1 00:00:00,510 --> 00:00:07,080 Hi, within this lecture, we're going to continue working on the sudo, and also we're going to show
2 00:00:07,080 --> 00:00:10,530 you some other technique called unshadow.
3 00:00:10,530 --> 00:00:18,040 OK, so I have talked about this before and we have seen we cannot cat the /etc/shadow file.
4 00:00:18,510 --> 00:00:25,170 So in this lecture, we're going to see if we can get this out, how we can actually crack the password
5 00:00:25,170 --> 00:00:28,600 of the root and become root in a way that we want.
6 00:00:29,130 --> 00:00:35,510 So when we ran sudo -l, we have seen apache2 is in this list.
7 00:00:36,030 --> 00:00:45,930 So if you actually search for apache2, you can see this: we can use apache2 in order to cat
8 00:00:45,930 --> 00:00:47,130 something out.
9 00:00:47,820 --> 00:00:49,420 So how do we do that?
10 00:00:49,920 --> 00:00:54,520 Let me show you, you can run sudo /usr/bin/apache2.
11 00:00:54,840 --> 00:01:00,450 And if you can use -f like this, you can check this out.
12 00:01:00,450 --> 00:01:05,060 As you can see, we managed to get the /etc/passwd over here.
13 00:01:05,670 --> 00:01:12,370 So even though it's not ideal to use this, we managed to get the first line, right?
14 00:01:12,630 --> 00:01:16,960 So if I do cat /etc/passwd, I can just see the whole thing.
15 00:01:17,010 --> 00:01:26,700 OK, so there is no point using apache2 to just get the first line of the /etc/passwd file.
16 00:01:26,700 --> 00:01:29,570 Right, because I can already get all of it.
17 00:01:30,300 --> 00:01:40,290 But in this case we already had the permission of /etc/passwd, but we don't have the permission of
18 00:01:40,290 --> 00:01:43,170 /etc/shadow, for example, as user.
19 00:01:43,590 --> 00:01:44,140 Right.
20 00:01:44,400 --> 00:01:50,790 So rather than doing this on /etc/passwd, maybe we can do this on /etc/shadow.
21 00:01:51,150 --> 00:01:58,920 Right, because since we are using this with sudo with an escalated privilege, then it means that
22 00:01:58,920 --> 00:02:00,620 we can get the first line.
23 00:02:00,630 --> 00:02:02,000 And here you go.
24 00:02:02,610 --> 00:02:06,570 This is the shadow file, this is the /etc/shadow.
25 00:02:06,960 --> 00:02:13,560 So you can try this on your own Kali as well in order to see your own /etc/shadow if you become
26 00:02:13,560 --> 00:02:19,890 root and if you just cat the /etc/shadow, you can see what kind of things that you get and this is
27 00:02:19,890 --> 00:02:21,000 the thing that you get.
28 00:02:21,200 --> 00:02:24,600 OK, so let me show you one more time.
29 00:02:24,600 --> 00:02:27,980 If we do cat /etc/passwd, we have this over here.
30 00:02:27,990 --> 00:02:31,960 So this is root and this is the password of the root.
31 00:02:32,250 --> 00:02:38,380 OK, so this is the password of the root represented by x in the /etc/passwd.
32 00:02:39,120 --> 00:02:46,380 So now we know that this is the password and there are a couple of other parameters over here.
33 00:02:46,590 --> 00:02:47,900 OK, like this.
34 00:02:48,090 --> 00:02:54,530 So these are for the expiry of the password and for other parameters as well.
35 00:02:54,660 --> 00:02:58,830 But we are actually interested in the password itself.
36 00:02:59,040 --> 00:03:04,350 So I'm going to copy this and I'm going to show you something that you should do.
37 00:03:04,890 --> 00:03:08,670 Even though we know the hash right now, it's very obvious.
38 00:03:08,850 --> 00:03:11,370 I'm going to show you a proper way of doing this.
39 00:03:11,520 --> 00:03:13,680 I'm going to copy this, OK?
40 00:03:13,920 --> 00:03:22,650 And I'm going to open a new tab over here so that I can go into the Documents and into the CTF folder
41 00:03:22,650 --> 00:03:24,930 that we have been previously working on.
42 00:03:25,350 --> 00:03:28,230 And I'm going to create a new directory over here.
43 00:03:28,700 --> 00:03:30,630 And you can call this anything you want.
44 00:03:30,630 --> 00:03:37,620 I'm going to call this tryhackme, cd into that, to just create a new file over here.
45 00:03:37,620 --> 00:03:44,910 So I'm going to say nano, not static, and I'm going to actually not, not start.
46 00:03:45,420 --> 00:03:50,910 Let me just do this one more time because we need a very explicit name over here.
47 00:03:51,180 --> 00:03:53,700 So I'm going to come back and see.
48 00:03:53,700 --> 00:03:56,190 Yep, it didn't create that.
49 00:03:56,310 --> 00:04:03,690 So I'm going to call this something like shadow, OK, shadow.txt, and I'm going to paste this
50 00:04:03,690 --> 00:04:04,050 in.
51 00:04:04,530 --> 00:04:06,810 So this is the shadow output.
52 00:04:07,320 --> 00:04:13,490 So I'm going to save this with Ctrl+O, Enter, Ctrl+X, and here we have the shadow.txt.
53 00:04:14,010 --> 00:04:20,460 So I'm going to create a passwd.txt, the same steps that we did for the /etc/shadow here, and I'm going to copy
54 00:04:20,670 --> 00:04:25,920 the passwd output over there, like this.
55 00:04:25,920 --> 00:04:29,810 OK, I'm going to copy this and just paste it over here.
56 00:04:30,120 --> 00:04:31,140 So here you go.
57 00:04:31,140 --> 00:04:32,820 I'm going to save this as well.
58 00:04:33,300 --> 00:04:35,100 So what have I done?
59 00:04:35,100 --> 00:04:41,160 I have two files right now, one of which contains the password file and the other one contains the shadow
60 00:04:41,160 --> 00:04:41,600 file.
61 00:04:42,030 --> 00:04:50,010 Now, since I have only one line, I can actually skip the step, but I want to show you this unshadow
62 00:04:50,010 --> 00:04:50,580 command.
63 00:04:50,850 --> 00:04:57,330 So this is a way to combine these files and put it together to see the whole picture.
64 00:04:57,690 --> 00:04:59,550 Right now, since we have one line, it's
65 00:04:59,850 --> 00:05:07,860 easy, but if you had, like, maybe 50 lines for the password file and 50 lines for the shadow file, it
66 00:05:07,860 --> 00:05:14,760 might be hard for you to combine them and put the passwords in the right place to match, make it match
67 00:05:14,760 --> 00:05:15,630 them together.
68 00:05:16,190 --> 00:05:19,560 So the unshadow command does this for you.
69 00:05:19,770 --> 00:05:25,540 All you have to do is just write this: unshadow passwd.txt shadow.txt.
70 00:05:25,800 --> 00:05:26,590 And here you go.
71 00:05:26,590 --> 00:05:27,740 We have the output.
72 00:05:28,110 --> 00:05:34,590 So it combines the two files together and here we have the output.
73 00:05:35,100 --> 00:05:41,450 So as you can see, we actually have an output very similar to shadow.txt.
74 00:05:41,700 --> 00:05:45,930 But again, since we have only one line, it seems very easy for us.
75 00:05:46,170 --> 00:05:51,600 But if we had multiple lines, then it would get hard for us to do that.
76 00:05:52,050 --> 00:06:00,300 Once we do this, once we get the unshadowed file or unshadowed output over here, we can try and
77 00:06:00,300 --> 00:06:06,570 attempt to decrypt this hash over here in order to find the password of the root.
78 00:06:06,810 --> 00:06:08,240 So this is the password.
79 00:06:08,650 --> 00:06:14,310 Of course, it is hashed and we need a way to decrypt this.
80 00:06:14,790 --> 00:06:21,240 So what we can do, we can use a lot of different tools in order to try and decrypt this.
81 00:06:21,430 --> 00:06:29,280 OK, I'm going to show you, of course, the most popular one so that you can try this on your own as
82 00:06:29,280 --> 00:06:29,490 well.
83 00:06:29,510 --> 00:06:33,890 And once you get this, it would be incredibly easy for you to become root.
84 00:06:34,080 --> 00:06:39,230 All you have to do is just run su root, or sudo su, in order to give
85 00:06:39,300 --> 00:06:42,620 the root password and escalate your privilege.
86 00:06:43,410 --> 00:06:52,530 So maybe you can, you may want to just take in all of this, just save this, copy this and save it into
87 00:06:52,530 --> 00:06:53,280 a file.
88 00:06:53,320 --> 00:06:54,960 The shadow output.
89 00:06:55,260 --> 00:07:02,340 Since I already have a very simple line, I'm just going to get this password over here and work with
90 00:07:02,340 --> 00:07:03,270 that, OK?
91 00:07:03:750 --> 00:07:08,990 Because this is the same thing eventually that I get from cat-ing the shadow.txt.
92 00:07:09,810 --> 00:07:18,150 So I'm going to come back to google.com and I'm going to say crack root password or crack password
93 00:07:18,150 --> 00:07:19,500 hash Linux.
94 00:07:19,770 --> 00:07:21,440 OK, like this.
95 00:07:22,080 --> 00:07:28,880 So if you just search for it, you will be presented with some kind of tutorials, like one hundred
96 00:07:28,890 --> 00:07:35,510 and fifty, five hundred thousand results, one million and 500,000 results over here.
97 00:07:35,970 --> 00:07:43,280 So if you go to medium.com, for example, any of the tutorials, you can see some kind of alternatives.
98 00:07:43,290 --> 00:07:44,320 Let me see one.
99 00:07:44,820 --> 00:07:49,140 Let me just show you what is going on over here.
100 00:07:49,560 --> 00:07:55,350 So as you can see, it shows the output of the /etc/passwd and the /etc/shadow file.
101 00:07:55,890 --> 00:07:59,780 And it says that you can use the John the Ripper and the Hashcat.
102 00:08:00,240 --> 00:08:05,350 So if you took the complete ethical hacking course, I believe we have seen Hashcat over there.
103 00:08:05,850 --> 00:08:07,110 So here you go.
104 00:08:07,110 --> 00:08:09,180 There is one example over here.
105 00:08:09,840 --> 00:08:13,430 So it says that cracking hashes with John the Ripper.
106 00:08:13,830 --> 00:08:18,870 So if you come over here, you can see all the steps in order to crack the hash.
107 00:08:19,830 --> 00:08:21,570 It does the unshadow thing.
108 00:08:21,570 --> 00:08:22,970 We have already done that.
109 00:08:23,550 --> 00:08:30,940 So it actually saved the output into something called passwords.txt, maybe we can do that as well.
110 00:08:30,960 --> 00:08:33,510 So this is the output of the shadow file.
111 00:08:33,810 --> 00:08:35,160 Maybe you remember that.
112 00:08:35,610 --> 00:08:43,530 OK, so as you can see, John the Ripper, john, is a tool that comes preinstalled with Kali.
113 00:08:43,760 --> 00:08:45,510 So you can actually use this.
114 00:08:45,750 --> 00:08:53,040 So you can say john --wordlist and provide the wordlist and just run this against the
115 00:08:53,040 --> 00:08:53,950 passwords.txt.
116 00:08:54,240 --> 00:09:01,890 It will try and break the password if, if and only if your list contains the password.
117 00:09:02,100 --> 00:09:10,050 Since this is hashed with a very secure algorithm, you need to actually use a wordlist.
118 00:09:10,500 --> 00:09:12,400 You cannot actually reverse it.
119 00:09:13,050 --> 00:09:19,860 You can use a wordlist and you can get the real password out of it and this is a way to do it.
120 00:09:20,010 --> 00:09:27,740 OK, so john --wordlist, just provide our list and provide the text file that you have saved.
121 00:09:28,930 --> 00:09:34,030 And then later on, you can say john --show, and it will show you the result.
122 00:09:34,660 --> 00:09:40,250 So over here we have the Hashcat version over here as well.
123 00:09:40,750 --> 00:09:49,900 So in order to do that, it says that hashcat -m 500 and -a 0 and -o,
124 00:09:49,960 --> 00:09:55,210 oh, this is for the output, cracked.txt and hashes.txt.
125 00:09:55,720 --> 00:09:59,250 And again, you need to provide the wordlist over here as well.
126 00:09:59,590 --> 00:10:06,940 So as you can see, there are two ways, too many great ways in order to solve this problem.
127 00:10:07,750 --> 00:10:12,660 So over here we see the parameter explanation of the Hashcat as well.
128 00:10:13,210 --> 00:10:21,640 That -m flag specifies the mode that we want to use over here, so the flag determines the attack
129 00:10:21,640 --> 00:10:23,470 type, yada, yada, yada.
130 00:10:23,500 --> 00:10:25,510 I believe you get the idea.
131 00:10:25,510 --> 00:10:33,490 You can use either the Hashcat or the John the Ripper in your Kali Linux,
132 00:10:33,670 --> 00:10:35,270 depending on your choice.
133 00:10:36,010 --> 00:10:43,320 So let's try one of these in our system and see if we can actually crack the password over here.
134 00:10:44,080 --> 00:10:48,750 So I'm going to go for the John the Ripper over there.
135 00:10:49,060 --> 00:10:53,410 You can try yourselves, but I'm going to go for this one.
136 00:10:53,440 --> 00:11:00,430 OK, so we have the output, but we didn't put it into any kind of text file over here.
137 00:11:00,610 --> 00:11:03,670 As you can see, that's what it's doing in this line.
138 00:11:04,000 --> 00:11:08,230 So I'm going to go back and let's see.
139 00:11:08,620 --> 00:11:12,580 I'm going to go into my CTF folder one more time.
140 00:11:12,910 --> 00:11:14,650 So tryhackme.
141 00:11:15,010 --> 00:11:21,160 So we have the passwd and the shadow so we can just run the command one more time.
142 00:11:21,160 --> 00:11:24,650 So unshadow passwd.txt shadow.txt.
143 00:11:24,850 --> 00:11:26,380 It gives us this output.
144 00:11:26,530 --> 00:11:34,630 If we actually just put this into any other text file like passwords.txt, then it will be put over
145 00:11:34,630 --> 00:11:34,970 there.
146 00:11:35,290 --> 00:11:41,760 So if I cat this out I will get the exact same result back, like this, over here.
147 00:11:41,770 --> 00:11:45,030 Now it's contained in our passwords.txt.
148 00:11:45,250 --> 00:11:48,060 So let's go to the next level over here.
149 00:11:48,340 --> 00:11:56,440 So it says just run the john with the --wordlist parameter over there and then run it against the
150 00:11:56,440 --> 00:12:03,310 passwords.txt. Now since we know the password, I'm going to make it, so I'm going to make it easy, OK,
151 00:12:03,850 --> 00:12:10,140 because I don't want to run this against like a one million password wordlist.
152 00:12:10,150 --> 00:12:14,830 OK, we already know the password and you understood how it works.
153 00:12:15,160 --> 00:12:20,800 And of course, you know, there are a lot of wordlists under the /usr/share/wordlists folder.
154 00:12:21,100 --> 00:12:23,920 OK, so I'm going to create a list of my own.
155 00:12:24,190 --> 00:12:31,330 I'm going to nano wordlist and I'm going to write some of the passwords that we're working with so we
156 00:12:31,330 --> 00:12:32,650 know the real password.
157 00:12:32,740 --> 00:12:37,810 I'm just going to go for these two or three, four of the options over here.
158 00:12:38,440 --> 00:12:43,010 Even though we made it too easy, it's just not worth the wait.
159 00:12:43,030 --> 00:12:43,480 Right.
160 00:12:43,720 --> 00:12:49,060 Because we need to understand how this works, because we already know the password over here.
161 00:12:49,540 --> 00:12:54,390 So I'm going to come up with this one and come over here and just paste it over there.
162 00:12:54,760 --> 00:13:01,630 So rather than providing the sqlmap, or SQL map, however you may want to pronounce this, I'm
163 00:13:01,630 --> 00:13:06,630 going to just go for the wordlist and run it against the passwords.txt.
164 00:13:07,360 --> 00:13:09,070 So here you go.
165 00:13:09,070 --> 00:13:11,830 It says that loaded one password hash.
166 00:13:12,310 --> 00:13:19,890 And if you say john --show, "Password files required, but none specified."
167 00:13:20,290 --> 00:13:27,070 So, yeah, we have to say john --show passwords.txt and here you go.
168 00:13:27,070 --> 00:13:29,730 It says that root is james
169 00:13:29,740 --> 00:13:30,500 123.
170 00:13:30,910 --> 00:13:33,850 So it managed to crack this, as you can see.
171 00:13:34,870 --> 00:13:43,210 So this was the, let me come over here to the root and just give james123 over here and
172 00:13:43,210 --> 00:13:44,080 hit enter.
173 00:13:44,440 --> 00:13:48,010 If you see nothing is happening, it's fine.
174 00:13:48,310 --> 00:13:49,930 It's for security purposes.
175 00:13:50,530 --> 00:13:52,560 Just type it and hit enter.
176 00:13:52,810 --> 00:13:54,720 Let me try this one more time.
177 00:13:55,060 --> 00:13:55,930 OK, james
178 00:13:55,930 --> 00:13:56,740 123.
179 00:13:57,100 --> 00:13:57,340 Yeah.
180 00:13:57,340 --> 00:14:00,000 It says that password...
181 00:14:00,010 --> 00:14:00,940 Try again.
182 00:14:01,600 --> 00:14:05,340 Let me just run sudo su and try one more time.
183 00:14:05,950 --> 00:14:08,530 Let me give james123.
184 00:14:08,920 --> 00:14:09,180 Yeah.
185 00:14:09,190 --> 00:14:11,230 It doesn't work for some reason.
186 00:14:12,460 --> 00:14:17,680 I believe we have to go for su root rather than sudo su.
187 00:14:17,680 --> 00:14:22,270 So I'm going to go for su root and I'm just going to give the password.
188 00:14:22,270 --> 00:14:23,380 And here you go now.
189 00:14:23,380 --> 00:14:25,510 We're root, yeah.
190 00:14:25,570 --> 00:14:28,120 It was asking for the sudo password, which is
191 00:14:28,180 --> 00:14:32,540 the user password, so if you run whoami now, we are root.
192 00:14:32,980 --> 00:14:40,750 Now, we managed to crack this by getting /etc/shadow and most of the time you won't actually get
193 00:14:40,750 --> 00:14:42,160 to get /etc/shadow.
194 00:14:42,160 --> 00:14:47,160 But if you see something like this in sudo -l, then you can cat it out.
195 00:14:47,650 --> 00:14:53,560 So I, I didn't even know we can cat things out with apache2.
196 00:14:53,800 --> 00:14:56,050 Of course, it's a quick Google search.
197 00:14:56,320 --> 00:14:56,760 Right.
198 00:14:56,980 --> 00:15:03,340 So while you are using the sudo -l, make sure you Google it out and make sure you search
199 00:15:03,340 --> 00:15:10,870 for privilege escalation, how to do privilege escalation using this binary, and it will give you the results.
200 00:15:11,560 --> 00:15:13,240 So far, so good.
201 00:15:13,270 --> 00:15:19,780 I believe this is time for us to stop here and continue within the next lecture with privilege escalation
202 00:15:19,780 --> 00:15:20,260 as well.