1 00:00:00,750 --> 00:00:07,140 Hi, within this lecture, we're going to see the details of the enumeration section that we have done,
2 00:00:07,440 --> 00:00:13,920 and previously I've mentioned that a lot of people actually store their passwords in
3 00:00:13,920 --> 00:00:21,350 text files, and also maybe, without knowing, they actually log their passwords in the system.
4 00:00:21,570 --> 00:00:27,410 So we're going to try and see what we can do with that, and make sure you're logged in as user.
5 00:00:27,570 --> 00:00:31,850 OK, not root, because we previously became root.
6 00:00:31,860 --> 00:00:39,740 So make sure you switch to user or just access the system one more time.
7 00:00:40,290 --> 00:00:48,030 So we have seen that we can actually take leverage of the history command, or we can search for the passwords
8 00:00:48,030 --> 00:00:51,750 with the find command or locate command, as previously.
9 00:00:52,110 --> 00:00:53,760 So let me run ls -la.
10 00:00:54,090 --> 00:01:02,340 As you can see, we have some kind of .bash_history over here, so we can try to see what kind of things
11 00:01:02,340 --> 00:01:04,860 have been executed on this shell.
12 00:01:05,250 --> 00:01:11,470 And we can cat this out, or we can run history in order to see it in a more clear way.
13 00:01:11,760 --> 00:01:13,590 So let me first cat this out.
14 00:01:14,220 --> 00:01:17,310 So I'm going to cat the .bash_history over here, and here
15 00:01:17,310 --> 00:01:21,700 we see the history that has been logged in this shell.
16 00:01:22,170 --> 00:01:30,480 So over here, if we come over to the top of this history thing, we can see a lot of commands have
17 00:01:30,480 --> 00:01:34,170 been executed by previously logged in users.
18 00:01:34,410 --> 00:01:39,300 And we can find even some passwords over here if we look carefully.
19 00:01:39,600 --> 00:01:47,490 For example, in this case, mysql has been executed, and over here it has been executed with user
20 00:01:47,490 --> 00:01:51,650 root, and for the password, password123 has been given.
21 00:01:52,050 --> 00:01:57,960 And for the purpose of this course, I've changed the password to James123, as you might remember,
22 00:01:58,170 --> 00:02:03,470 but if I hadn't changed it, then we could have just used password123 to become root.
23 00:02:03,870 --> 00:02:08,670 So this may not be that easy, but again, it's worth a shot.
24 00:02:08,850 --> 00:02:14,610 And you can check the bash history any time in order to find clues, and these clues,
25 00:02:14,760 --> 00:02:21,810 maybe not the password itself, but some clues, give you privilege escalation ideas in that case.
26 00:02:22,150 --> 00:02:30,840 OK, so maybe you cannot see the .bash_history file over there, but of course, you can run history in order
27 00:02:30,840 --> 00:02:33,540 to see it in a more clear way.
28 00:02:33,540 --> 00:02:38,010 Actually, as you can see right now, we get the line numbers over here.
29 00:02:38,010 --> 00:02:44,430 So thirty, thirty-second line, first line, second line, so we can see it in a more clear way.
30 00:02:44,760 --> 00:02:47,040 So it's a very easy shot, just run history.
31 00:02:47,040 --> 00:02:53,340 Once you become user, you hack into the server and just search for clues over there.
32 00:02:53,340 --> 00:03:00,540 We can find some passwords, or we can try to find the passwords or locate the passwords, as we have
33 00:03:00,540 --> 00:03:01,410 seen before.
34 00:03:01,680 --> 00:03:04,320 So maybe you know how to run find.
35 00:03:04,320 --> 00:03:11,100 But I'm going to show you another way of executing this as well, in a much more complex way and in a
36 00:03:11,100 --> 00:03:13,080 much more sophisticated way.
37 00:03:13,260 --> 00:03:21,690 So if a user actually logs the password in the system or in a log file, maybe we can grep that
38 00:03:21,810 --> 00:03:24,630 and we can actually use that as well.
39 00:03:25,380 --> 00:03:28,770 So maybe you may want to take a note of this command as well.
40 00:03:29,100 --> 00:03:31,140 So I'm going to run find --help.
41 00:03:31,500 --> 00:03:38,220 As you can see, there are a lot of parameters over here, and we have seen, I believe, many of them,
42 00:03:38,220 --> 00:03:44,610 but we haven't actually run this -exec thing or some other things as well.
43 00:03:44,610 --> 00:03:46,170 So let me show you what I mean.
44 00:03:46,470 --> 00:03:53,130 I'm going to run this find, and we're searching for the type f, and for the exec
45 00:03:53,130 --> 00:03:57,270 I'm going to grep some things over here, OK?
46 00:03:57,510 --> 00:03:59,550 And for the parameters,
47 00:03:59,550 --> 00:04:05,490 I'm going to write -i password with curly braces over here.
48 00:04:05,490 --> 00:04:09,420 OK, open and close, like we have seen in the documentation.
49 00:04:09,600 --> 00:04:11,280 I'm going to show you one more time.
50 00:04:11,280 --> 00:04:12,420 Don't worry about it.
51 00:04:13,140 --> 00:04:20,030 But after that, after we run this, we can just put the output into /dev/null as well.
52 00:04:20,160 --> 00:04:29,820 OK, so take note of this command, and make sure you put a backslash at the end
53 00:04:29,820 --> 00:04:32,550 of this line and put a semicolon over here.
54 00:04:32,940 --> 00:04:34,560 Now, if I hit enter,
55 00:04:34,560 --> 00:04:35,730 let's see what it does.
56 00:04:35,940 --> 00:04:39,120 As you can see, we get this password321.
57 00:04:39,630 --> 00:04:42,990 I actually changed this to be James321 as well.
58 00:04:42,990 --> 00:04:49,560 But anyway, it's logged in the config file for some reason.
59 00:04:49,560 --> 00:04:52,080 And as you can see, we gathered it.
60 00:04:52,440 --> 00:04:58,680 OK, so again, the find command has some other uses over here as well.
61 00:04:58,830 --> 00:04:59,560 So use
62 00:04:59,840 --> 00:05:06,620 this curly brace notation, and make sure you just take note of all of this so that you can actually find
63 00:05:07,190 --> 00:05:12,470 the passwords like that. We have seen the password123 in the history, but we haven't
64 00:05:12,470 --> 00:05:13,910 seen the other one.
65 00:05:14,240 --> 00:05:14,660 Right.
66 00:05:14,670 --> 00:05:19,910 So maybe this would be helpful for you in a real life scenario as well.
67 00:05:20,660 --> 00:05:27,350 So anyway, as you can see, we're doing enumeration, and all this information that we gather might lead
68 00:05:27,350 --> 00:05:29,240 us to privilege escalation.
69 00:05:29,510 --> 00:05:36,820 Of course, we can try to do much more stuff in here, but don't forget to run find.
70 00:05:36,830 --> 00:05:38,790 Don't forget to run history.
71 00:05:39,050 --> 00:05:44,180 Don't forget to check to see if you have bash history logged in here as well.
72 00:05:44,630 --> 00:05:52,660 So if we run ls -la on /etc/passwd, this is one way to check to see if we can read the /etc/passwd.
73 00:05:52,820 --> 00:06:01,040 And over here we can see that we have read privilege for every user over here, so we can easily check
74 00:06:01,040 --> 00:06:03,830 this out, to check, to see.
75 00:06:03,830 --> 00:06:09,950 And we have talked about this a little bit, but I want to get into details right now, and then
76 00:06:09,950 --> 00:06:16,190 later on during this section, we're going to see how we can actually hack the password by
77 00:06:16,190 --> 00:06:18,310 using the shadow file as well.
78 00:06:18,530 --> 00:06:23,010 So this part is for every user, as you might already know.
79 00:06:23,150 --> 00:06:27,710 So we have the read permission over here, not the write or execute permission.
80 00:06:27,720 --> 00:06:29,690 But again, we don't need write
81 00:06:29,690 --> 00:06:33,310 permission in order to view the /etc/passwd.
82 00:06:33,440 --> 00:06:35,990 So if you see the r over there, then it's OK.
83 00:06:36,170 --> 00:06:44,720 Just run cat /etc/passwd like this, and you can see all the users and some bashes, like some shells,
84 00:06:44,990 --> 00:06:48,310 and some other information like groups over here as well.
85 00:06:49,100 --> 00:06:52,160 So let's see what it does in this case.
86 00:06:52,160 --> 00:06:56,800 We have a lot of information, like we have the user name over here, root.
87 00:06:57,050 --> 00:07:00,680 OK, so you're viewing the /etc/passwd as usual.
88 00:07:01,160 --> 00:07:05,870 And as I said before, it used to contain the passwords here, in this case.
89 00:07:05,870 --> 00:07:10,400 But right now we only see an x in the place of the password.
90 00:07:10,760 --> 00:07:13,350 So we see the users over here, OK.
91 00:07:13,700 --> 00:07:17,090 And so this is the user and this is the password of the user.
92 00:07:17,090 --> 00:07:20,150 But we don't see the password in the /etc/passwd.
93 00:07:20,420 --> 00:07:22,480 So where is the password located?
94 00:07:22,490 --> 00:07:26,450 It's located under the /etc/shadow, as I said before.
95 00:07:26,840 --> 00:07:34,100 So right now, Linux actually moved the passwords to another file, and we cannot see them over here.
96 00:07:34,220 --> 00:07:41,540 If we can actually get that shadow file using some kind of method, I don't know yet, then we can
97 00:07:41,540 --> 00:07:45,920 actually just combine them together and find the passwords.
98 00:07:46,460 --> 00:07:48,680 If you run ls -la on /etc/shadow,
99 00:07:48,920 --> 00:07:56,540 as you can see, we don't have that read permission over here, so we cannot even see the content of
100 00:07:56,540 --> 00:07:57,650 /etc/shadow.
101 00:07:58,160 --> 00:08:00,680 If we were root, of course, we would have seen it.
102 00:08:00,890 --> 00:08:04,040 But right now, if you run cat /etc/shadow,
103 00:08:04,250 --> 00:08:06,680 you will get permission denied over there.
104 00:08:07,250 --> 00:08:16,340 If you can find something to give you that, like a setuid binary for cat or something like that,
105 00:08:16,940 --> 00:08:24,320 maybe you can see the content of the /etc/shadow, then you can get the password for the root or the password
106 00:08:24,320 --> 00:08:27,320 for the other users as well.
107 00:08:28,070 --> 00:08:30,770 But in that case we're not seeing it.
108 00:08:30,950 --> 00:08:37,580 And it's actually most probably what you're going to see in a real CTF or real pentest,
109 00:08:37,880 --> 00:08:46,490 because no one forgets to just remove the read permission, or it just comes in a
110 00:08:46,490 --> 00:08:48,380 default way like that.
111 00:08:48,500 --> 00:08:52,010 So no one gives permission to see shadow to every user.
112 00:08:52,250 --> 00:08:54,110 But again, it's worth a shot.
113 00:08:54,620 --> 00:09:00,620 So later on during this section, we're going to see how we can actually see the /etc/shadow and how to
114 00:09:00,620 --> 00:09:05,780 combine them together to get the root password over here as well.
115 00:09:06,230 --> 00:09:09,080 But these are all for enumeration purposes.
116 00:09:09,290 --> 00:09:16,390 So make sure you cat /etc/passwd and just check /etc/shadow, if it works or not, again.
117 00:09:16,910 --> 00:09:18,800 So here you go.
118 00:09:19,430 --> 00:09:21,380 We're going to stop here.
119 00:09:21,530 --> 00:09:27,500 And within the next lectures, we're going to explore some other ways of privilege escalation as
120 00:09:27,500 --> 00:09:27,830 well.
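The three enumeration checks the lecture walks through (reading the shell history, the `find -type f -exec grep -i password {} \;` sweep over config files, and the `ls -la` / `cat` test on /etc/passwd versus /etc/shadow) collected into one script. This is an added example written for this page, not part of the lecture or its lab machine: it builds a constructed throwaway directory tree under mktemp with a fake .bash_history, a fake config.ini and fake passwd/shadow files (the contents are made up to mirror the lecture's scenario), so it runs offline and touches nothing on the real system. The shadow stand-in is made unreadable with chmod 000 because the script cannot chown to root:shadow.

```shell
#!/bin/sh
# Added example, not from the lecture. Constructed fixture + the lecture's
# three enumeration checks, safe to run on any box as an unprivileged user.
set -eu

# Build a fake filesystem root with constructed sample files.
make_fixture() {
    fx=$(mktemp -d)
    mkdir -p "$fx/home/user" "$fx/etc" "$fx/opt/app"
    # Constructed history: a mysql login with the password on the command line.
    printf 'ls -la\nmysql -u root -ppassword123\ncd /var/www\n' > "$fx/home/user/.bash_history"
    # Constructed app config that logs a credential in plain text.
    printf '[db]\nuser = app\npassword = password321\n' > "$fx/opt/app/config.ini"
    printf 'nothing to see here\n' > "$fx/opt/app/README"
    # passwd is world-readable, the password field is just "x".
    printf 'root:x:0:0:root:/root:/bin/bash\nuser:x:1000:1000::/home/user:/bin/bash\n' > "$fx/etc/passwd"
    chmod 644 "$fx/etc/passwd"
    # shadow holds the (fake) hash; 000 stands in for root:shadow ownership.
    printf 'root:$6$fakehash:18000:0:99999:7:::\n' > "$fx/etc/shadow"
    chmod 000 "$fx/etc/shadow"
    printf '%s\n' "$fx"
}

# The lecture's find + grep sweep: every regular file under $1 whose content
# mentions "password" (case-insensitive), printed as file:line:text.
# On a real target you would run it against / and silence permission errors:
#   find / -type f -exec grep -iHn password {} \; 2>/dev/null
# "{} +" batches files into one grep call instead of one grep per file.
hunt_passwords() {
    find "$1" -type f -exec grep -iHn password {} + 2>/dev/null | sort
}

# The ls -la check as a yes/no: can the current user read this file?
# Returns 0 when readable, 1 when not (what cat would report as denied).
check_readable() {
    if [ -r "$1" ]; then
        printf 'readable:     %s\n' "$1"
        return 0
    fi
    printf 'not readable: %s\n' "$1"
    return 1
}

demo() {
    fx=$(make_fixture)
    echo "== history / config hits =="
    hunt_passwords "$fx"
    echo "== passwd vs shadow =="
    ls -la "$fx/etc/passwd" "$fx/etc/shadow"
    check_readable "$fx/etc/passwd" || true
    check_readable "$fx/etc/shadow" || true
    rm -rf "$fx"
}

demo
```

Two things worth noticing when you adapt this to a real box: `grep -H` is what makes the file name appear when `-exec ... +` hands grep several files at once, and the `2>/dev/null` belongs on the find command, not inside the `-exec`, because it is find that emits the permission-denied noise while walking directories you cannot enter. As root, `[ -r ]` reports every file readable, which is exactly the lecture's point about why /etc/shadow is only a problem for an unprivileged user.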