1
00:00:00,840 --> 00:00:06,230
Hi, within this lecture, we're going to see what is an SUID.

2
00:00:06,840 --> 00:00:14,160
So far we have been working with the SUIDs and we have leveraged that permission in order to gain

3
00:00:14,160 --> 00:00:22,050
a privilege escalation or escalate that privilege in the previous case that we have solved during this

4
00:00:22,050 --> 00:00:22,680
course.

5
00:00:23,010 --> 00:00:28,300
But as I said before, we're going to see it in much more detail right now.

6
00:00:28,710 --> 00:00:31,290
So I said, don't worry about this.

7
00:00:31,410 --> 00:00:37,860
We're going to see what this is later on and we're going to deep dive in the privilege escalation section.

8
00:00:38,070 --> 00:00:39,800
So the time comes.

9
00:00:39,840 --> 00:00:42,120
OK, now we're going to see it.

10
00:00:42,390 --> 00:00:46,440
So I'm going to search for SUID in Google, OK?

11
00:00:46,440 --> 00:00:51,150
And you can just select any of the tutorials over here.

12
00:00:51,300 --> 00:00:54,350
And you don't have to do that by now.

13
00:00:54,360 --> 00:01:01,710
I'm just showing you a tutorial so that you can see that you can find it anywhere on the Internet.

14
00:01:01,790 --> 00:01:06,920
OK, so as you can see, set owner user ID or SUID.

15
00:01:07,080 --> 00:01:15,610
OK, so it stands for set owner user ID; it is a special type of file permissions given to a file.

16
00:01:15,910 --> 00:01:21,170
OK, so it's basically this special type of file permission.

17
00:01:21,690 --> 00:01:29,700
So and normally when a Linux program runs, it inherits access permissions from the logged in user.

18
00:01:30,030 --> 00:01:37,080
So SUID is defined as giving temporary permissions to a user to run a program with the permissions of

19
00:01:37,080 --> 00:01:38,310
the file owner.

20
00:01:38,850 --> 00:01:47,610
So what does this mean when you create a file or when you just put on a binary or some kind of executable?

21
00:01:47,910 --> 00:01:55,950
You can choose who gets to write it, who gets to read it and who gets to execute it in Linux.

22
00:01:56,370 --> 00:02:02,730
So of course, if you're root you can just read, write or execute anything you want in the system,

23
00:02:02,730 --> 00:02:10,650
you can just give the special type of permission to yourselves or you can make it available to a single

24
00:02:10,650 --> 00:02:15,420
group or you can make it available to a single user as well.

25
00:02:15,900 --> 00:02:19,000
Right now, we're going to see how it works.

26
00:02:19,410 --> 00:02:21,600
So my IP address is this.

27
00:02:21,600 --> 00:02:29,910
And I'm going to SSH into it, of course, during this course recordings, I have to close this down

28
00:02:29,910 --> 00:02:31,640
and open it one more time.

29
00:02:32,040 --> 00:02:33,690
So that's the case.

30
00:02:33,690 --> 00:02:36,480
I'm going to log in, as usual, OK?

31
00:02:37,110 --> 00:02:38,910
And I'm going to clear this up.

32
00:02:39,600 --> 00:02:41,580
So here you go.

33
00:02:41,580 --> 00:02:48,810
Right now, I believe we are in the file permissions, which is task 13 over here, but you don't have

34
00:02:48,810 --> 00:02:50,100
to follow it from there.

35
00:02:50,130 --> 00:02:53,270
It's just there for note-taking reasons.

36
00:02:53,700 --> 00:03:02,040
So if I run ls -la, I can see a lot of information, which is very valuable to us, I think, because

37
00:03:02,040 --> 00:03:05,490
we can see whether it's a directory or file over here.

38
00:03:05,490 --> 00:03:07,970
So D stands for the directory.

39
00:03:08,010 --> 00:03:10,790
OK, if you see a dash it's a file.

40
00:03:11,160 --> 00:03:14,350
So over here we can see the permissions.

41
00:03:14,550 --> 00:03:22,920
OK, so the last part this is the highlighted part over here stands for the user and the first one is

42
00:03:22,920 --> 00:03:23,730
the owner.

43
00:03:24,090 --> 00:03:27,990
OK, and the second one second, third bit is the group.

44
00:03:28,470 --> 00:03:32,060
So owner group and the user.

45
00:03:32,400 --> 00:03:36,060
So over here we see who created that file.

46
00:03:36,090 --> 00:03:38,520
Who does that file belong to?

47
00:03:38,850 --> 00:03:41,130
So this file belongs to root.

48
00:03:41,670 --> 00:03:48,680
As you can see, this directory, I mean, belongs to root and we can see all of those things in ls -la.

49
00:03:49,050 --> 00:03:51,800
OK, so this stands for read, write,

50
00:03:51,810 --> 00:03:52,580
execute.

51
00:03:52,830 --> 00:03:54,930
OK, so this is a directory.

52
00:03:54,940 --> 00:03:56,010
This is a file.

53
00:03:56,010 --> 00:04:03,330
OK, so this file is created by user and user has given read, write permissions, not execute permissions

54
00:04:03,330 --> 00:04:04,410
for bash history.

55
00:04:04,730 --> 00:04:09,930
Of course it doesn't make sense to give execute permissions for a single file like that.

56
00:04:10,380 --> 00:04:17,610
But again, in this case for example, we see it has the read write execute, X stands for execute over

57
00:04:17,610 --> 00:04:18,150
here.

58
00:04:18,330 --> 00:04:23,520
So the group user group can read but not write but also execute.

59
00:04:23,820 --> 00:04:30,930
And all the other users over here can read, not write but execute over here.

60
00:04:31,260 --> 00:04:41,460
OK, so we can specify which user can do something with a file, like if it can read it, if it can write

61
00:04:41,460 --> 00:04:43,620
it or if it can execute it.

62
00:04:43,920 --> 00:04:46,110
For example, maybe you have seen this before.

63
00:04:46,110 --> 00:04:56,850
You can run chmod +x in order to make a file executable, OK, so that you can just write chmod +

64
00:04:56,850 --> 00:04:59,790
s in order to give SUID

65
00:04:59,910 --> 00:05:05,850
permission, so over here, we don't see any SUIDs right now, but I'm going to show you, don't

66
00:05:05,850 --> 00:05:06,690
worry about it.

67
00:05:06,930 --> 00:05:13,800
If we see an S over there in the permissions settings, then it means that an SUID permission is

68
00:05:13,800 --> 00:05:14,680
given to us.

69
00:05:15,450 --> 00:05:23,910
So this may lead us to execute a file or just do something with a file, with a root privilege or with

70
00:05:23,910 --> 00:05:28,170
an administrator privilege so that we can take leverage of that.

71
00:05:28,500 --> 00:05:31,470
So I'm going to find some files over here.

72
00:05:31,470 --> 00:05:33,990
And we have seen this command before.

73
00:05:33,990 --> 00:05:36,930
I'm going to search for file types and for the permissions.

74
00:05:37,200 --> 00:05:42,660
I'm going to search for 04000, OK.

75
00:05:42,830 --> 00:05:49,380
I'm going to go for ls over here and I'm going to write the output in /dev/null.

76
00:05:49,560 --> 00:05:56,790
You have seen this command before, but I, I actually recommend to take note of this because

77
00:05:56,790 --> 00:05:59,870
you will actually need this in real pentests.

78
00:06:01,080 --> 00:06:06,160
So over here we see the S because these are the SUIDs.

79
00:06:06,410 --> 00:06:09,690
OK, so S stands for the SUID permissions.

80
00:06:09,690 --> 00:06:14,290
So this is kind of a special temporary permission that has been given to us.

81
00:06:14,940 --> 00:06:16,640
So what does it mean?

82
00:06:16,890 --> 00:06:26,400
We get to use those binaries and it happens so that a lot of these files are actually binaries.

83
00:06:26,670 --> 00:06:30,270
And SUIDs are given generally to binaries.

84
00:06:30,270 --> 00:06:38,370
Not necessarily, but it doesn't make sense to give some kind of a text or string file an SUID

85
00:06:38,370 --> 00:06:38,900
permission.

86
00:06:38,910 --> 00:06:48,060
And over here we have a lot of executables like change shell, sudo, sudoedit, passwd and so

87
00:06:48,060 --> 00:06:49,350
many others as well.

88
00:06:49,980 --> 00:06:55,860
So having this permission isn't a vulnerability, isn't necessarily a vulnerability.

89
00:06:55,870 --> 00:07:05,040
OK, but over here we have a suid so, this is a shared object and this is obviously put over here

90
00:07:05,040 --> 00:07:07,230
for some kind of CTF purposes.

91
00:07:07,230 --> 00:07:12,430
So maybe we can just leverage this and escalate our privilege.

92
00:07:12,750 --> 00:07:13,140
We're going

93
00:07:13,140 --> 00:07:14,130
to see how it works.

94
00:07:14,130 --> 00:07:20,910
But over here, what is important is that you run this command and you see what kind of permissions

95
00:07:20,910 --> 00:07:29,640
do you have for SUIDs and you take a look at every executable that you see if you find one that belongs

96
00:07:29,640 --> 00:07:30,260
to root.

97
00:07:30,270 --> 00:07:38,640
And in this case, it belongs to root for every possible scenario over here and try to find a way to

98
00:07:38,640 --> 00:07:40,050
escalate your privilege.

99
00:07:40,230 --> 00:07:46,710
So it doesn't necessarily mean that you're going to escalate your privilege using change shell, for

100
00:07:46,710 --> 00:07:47,400
example.

101
00:07:47,580 --> 00:07:52,250
But maybe it will be possible by using any of these, like this

102
00:07:52,250 --> 00:07:54,480
suid so over here.

103
00:07:55,050 --> 00:08:00,420
OK, so you now know what is an SUID and how to search for it.

104
00:08:00,780 --> 00:08:08,520
And now we're going to see how to actually become root using the vulnerable binaries over here.

105
00:08:09,030 --> 00:08:13,590
So in this case, it belongs to root, as you can see.

106
00:08:13,890 --> 00:08:16,550
And for the group, we have the staff over here.

107
00:08:16,560 --> 00:08:17,830
I don't know what it means.

108
00:08:17,830 --> 00:08:22,000
So we're going to see if we can actually take leverage of that.

109
00:08:22,500 --> 00:08:28,500
So this is, again, one of the most important commands that you should take note of.

110
00:08:28,860 --> 00:08:34,340
If you see something like this in the CTF or pentest, that's the way that you should go.

111
00:08:34,740 --> 00:08:38,190
So I'm going to stop here and continue within the next lecture.