Time
14 hours 43 minutes
Difficulty
Advanced
CEU/CPE
15

Video Transcription

00:00
Hello, everybody, and welcome to episode number 34 of this new privilege escalation series: Linux operating systems.
00:09
My name is Alejandro Guinea, and I'll be the instructor for today's session. The learning objective of this session is to understand the concepts behind this technique and apply and execute commands to gather information so we can actually escalate privileges. So let's get down to business, shall we?
00:28
Well, first of all,
00:31
I will start by, you know, I will give you as much information as possible. There are a lot of commands you can use, and some of them may work in some operating systems. For example, some of them may work in Debian, but they might not work on Red Hat, or the other way around,
00:51
and, you know, others have their own. I know Fedora, and you can start naming all the Linux and UNIX operating systems,
01:00
and there's a lot of information out there, so I'll do my best to actually point you in the right direction. So, you know, I'll execute a couple of commands, and you can, you know, actually search for any specific operating system
01:15
commands, and, you know, maybe you can start getting other ideas, or, you know, other folders
01:23
or other files.
01:25
At the end, uh, escalating privileges is just gathering as much information as possible of the victim system. Whether that means that, you know, you already have a root or an administrator account, you should still
01:41
run the commands to gather as much information as possible, because some exploits
01:46
would actually give you direct access to the administrator account or the root account, and you no longer need to actually escalate privileges. That doesn't mean that you cannot run the commands I'm about to show you, um,
02:01
because you will gather more information about the system, which will prove useful, maybe later, to come back to the system or, you know, to actually move to another machine. I've seen cases where machines save, you know, maybe some emails or some notes or some text messages
02:22
between other machines or other users actually exchanging credentials or something like that.
02:28
So if you can find all that information, it will help you to go further in your penetration testing process. So
02:37
let's start with, you know, a simple command, which is just finding out the distribution type and maybe the version. For example, you can cat
02:49
the /etc/issue file,
02:53
and it will give you some information. You know, Kali GNU/Linux Rolling. You know what? Why don't we actually try... I don't really have root privileges in this machine, so let me just connect to, ah, another machine. Remember that to escalate privileges, it means that we already have
03:13
a shell, a reverse shell or a bind shell, whatever. You have remote control of the system,
03:17
but not with, ah, administrative or root privileges. So let me just connect
03:23
to this machine real quick.
03:30
And it's supposed to give us, you know, access to this machine, eh? So we can actually see, ah,
03:38
that,
03:40
how to actually escalate privileges in a machine that doesn't have... oops. I can see the user,
03:47
not the user.
03:51
Ah, so as you can see, I'm not root. And as you can see,
03:55
there's, ah,
03:58
ah,
03:59
a user called root.
04:00
Uh, it would be good if we could actually cat the shadow file, but, you know, I don't have privileges for that. So, uh, let me again run the command cat,
04:13
um,
04:15
the /etc/issue file
04:17
to find the version. As you can see, I'm running Debian. Um, you can also, you know, I'll talk to give you some other commands that might work in this specific operating system but might not work in yours. So, for example, this one will do the same. I mean, it will not work here.
04:38
For example, if you're in a Red Hat,
04:40
you can just,
04:42
uh,
04:43
before, you execute this command and it will give you the information. As it is, it will, of course, fail, as at the end I don't have that file here. Apart from that, on every system you can also see what's the kernel version.
04:58
For example, let's start with the first command. I always try to actually execute the commands and give you some idea of what the command is and what is performed by this command. So, for example, I can cat this out,
05:13
proc? Nope. Sorry.
05:15
/proc/version.
05:17
And it will give us all this information. What this command does, or what this file contains, is, ah, you know, the actual operating system release, uh, and it will give us specifics
05:33
about the Linux kernel that is being used, or the distribution that is being used,
05:39
and confirm, you know, the version of the GCC compiler. Remember, we saw that GCC compiler when we actually compiled a C program, so it will give us, you know, uh, some versions again. We can see the operating system here and the version and everything.
05:57
And we can see more information about the kernel
06:00
of the Linux machine we're using right now. Uh, for example, this other command here, uname
06:08
dash a,
06:10
and, you know, it will give us a lot more information. uname, which is, by the way, short for UNIX name. You know, it's a UNIX program that prints the name, the version and other details about the machine that we're currently on, you know, and the operating system we're running.
06:27
Um, we can actually show a little less information with these flags. Maybe, for some reason, you want to print only specific information, maybe the architecture and everything, and maybe
06:41
you just... you just need to print that. So another command that is really useful, that's been proven useful for me,
06:48
is that,
06:49
this command. I'll just
06:51
read this for Linux.
06:55
And this is, ah, the dmesg command is used to write the kernel, right, kernel messages, you know, in Linux, obviously, uh, to the standard output, for example, the screen. And right now, dmesg, you know, its job is about reading
07:14
the kernel ring buffer.
07:15
Remember that we talked about the buffer overflow, and we also said that the buffer is a portion of the computer's memory that is, you know, set aside
07:25
so it can hold data or, you know, hold the data that is being sent or received from an external device or between programs. For example, one program trying to receive or send information to the hard drive or something like that, maybe a printer or keyboard.
07:42
Well, the ring buffer is a buffer, you know, of a certain size or fixed size,
07:47
for which, you know, you can override all this data in that buffer. So this is what dmesg does, and it will bring some useful information for you. And finally,
08:01
uh, you can actually ls
08:05
the /boot folder,
08:07
maybe grep it out
08:09
for... let me just ls this.
08:15
And, you know, this /boot folder contains all the boot-related info files and folders, such as vmlinuz, which, you know, is also known as the kernel. Um, you know, it will contain a lot more information. You just want to grep it out and see more of this.
08:35
It will show you some useful information.
08:39
So that's that. Let's continue. Maybe you want to learn some environment variables that you have, and maybe you're missing. For example, let me just cat the first one, or give you the first one,
08:54
by the way, uh, again, you guys, uh, this is for this specific operating system, but, you know, I bet there are a couple more or different commands, or maybe the ones that I'm using right now will not work for you. But as long as you get the idea of why I am doing this and what kind of information I'm actually looking for,
09:15
you can actually use any of the commands. And, you know, how do you
09:18
find out the Linux or the kernel information in Red Hat, or maybe Solaris, which, you know, maybe you're using with a SPARC
09:26
processor. So, you know, that's all. I want to give you all the, you know, the techniques and commands, an idea, so you can find it in your specific operating system. So, yeah, first thing is this /etc/profile. I mean, this profile file
09:46
contains the Linux system-wide
09:48
environment and startup programs. It is usually, you know, used to set the PATH variable, you know, user limits and other settings for the user. So you can find some good information here. Maybe you're after something specific, so you can also grep that out.
10:05
For example, the bash source, or, I'm sorry, the .bashrc.
10:11
I'll just
10:13
copy-paste this command.
10:15
So you can make more sense of this.
10:18
These are maybe two quick things. .bashrc, you know, is a shell script that bash runs whenever it is started. Um, you know, you start the operating system, it initiates, ah, an interactive shell session.
10:39
You can put any command in that file,
10:41
you know, as you'd type in the command prompt. You put commands here to set up the shell for use in your particular environment or to customize things for your preferences. You know, a common thing that people do in this file is they put the aliases.
11:01
So, for example, you don't want to use the...
11:03
The funniest I've seen so far is someone that didn't want to use the word sudo to actually call a task in administrative mode or in root mode, and they changed that word for the word please. So every time, you know, "please run something" instead of saying sudo,
11:22
something is "please something". It was
11:24
kind of funny. So, yeah, you can put the aliases in this file. Another thing that you can actually cat out is
11:35
I'm sorry. I just
11:37
exited here.
11:43
This logout file. You know, when logging out of a Linux system running bash, this file, this .bash_logout, is executed. This file is usually very short and contains commands users want to execute upon leaving the account.
12:01
For example, the clear command could be here. But, you know, you can also find other useful commands. Maybe the user, whenever he wants to log out, wants to, I don't know,
12:11
call some...
12:15
So let me give an example. For example, maybe the user, whenever he logs out, created a cron job, and this cron job is executed to maybe send an email saying okay, I will be logging out. This is kind of a clock-out email or reminder, maybe to his boss.
12:33
But, you know, he's using an administrator account, and maybe the cron job was not created, you know, with the right permissions, and you as a normal user can actually modify that cron job. So maybe you can actually
12:46
modify the cron job and actually throw you back a reverse shell, or modify, you know, the cron job to say okay, when to start a netcat listener. So whenever the user leaves, I'll see a shell through this. You know, this cron job is executed because it's actually, you know,
13:07
called
13:07
from this logout underscore... I'm sorry, .bash_logout file. It could, you know, execute your netcat backdoor with root privileges. It's something that, you know, you can take advantage of. That
13:26
information, and other things you can actually check, is the environment variables, for example env, and it will tell you, you know, all the information we might need. For example, I have used this technique in some cases where I can actually modify the HOME or the PATH
13:45
so you can actually point
13:46
to other things or other scripts. For example, one time someone left a script saying that he wants to actually open a backdoor, not a backdoor, but, you know, a netcat listener. But it was obviously pointing to their home, uh, path.
14:07
So I modified the PATH variable,
14:09
and I pointed it to the temp folder, and I created my own netcat listener. You know, you can figure out what happened from there on. You can also use the set command. I used the set command in order to, you know, the set command,
14:26
you know, to get more information. And I know the major difference between the env and the set command
14:31
is that the env command will never modify shell or environment variables, you know, while the second one will.
14:41
And, you know, again, you guys, this is just a summary of some commands you can use to actually try to escalate privileges. And when I say try to escalate privileges, what I really mean is to gather as much information as possible so you can actually, uh, you know, do that.
14:58
For example, I remember that the command to show the kernel version
15:05
or some more information about the operating system, for example, uname -a.
15:11
For example, I can just take a look at this and put, for example... Remember the database we talked about in the beginning, Exploit-DB.
15:24
I can go here, and I can actually, you know, uh, search Linux
15:30
and this version.
15:31
And I bet there's a couple. Okay, look at this. Linux kernel 2.6, and that's actually the one I'm looking for, 2.6.x, which, you know, it doesn't matter what follows next, and, you know,
15:46
privilege escalation, so I can actually take a look at it, and it's in C. I can actually just download this and try to execute it. Also, sometimes it will work and sometimes it will not work because of the environment. You know, you cannot actually see or know that if,
16:06
you know,
16:06
for some... let me just give it a try. I don't know if GCC is installed here.
16:11
Okay, it's not installed, so I'll have to install it, and since I'm a normal user, this might or might not work. But you get the idea. You can look for tools. Let me see if Python is here now. It's not installed as well. So, Perl, maybe.
16:26
Oh, yeah, Perl seems to be installed.
16:30
Whoops. Okay. Um, uh,
16:33
so, yeah, maybe you can find a Perl script to escalate privileges. Or you can actually, um,
16:41
get this, this, uh,
16:44
this exploit, compile it in your operating system and see if you can actually send, um, the executable file back to your victim system and see if you can actually, uh,
16:59
escalate privileges. That's the point. So, uh,
17:03
you know, this is how you gather information and how you can actually, uh,
17:08
try to escalate privileges from the operating system point of view. And finally, you can actually look for something specific to the operating system. Maybe, you know, there's a printer connected. So let me just execute this command.
17:22
It will probably fail because I don't have any printer here. lpstat...
17:29
whoops,
17:30
uh,
17:33
for example,
17:33
that's okay.
17:34
Okay, now it's not even found, the command. You can just type the command to actually see if there's a printer, and maybe there's, ah, a job, you know. lpstat, this command, what it does is that it prints, you know, checks the status of the LP print services. And when I say LP, I mean
17:53
the files for printing,
17:56
um, you know, or maybe pending print jobs that are, you know, not printed just yet. And maybe they were trying to print something, you know, confidential or something like that, that will help you to escalate privileges or to do something else. The point is that you need to gather as much information as possible.
18:15
What does it achieve, the command cat /etc/issue? Remember what we talked about, what is saved inside the issue file? Well, this issue file is a text file that contains a message or system identification to be printed
18:34
before the login prompt. So we can cat this out and maybe find out
18:40
more about this information.
18:42
What does the command uname -a achieve? Well, we said at the beginning of the video, I believe, uname is short for, you know, UNIX name, and it will tell us, ah, you know,
18:57
more information about the operating system, like the name, the version and other details
19:03
about the machine, and, you know, again, the operating system we're running now.
19:10
Well, in this video we learned the concepts behind this technique, and we implemented and executed some commands to help us escalate privileges. Supplemental materials: this book. This book will be yours, this book, for the rest of the sessions for privilege escalation: Mastering Kali Linux for Advanced Penetration Testing.
19:30
Uh, I read it a while ago, and it contains really, really useful commands
19:34
and ideas, because at the end, this is what I'm trying to give you: ideas of how to escalate privileges. You cannot close your mind and tell me that you're just going to execute the commands that I gave you today. I just tried to give you, you know, ideas I've had to gather information for your privilege escalation process,
19:53
and there's always this guy, g0tmi1k. Hands down, he's one of the best guys I know
19:59
in the business.
20:00
Basic Linux Privilege Escalation: he has a post about this, and talks about these commands and more, many more, many, many other commands to escalate privileges and to get other information.
20:12
Looking forward, in the next video we'll cover Linux applications and services, again in the privilege escalation series. Well, that's it for today, folks. I hope you enjoyed the video, and talk to you soon.


Instructed By

Alejandro Guinea
CERT Regional Director
Instructor