Time
14 hours 43 minutes
Difficulty
Advanced
CEU/CPE
15

Video Transcription

00:00
Hello, everybody, and welcome to episode number 35 of the privilege escalation series: Linux applications and services. My name is Alejandro Guinea and I'll be the instructor for today's session. The learning objectives of this session are to understand the concepts behind this technique and to apply it and execute commands
00:19
to gather information, so we can escalate privileges. So,
00:22
let's get down to business, shall we?
00:25
Let's connect back to our victim's shell. You know, remember, this is the privilege escalation series, so it assumes that we already have control of the victim machine,
00:36
but obviously not with administrator or root privileges.
00:42
So now we're in again. whoami. Remember, this is the same machine we used in the previous video. So let me follow the same structure and give you the commands and the explanation for each one. We can start by, you know,
00:58
checking all the processes that are actually running, or the services that are actually running. So ps -
01:04
oops. No, no rush.
01:07
And, you know, we'll see a lot of information here. Basically,
01:12
what this means is that it will show all the processes for all the users. You might be wondering what the x means, and x is a specific user... I'm sorry, it's the access, you know, it means any user. It is just telling it, OK, I want all the processes running for any user.
01:30
But maybe you want to escalate privileges
01:33
or maybe change user. For whatever reason, I have seen cases where a file, you know, is executed by a certain user, not necessarily the root user, and for some reason you want to check the file. For example, you can change the x for root. It will tell you
01:52
it will tell you all that. Let me just give you this.
01:57
It will tell you all the names,
02:01
all the processes that are, you know, running under the root user. And you can just change, for example, the user, which is the one I'm using right now. And as you can see, all the bash processes, and that's fine. I mean, the point is that you can actually, uh, list
02:16
all the... all the services and processes that run for that
02:22
specific user. You can obviously get the same... maybe not the same, but, you know,
02:29
uh, a subset, but that may be the same result, by grepping the output, like root or something. It will tell you what processes are running, and this also goes for a user.
02:42
You know, nothing new here. Maybe you will get more information that way, but, you know, it's up to you. The point is that you can check all the processes and services running under a specific user. You can also use the alternative option, which is the -f,
02:58
um,
02:59
flag.
03:00
This will... you know, the -e option generates a list of information about every process that is currently running on the operating system, and the -f option generates a list that contains fewer items of information for each process. Maybe you're in a limited shell, or maybe you don't have,
03:20
you know, want too much information; you just want the basics.
03:23
You can use this, you know,
03:25
uh,
03:27
flag, instead of the, uh, aux flags. The other command you can use is top,
03:36
and, as you can see, it is more interactive than the previous command. The top command is used to show the Linux processes. It provides a dynamic, real-time view of the running system. Usually this command shows a summary of information about the system at the top of the list,
03:53
at the top of the list, and, you know, at the bottom of the list it will show you the processes that are actually running. As soon as you run this command, as you can see, it will open an interactive command mode where the top half portion will contain the statistics
04:10
of the processes, you know, maybe the resources that are being consumed
04:15
by these processes or something like that. And the lower half, at the bottom of the list, will contain the list of the processes currently running. So, yeah, this is... to quit, just type q, and that's it. Maybe you can... you will, you know,
04:34
you want to find out more information about
04:36
the top processes being run, and, you know, that will help you to gather more information. Um,
04:46
then we have /etc/services. For example, let me just cat it here.
04:53
And you see all the ports in here, and basically in Unix operating systems this file stores information about the services that the client applications might use on the computer. Maybe, you know, you see something really
05:12
different. For example, if you type netstat.
05:16
Whoops. Sorry.
05:18
That's that. So,
05:25
you know, and maybe you see a port... I don't know, a port, for example, this one: what does that port mean, or something like that? I mean, the point is that maybe you see a higher port, maybe a port that you're not familiar with. You can actually check that out. And if it turns out that the, uh,
05:44
system administrator just changed the port of a well-known service,
05:47
you can check that out in the /etc/services file. Um, you know, this
05:55
also includes aliases, so you take that out. The port numbers are mapped to specific services, much like the hosts file on a Windows computer maps a host name to an IP address. So, you know, that's the beauty of this file.
06:11
Ah, another thing that you can check is what applications are actually installed, or which versions; are they currently running? You can easily check that by just running... let me just give you here: ls... oops.
06:28
ls -alh. Um,
06:32
yes,
06:33
then,
06:35
and, well, let me first clarify. You know, ls -alh means that ls will list everything that is in the /usr/bin folder, and the -a means do not ignore entries, you know, that start with a dot. So it will basically list all
06:56
of the, you know, files or directories that are in that specific path.
07:01
The -l means use a long listing format, and the -h means it will print it in a human-readable format. That's it. We can see a lot of information here, you know, what applications might be installed.
07:18
Remember the /usr,
07:21
or the /usr/bin folder, you know, directory, contains most of the executable files, you know, programs that are not needed for booting, you know, or repairing the system.
07:36
On the other hand, we can also go to the directory /usr/sbin.
07:44
It will list more information, and basically what this folder contains is, you know, executable files as well, or programs, but they are mostly administrative tools,
07:59
so that should be available to any, you know, to any other user other than root, or, you know, an administrative user.
08:05
Anyway, we can find more really good information here in these folders, and we can also use the dpkg... dpkg, which is basically, you know, a tool to extract, analyze and unpack, or also install and remove files
08:24
or applications.
08:26
Um, for example, if we want to find out, you know, the list of installed packages on that system, we can just use dpkg -l.
08:37
And it will print a list of installed packages on the system. Maybe we're, you know, after something, some vulnerability specific... let me, for example, we see that there's Apache here, and then again we can just copy-paste the version and go to our page, you know, and just type here
08:56
Apache,
08:58
something like that.
09:01
And it will tell us something. We can just
09:03
add the 2.2, and it will tell us something,
09:07
for example, privilege.
09:13
You get the point. I mean, we can start searching for exploits, and, you know, we're just gathering information to see what exploits are available,
09:22
and, you know, we can check if any other services' settings are misconfigured. You know, does this system have any vulnerable plugins attached? For example, we can just cat
09:41
that... cat the... this is the syslog,
09:46
if it exists.
09:48
It doesn't seem to exist here. syslog.conf, it doesn't exist here. But, you know, the point is that you can actually search for misconfigured plugins, for example.
10:00
I mean, I know that it contains Apache, because we just saw it, so Apache,
10:05
apache2.conf. Oops,
10:11
that comes. So maybe we can find if it has a plugin enabled or installed, for example, something in Perl or Apache or something, I'm thinking of Perl, or some extension that we can actually, um, use to escalate privileges. Um, you know, you get the point. We can find
10:31
as much info as possible in this. For example, if we have
10:35
ah, a CUPS service, maybe we have a printer. So we can... we can actually search for all this information in this folder. Um,
10:46
do we have any cron jobs? For example, crontab... crontab -l,
10:54
uh, okay. No permissions to do that. Maybe I can actually list
10:58
the folder,
11:01
since I don't have permissions to cat the crontab.
11:03
Okay, I can actually cat the folder. I don't see anything here. Uh, maybe it's /etc/cron.
11:13
Okay, access denied. And, uh, maybe,
11:16
I don't know, crontab...
11:20
crontab.
11:22
Okay, I can see that. I can actually, you know, check it out. So maybe
11:28
it's /etc/crontab,
11:31
and we can see, you know, something useful in here. The point is that cron jobs are especially useful because maybe sometimes, again, I have seen cases where the sysadmins or the user itself
11:45
has configured a cron job to run a specific file, but it's not... maybe it's not placing the full path of the file. Maybe he's using
11:52
ah, an environment variable
11:56
that you can actually change with the set... with the set command. And, you know, the cron job will get the information from the environment variable and, you know, get the path to the file.
12:13
Since you changed that, you can actually change and create your own file to be executed
12:18
with the permissions of the cron job, or, you know, most of the time, with root privileges. So, yeah, the cron... the cron jobs are a good place to start. For example, if you want to check... I mean, I just did it manually with the ls here, checking files and seeing, for example, this
12:37
configuration file.
12:39
But if you want to check, you know, maybe, ah, all the files, and which one contains the word pass or password or something like that, you can just use this simple command
12:54
and, you know, let me just stop it right there, uh, so I can explain it to you. The -i means ignore the text case. I mean, it could be uppercase, lowercase, whatever. The -r, the -r part,
13:09
it says recursively search files in subdirectories, and the -l, I'm sorry, it shows file names instead of file
13:20
content portions, because if I didn't add it,
13:26
it will actually give me
13:28
the information that I need to... actually I need, uh,
13:33
the path to the file that actually contains the text that I'm looking for.
13:37
So, yeah, you can search all of that. At the end, anything that is a service or an application, it could, you know, again, you can check the packages installed or the applications installed and maybe search for vulnerabilities in certain application versions, so we can escalate privileges.
13:58
What is achieved by the command ps -aux?
14:03
It means this command will show you all the processes for all users. You know, the x means that it will show all the processes for any of the users. You could change the x, as we saw at the beginning of the video,
14:18
by something like the user name specifically, like, for example, root or another name, to actually show the processes
14:26
running under that specific user.
14:31
What is achieved by the command grep -irl and, you know, the text you want to find? Basically, well, it will, you know, search for that text. The section that says "your text to find", it will search for that text in the directory you're specifying.
14:50
The -i means ignore the text case; it could be uppercase or lowercase.
14:56
The -r means to recursively search files inside directories, and the -l means show the file names instead of the file content portions.
15:11
In this video we learned the concepts behind this technique, and we implemented it and executed some commands to help us escalate privileges.
15:18
Ah, supplementary materials. Also be aware that this book, Mastering Kali Linux for Advanced Penetration Testing, is a good read, and there's always the Basic Linux Privilege Escalation post from a blog by g0tmi1k. You should definitely check that out,
15:37
and looking forward to the next video, we'll cover Linux files,
15:41
as always, for the privilege escalation series.
15:45
Well, that's it for today, folks. I hope you enjoyed the video, and talk to you soon.


Instructed By

Alejandro Guinea
CERT Regional Director
Instructor