Time
14 hours 43 minutes
Difficulty
Advanced
CEU/CPE
15

Video Transcription

00:00
Hello, everybody. Welcome to episode number 36 of the Privilege Escalation series: Linux Files. My name is Alejandro Guinea and I'll be the instructor for today's session.
00:12
The learning objectives of this session are to understand the concepts behind this technique and to apply the necessary commands to gather information so we can actually escalate privileges.
00:22
So let's get started, shall we?
00:27
First, again, let me connect back to the victim machine,
00:34
and I will follow the same structure as we have done so far, which is just me typing the commands and explaining to you what the commands are. Well, first, in Linux, you should ask yourself questions like: which configuration files can be written
00:53
in the /etc directory?
00:55
Are you able to reconfigure a service? Perhaps. You know, the /etc folder usually contains the configuration files for all the programs that run on your Linux or UNIX operating system. So by checking this out, you will yield
01:14
some useful information. For example, let me copy-paste this command.
01:18
I will be copy-pasting most of the commands because they have way too many options for me to type them out. For example, in this case, we're finding again if there's a configuration file that can be written by anyone, in this case,
01:36
or at least readable by anyone,
01:40
so we can just
01:42
see what they are. And, you know, maybe we can find something here. Look, for example, at the OpenSSL configuration; that's, you know, really dangerous to leave it like that. And, by the way, I would like to clarify: we're gathering as much information as possible.
01:59
So when you're actually going to exploit that vulnerability
02:02
here, you have all the information. There's always more than one way to actually escalate privileges. It could be by exploiting a vulnerability in an existing piece of software or tool or program that is running on the operating system.
02:20
But you can also take advantage of a misconfiguration or something like that. So
02:24
yeah, well, what we're doing in this series is to gather as much information as possible, so you can, you know,
02:34
take a look at all the information you have gathered so far and decide what's the best way to escalate privileges, because you don't want to go down the rabbit hole trying to exploit a vulnerability in a certain version of an application if you can just easily,
02:52
like, get, for example, the sticky bit, which we will see later in this video.
02:57
Uh, just a couple of, you know,
03:00
let me give you another command to achieve the exact same thing.
03:06
Oops, that didn't go fine. Again, it's maxdepth.
03:13
Just type it out and we'll see more information about this at the end. You can also type this other command to again find configuration files that can be written, or at least that you can read with permission, because they have permission for anyone.
03:31
Again, another command to achieve the exact same thing.
03:35
Ah, it could be as juicy: you can read or write, or at least we can read it; this one is read and execute. Uh, did you get the idea?
03:46
Maybe for a specific owner?
03:51
I mean,
03:53
copy-paste this one out.
03:55
If you want to actually see the files for a specific owner. Ah, here, maybe for a specific group,
04:04
or can be written by, I'm sorry, by a group or by your group
04:10
we're here.
04:11
Or maybe it could be, you know,
04:15
that's the point. You can find configuration files that can be accessed or written or executed, or at least read, by anyone, by a specific owner, or by a specific group. You get the idea.
04:29
And we can also go to the /var directory. /var, as you know, contains files to which the system writes data during the course of its operation. You know, /var holds variable data such as logs, news, mail spool
04:47
files and so on,
04:48
which are constantly being modified by the programs or the tools running on your system. And, by the way, /var is specific to each computer, I mean, it cannot be shared in the network with other computers, in contrast to other directories that, you know, you can actually share.
05:06
So let me
05:09
copy-paste a couple of commands in here to see if we can actually find what we find in the /var directory,
05:16
for example, logs.
05:19
Ah, we can see, for example, Apache. Maybe we can take a look at some specific logs. For example, if we have mail, this is really dangerous, because I have seen cases where the mail is saved in there and you can actually see conversations between a,
05:38
uh,
05:39
the user and maybe their boss or something like that.
05:43
So, yeah, we can actually get all these commands. I'm just copy-pasting them because I don't want to waste any time actually typing them. But, you know, you can just stop the video and, you know, copy the commands. But again, what I'm trying to do, guys, right here is to actually give you ideas
06:02
of what to look for or how to look for it,
06:04
and not just commands. And, you know, I don't want you to exactly repeat what I'm typing or, to be more precise, what I'm copy-pasting. I want to give you ideas so you can actually search for commands. You can copy-paste the commands, of course, but I want you to
06:25
get the idea.
06:26
And once you get the idea, you can search for more commands, or maybe specific flags for that command, specific options for that command, so it can give you the information you're looking for. For example, are there, do we have any services or files hidden
06:43
in a website? Maybe. You know, sometimes I have seen that once I'm in the system,
06:48
I saw that, when I was scanning the web server, I saw that there were more files, but, you know, they're not presented in, you know, the directory. So we can actually check this out like,
07:04
let me copy-paste it right here.
07:09
Do we have any hidden file that we might need to check? For example, key.png. That might be useful.
07:16
Let's go directly
07:18
to the Apache,
07:21
for example, this one right here.
07:25
Again, I'm just copy-pasting the commands that I, you know, used during the course of my penetration testing career. But, you know, some commands will work and some commands will not, because at the end, not everything is saved or created in the same directory. So, for example,
07:45
there's one here
07:46
in that file directory,
07:49
/var, for example. We can see that everything is in here. I mean, for example, that sounds interesting: hacker.png, robbie.jpg,
08:01
uh, you know, and maybe
08:05
some of this is interesting, but you get the idea. Maybe those were hidden files, so we can search for everything in that directory. Another question is: is there anything in the log files? You know, remember that we saw the remote file inclusion
08:24
and local file inclusion
08:26
attack. Well, we can actually write to any specific file. Or maybe we can see that there's some PHP code being executed in those files, or maybe expecting some input we can actually take a look at and see if we can perform local file inclusion. So,
08:46
for example,
08:46
these are simple commands. You guys, I just want you to get the idea of what to look for. Access logs in that file directory. Let me just
08:56
find in here. What? Oh, no. None.
09:01
So, check this out. Maybe logs.
09:05
Oops, we don't have any logs here. Apache, maybe.
09:11
Apache logs. Do we have anything called logs in here? Nope.
09:16
apache.conf, for example, or any kind of logs you can think of. Maybe
09:24
let me see
09:26
/var
09:26
logs
09:28
log, and Apache, for example. Oops.
09:31
How much? Oh, my gosh.
09:35
What's happening?
09:37
Something went wrong with my keyboard. You guys, don't judge me.
09:41
We can actually take a look at everything. Oops,
09:45
access is denied, anyway. Uh, yeah, you can. Oh, my God. Again, /var.
09:50
Come over here.
09:52
You can actually take a look at any different logs that might be, it could be interesting. For example, /var
10:01
/www. Maybe we have something for logs in here. No, we don't.
10:07
Ah, maybe, you know, the admin could contain something useful. Anything that is actually logs. You know, anything that can actually generate data or save data, or anything that you can think of for each service. Maybe you found a MySQL service running,
10:26
and you can take a look at the logs and see if we can actually
10:28
write, or maybe read from those logs, and maybe credentials. Or, you know, you can include information so that you can actually perform local file inclusion or remote file inclusion.
10:41
Another question you should ask yourself is, ah, maybe, I have seen cases where you get a reverse shell, but it's kind of a limited shell. It is not running a full bash or a full shell, like, you know,
10:58
you can. This attack is known as breaking out of the jail shell. Um, so you can maybe spawn a python shell. I really don't know if this contains python. Python?
11:11
No, we'll locate it. It's not even there. But yeah, I recall not seeing python in this operating system.
11:20
Yeah, it doesn't have python, but, you know, let me just copy-paste the command. But this is just a command you can actually find in every possible source: python -c, import pty,
11:35
pty.spawn, /bin/bash. And that's it, right? Maybe
11:43
you can echo your way out of the jail shell, for example. Something like echo os
11:50
/bin/bash? No,
11:52
you get the point,
11:54
or just a simple /bin/sh -i.
12:03
Yeah. And we already have a shell, and I'm still the user, because at the end I haven't changed or escalated privileges at all. Um, how are, you know, are the file systems mounted?
12:18
You can just type the word mount
12:22
and get more information. Um, df -h,
12:28
more information for that. Um,
12:33
maybe, ah, you know,
12:35
there's an unmounted file system, like we can just cat this file
12:41
and
12:43
for information,
12:46
right? And maybe we can escalate privileges by exploiting something not necessarily related to the operating system, but, you know, to how the operating system was configured, or maybe something was mounted.
13:01
You can mount it and, you know, see if it has more information, more files, or something like that.
13:07
Ah, we can actually also search for the famous and well-known sticky bits, SUID or GUID. You know, and this kind of the question is: what advanced Linux file permissions are used? For example,
13:26
we can, let me just copy-paste the command in here,
13:30
and I will explain it to you right away,
13:35
so, ah, sticky bit. This is the famous sticky bit: only the owner of the directory or the owner of the file can delete or rename it. But, you know, we basically need to know what files are executed with root but could be, you know, modified by, you know, anyone
13:54
outside
13:56
or, you know, for example, by a normal user or something like that. We could see /tmp. This was kind of expected, but, you know, there are other files that might not be as expected as /tmp,
14:07
right?
14:09
Another command.
14:15
You see the group in here, not necessarily the user.
14:22
And we can see more files in here. Um, now, uh, for example, this, let me just copy-paste this. This is a for loop,
14:31
and I will explain it to you
14:33
right away. Uh, this will look in the common places like /bin, /sbin, /usr/bin, /usr/sbin, /usr/local/bin, you know, all the common places, to see if we can find something with the sticky bit or, you know, SUID.
14:54
It will help us, like... Oh, I didn't put something correctly in this, but this is the command. That's the point.
15:05
Ah, another question you should ask yourself is: where can I write or execute from? You know, the common places again: /tmp.
15:16
It's a common place, but, you know, sometimes you find yourself not being able to, maybe you already found what exploit to use to actually escalate privileges, because you already, you know, performed other techniques we have seen so far, and you found out that there's an application running with a specific version that is actually vulnerable
15:35
to privilege escalation.
15:37
Ah, or you find an exploit for that specific kernel version or that specific operating system version. So you just want to find files or locations where you can write. So we can see that, and we can write to all of these locations.
15:56
Again, /tmp is the most common one. But, you know,
16:00
maybe you can find world, what we found right now is the world-readable folders. There's a bunch of commands you can actually use for that. Uh, for example, if you don't want to use the word, you want to use
16:17
the numbers. You can just,
16:19
uh, execute this command.
16:22
Again, guys, I'm going a little bit quicker in this video.
16:29
I want you guys to understand the concepts and not just, you know, copy the commands. You can always pause the video and check all the commands.
16:41
For example, let me just, I will give you another command: world-readable
16:48
files. See here,
16:51
and, you know, permissions and everything. But you get the point. You can write to these files and everything. So, yeah, this could, you know, these commands just show you not how to, but, you know, what questions you should ask yourself when you're actually escalating privileges
17:12
in this video. Well, first, let me ask you a couple of questions about the video. What is achieved by the command ps dash ox?
17:26
What's seen?
17:29
I think I didn't execute the correct
17:32
script right now, so my apologies for that, guys. What's achieved by the command find, and that command? I mean, I don't want to say it out loud, because it's kind of difficult. Um, what's achieved by that command? You can always cheat and go back in time to see the video,
17:51
and that will be fine,
17:52
because I understand that those commands are really long, really lengthy, and, you know, trying to memorize them might be difficult. So this is, no, the /etc folder usually contains the configuration files for the programs, and what we're doing with the first command is to try to find
18:11
which files can be written
18:14
or at least accessed or read from the /etc folder, in this case by anyone, in this specific command. What is achieved by the second command? You guys, don't judge me, I don't want to read all that. Uh, what's achieved by that command? Actually, that's one of the, that the
18:33
the command with Saudi at the very end,
18:36
this command will point out, you know, world-readable files that you can actually see. Maybe the file is executed with privileges or permissions, but it can be written by your user, and that will give you a good advantage in escalating privileges.
18:55
In this video, we learned the concepts behind this technique,
18:59
and we implemented and executed some commands to help us escalate privileges.
19:04
Ah, some material you can check: again, the book Mastering Kali Linux for Advanced Penetration Testing. Good read. And basically the Basic Linux Privilege Escalation post from g0tmi1k.
19:18
Looking forward, in the next video we'll cover Linux networking. All right, that's it for today, folks. I hope you enjoyed the video and the session.
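As an added example (not the course's own commands, which the instructor copy-pastes on screen), here is a small POSIX shell audit that covers the checks the lecture walks through from a defender's side: configuration files under /etc that anyone can write or read, and SUID/SGID executables in the common bin directories. Every path and file in it is a constructed sample tree built under mktemp, so it runs without touching the real system; point the functions at /etc and /usr/bin to audit a real host.

```shell
#!/bin/sh
# Added example, not the course's own commands: audit a tree for the file
# permission findings the lecture enumerates (world-writable config files,
# world-readable config files, SUID/SGID executables).
# All paths below come from a constructed sample tree unless you pass a real one.

# Files under $1 that any user can write (other-write bit set).
audit_world_writable() {
    find "$1" -type f -perm -0002 2>/dev/null | sort
}

# Files under $1 that any user can read (other-read bit set).
audit_world_readable() {
    find "$1" -type f -perm -0004 2>/dev/null | sort
}

# Executables under $1 that run with the owner's (SUID) or group's (SGID) privileges.
audit_suid_sgid() {
    find "$1" -type f \( -perm -4000 -o -perm -2000 \) 2>/dev/null | sort
}

# Portable line counter (avoids the padded output wc -l prints on some systems).
count_lines() {
    n=0
    while IFS= read -r _line; do n=$((n + 1)); done
    printf '%s\n' "$n"
}

# Build a constructed sample tree in a temp dir and print its path.
make_sample_tree() {
    root=$(mktemp -d) || return 1
    mkdir -p "$root/etc" "$root/usr/bin"
    printf 'db_pass=example\n' > "$root/etc/app.conf"
    chmod 0666 "$root/etc/app.conf"        # world-writable: the finding
    printf 'level=info\n' > "$root/etc/safe.conf"
    chmod 0644 "$root/etc/safe.conf"       # readable by all, writable by owner only
    printf 'secret\n' > "$root/etc/private.conf"
    chmod 0600 "$root/etc/private.conf"    # owner only: no finding
    printf '#!/bin/sh\n' > "$root/usr/bin/helper"
    chmod 4755 "$root/usr/bin/helper"      # SUID: the finding
    printf '#!/bin/sh\n' > "$root/usr/bin/plain"
    chmod 0755 "$root/usr/bin/plain"       # ordinary executable
    printf '%s\n' "$root"
}

# Run with --demo to see the audit on the sample tree; on a real host call
# e.g. audit_world_writable /etc and audit_suid_sgid /usr/bin directly.
if [ "${1:-}" = "--demo" ]; then
    root=$(make_sample_tree)
    echo "== world-writable under $root/etc";  audit_world_writable "$root/etc"
    echo "== world-readable under $root/etc";  audit_world_readable "$root/etc"
    echo "== SUID/SGID under $root/usr/bin";   audit_suid_sgid "$root/usr/bin"
    rm -rf "$root"
fi
```

The numeric `-perm` forms are the "numbers" version of the checks the instructor mentions: `-0002` and `-0004` test the other-write and other-read bits, while `-4000` and `-2000` test the setuid and setgid bits. On the sample tree only app.conf shows up as world-writable and only helper as SUID; run the same functions against the real /etc and bin directories and review anything unexpected, since a world-writable config or an unfamiliar SUID binary is exactly what an attacker with a low-privileged shell would be looking for.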


Instructed By

Alejandro Guinea
CERT Regional Director
Instructor