clipboard and say yes and give the password, so you know the password.
197 00:15:30,130 --> 00:15:34,390 If you can't remember the password, you can always look for the room over there.
198 00:15:34,780 --> 00:15:39,700 So I'm going to go into tools and run ./dirtycow.
199 00:15:40,030 --> 00:15:41,260 And here you go.
200 00:15:41,260 --> 00:15:45,340 It doesn't seem to be persistent over here.
201 00:15:45,340 --> 00:15:50,680 Of course, we terminated the machine, and now we can see our files.
202 00:15:51,160 --> 00:15:53,050 But again, it's not important.
203 00:15:53,620 --> 00:15:56,410 It's even more practice for us, so it's better.
204 00:15:56,560 --> 00:16:04,240 So we're going to have to use gcc one more time in order to create our own executable over here.
205 00:16:04,960 --> 00:16:07,420 So remember the command we need to run:
206 00:16:08,770 --> 00:16:16,030 gcc, and just give the cow.c over here as an input, and we need to specify the -pthread over here.
207 00:16:16,030 --> 00:16:19,990 And for the output, I'm going to call this dirtycow one more time.
208 00:16:20,500 --> 00:16:25,660 So after it's been generated for us, I'm going to run the dirtycow.
209 00:16:26,050 --> 00:16:27,780 So it will take a minute.
210 00:16:28,060 --> 00:16:33,930 Then, as you can see, it says that it's trying to do something with the passwd over here.
211 00:16:34,180 --> 00:16:42,880 So once we execute the passwd command, the /usr/bin/passwd tool actually, then it will make us root.
212 00:16:43,240 --> 00:16:45,010 And how do I know that?
213 00:16:45,010 --> 00:16:49,270 Of course, I get it from the Exploit-DB or from the GitHub.
214 00:16:49,450 --> 00:16:56,760 It actually shows you how to run the tool and how to become root after it's been executed.
215 00:16:57,130 --> 00:17:03,310 So it's different for every suggestion; it's different for every tool that you have seen in the
216 00:17:03,310 --> 00:17:05,100 Linux Exploit Suggester tool.
217 00:17:05,410 --> 00:17:12,880 So you need to check the GitHub pages or you need to check the Exploit-DB pages in order to understand
218 00:17:13,060 --> 00:17:18,040 how different tools work, but Dirty COW generally works.
219 00:17:18,520 --> 00:17:22,750 OK, and that's why I'm showing you this first.
220 00:17:23,350 --> 00:17:28,600 It's also common in CTFs as well as in real pentests.
221 00:17:28,930 --> 00:17:33,730 So if you think that everybody keeps their Linux system updated, then you are wrong.
222 00:17:33,730 --> 00:17:35,080 Of course they do not.
223 00:17:35,320 --> 00:17:41,860 And this is one of the most common things that you will encounter in real life as well, as I said before.
224 00:17:42,010 --> 00:17:49,210 And also that is one of the reasons why people actually keep their passwords in files, closed files
225 00:17:49,210 --> 00:17:50,380 called passwd.
226 00:17:50,850 --> 00:17:56,050 That's why we are trying to locate the passwords or find the password files again.
227 00:17:56,740 --> 00:17:58,150 So here you go.
228 00:17:58,450 --> 00:18:01,590 I believe we can do a Ctrl+C
229 00:18:01,600 --> 00:18:02,580 over here.
230 00:18:02,890 --> 00:18:06,220 Let's see if we can actually do that.
231 00:18:06,610 --> 00:18:07,360 Yeah, here you go.
232 00:18:07,360 --> 00:18:12,030 Once we run passwd, it became, now we are root.
233 00:18:12,040 --> 00:18:16,210 If I run id now, we can see we are root over here.
234 00:18:16,210 --> 00:18:17,350 If I run whoami,
235 00:18:17,530 --> 00:18:18,820 we are root one more time.
236 00:18:18,820 --> 00:18:24,250 So we managed to get this flag, or we managed to become root in some way.
237 00:18:24,880 --> 00:18:31,780 OK, so this was the first task in the section; we have seen the kernel exploits.
238 00:18:32,260 --> 00:18:38,140 Now you can go to user by running su user anytime you want, because once you become root, you
239 00:18:38,140 --> 00:18:41,440 can just switch between the users like that.
240 00:18:41,740 --> 00:18:45,970 And for some reason, clear doesn't work, but it's no big deal.
241 00:18:46,660 --> 00:18:53,020 Again, we're going to see a lot, much more than kernel exploits, but be aware that this is one of
242 00:18:53,020 --> 00:18:54,070 the most common ones.
243 00:18:54,250 --> 00:19:02,500 So check for kernel exploits with Linux Exploit Suggester or by doing a manual search in Google by looking
244 00:19:02,500 --> 00:19:04,120 at the uname -a output.
245 00:19:04,480 --> 00:19:10,810 So see you in the next lecture for the continuation of these privilege escalation techniques.