Time
14 hours 43 minutes
Difficulty
Advanced
CEU/CPE
15

Video Transcription

00:00
Hello, everybody, and welcome to episode number 37 of the privilege escalation sessions: Linux networking.
00:09
My name is Alejandro Guinea, and I'll be your instructor for today's session.
00:13
The learning objective is to understand the concepts behind this technique and to apply and execute commands to gather information so we can escalate privileges in Linux. So let's get down to business, shall we?
00:26
So let me again follow the same structure, which is basically telling you what questions you should ask yourself, and what commands you can execute to actually try to answer those questions. So,
00:42
for example, you can ask: what network interface cards are in the system? Is the system connected to another network? You can start by
00:55
using the ifconfig command. A simple ifconfig should do the work.
01:00
And if you want to see more information, just add the -a.
01:04
Now,
01:07
some operating systems, some flavors of Unix and Linux, don't directly understand it, or maybe that path is not configured directly. So you can just go to the sbin folder and call the ifconfig command directly, /sbin/ifconfig. Then
01:26
it doesn't matter.
01:26
It will show you the same result. Now, you can also check a couple of files
01:32
where you can throw or print more useful information, like the interfaces file, for example. This file contains network interface configuration information for the Linux operating system;
01:49
this is where you configure how your system is connected to the network. Just
01:53
cat that out so you can actually see what it looks like.
01:57
You go to the /etc folder, network,
02:00
interfaces. Oops, sorry,
02:05
interfaces,
02:07
and you will see, this will of course contain very basic information. But if you were actually trying to escalate privileges on a server, you might find more output from this command,
02:22
and you can also go to the /etc/sysconfig/network file.
02:27
And what this file does is that it contains additional information
02:30
for the network interfaces on the system. For example, you can define IPv4 networking, IPv6 networking, the hostname of the system, the IP addresses, the default gateway. All of that information you can find out in that file. Let me just cat it out for you
02:51
so you can see what I'm talking about.
02:58
Oops, it's the /etc folder, sysconfig folder.
03:04
It seems it's not present in this operating system, in this flavor. But you can also try to locate the network file.
03:15
Or you can just go to
03:17
different information, or try to locate different files that actually contain the information you're actually looking for. So that's that.
03:30
Other questions you should ask yourself... let me just clear this.
03:37
Another question you should ask yourself is: what are the network configuration settings? What can you find out about the network? Do you have any DHCP server service, or do you have any DNS service? Can you find out what's the gateway?
03:55
Well,
03:58
you can start by using a simple command, or catting the file that might contain that information, which is located here,
04:11
and you can see some useful information here: search, the local domain, the nameserver, which in this case is obviously the one that's provided,
04:21
because this is a virtual machine. You can find more information about this system. This resolv.conf file is used to configure the system's DNS resolver. As you can see, it's plain text, and you can actually interact with it and even modify it if necessary.
04:41
Another file that is useful is the sysctl file.
04:46
I'll just cat that out for you while I explain what it is:
04:49
sysctl.conf.
04:53
And what this file contains, or what it's used for, is to configure the system.
05:00
Well, it allows you to make changes to a running Linux kernel.
05:06
With this configuration file you can actually configure various limits, networking, and system settings, such as
05:15
limiting the network configuration for IPv4 or IPv6, or maybe preventing against common attacks like a SYN flood or a ping flood. You can do a lot of stuff which is good for the system, but you can also find information that can actually help you
05:33
escalate privileges
05:34
in here.
05:35
Also, you can actually again go to the networks file, which is here:
05:45
networks.
05:46
And what this file contains is:
05:50
the purpose of this file is to translate between IP ranges and network names. It's used for tools like netstat and route, for example. It only works on class A, class B, or class C networks, and it does not work on subnets.
06:10
You can find useful information also by looking at this file.
06:14
Oops. Sorry.
06:15
And another thing you can actually apply is
06:20
iptables -L, and this will display the rules on the firewall.
06:28
iptables
06:30
-L.
06:31
And it will show you the rules in the selected chain, to be more specific. And finally, a simple command, hostname.
06:43
Maybe you can run this at the beginning. But you should be
06:48
setting aside all the information so you can give it an order after all the process. Because, as you can imagine, you will be getting a lot of information from this, from getting information from networks or network configuration, which is what we're looking at in this session.
07:09
But you can go back to the previous videos and you'll see that you will gather
07:13
a lot more information. And if you don't put that in order, or you don't put it in a way that makes sense to you, you will just end up with a lot of information without knowing what to do. Maybe this piece of information is not useful, but this information combined with maybe something you find out about the kernel or an application service running
07:31
in the operating system can help you escalate privileges.
07:35
So another question you should ask yourself is: what other users and hosts are communicating with the system? For example, you can start simply: if you know that port, I don't know, maybe 80, is enabled, you can just grep that out and look for it in /etc/services
07:54
/etc/services,
07:58
or, if you're more comfortable with the command, services, and just pipe that through grep
08:03
80.
08:05
You see it yourself, whatever works for you.
08:07
Yeah, you can see some useful information here. You can also use the netstat command, which we have been using for a while now. netstat
08:20
and you can use different flags, -antp, -up,
08:26
and it will show you some information. Maybe you don't want to see that, and you change it to -antpx
08:33
and you will see more information.
08:35
Maybe -tulpn.
08:39
And you can just... I'm sorry, man netstat, and see what all the flags mean and what information you will actually see when using those flags. I'm just trying to give you examples of what the flags look like and what information you might get from those flags. The point is that you will be able to actually
08:58
see what ports are open and where services are being used,
09:03
and maybe even the location, or what those servers are started, and the process ID information as well. Do you see that you can
09:11
gather a lot of information from using this simple command.
09:16
And finally we have the last command, which is basically a command that displays a list of last logged-in users. Let me just put last in here, and you will see this list. This might be useful. Maybe there's more than one user present.
09:33
Maybe you're escalating privileges on a server
09:37
that actually has, I don't know, 34 administrators, and maybe one of them forgot to, maybe, use a complex password or something like that. You can see who was logged in as the SA user. And finally, the w, just the letter w, and this command
09:56
is used to show
10:00
who is logged on and what they're doing. I mean, not who was last logged in, but who's logged on. And as you can see, I'm again... come on, man, what is happening to me today.
10:13
As you can see, I'm using the user root, and obviously root is logged in.
10:18
So you get the point.
10:20
Another question you should ask yourself is: what's cached? What cached
10:30
IP or MAC addresses? Maybe, for example, you can use the route command. The route command is used to show or manipulate the IP routing table.
10:39
It's primarily used to set up static routes to specific hosts or networks via an interface. So, for example, route
10:50
and you will see what's the route these machines are following, which is again not that long, because again, this is a virtualized environment. But you can imagine, if you're actually escalating privileges maybe on a web server or another server, this table will look a lot larger.
11:09
That
11:09
what I'm displaying right now on our command is, again, just like ifconfig, if it's not present, I'm just using this command because I've seen sometimes that route and other commands, some specific commands, are not present in the path, or the path is not defined. For example,
11:28
the path to the sbin, which
11:30
I'm pretty sure in a previous video I told you what sbin is.
11:33
I said you can just go to the sbin folder and call the command directly, maybe add a couple of
11:41
flags in here. The output doesn't change here, but again, this is because I'm using
11:48
really, a standalone environment.
11:52
Another question you should ask yourself is if you have a shell. Maybe, I don't know, in this case I'm showing you in Kali directly; we were previously using the Debian operating system. But I decided to stay here to
12:11
mix things up a little bit. The same commands will work in Debian
12:15
or in Kali, though; it will not change anything. So another question you should ask yourself is: if you have a shell, can you interact with the system? Maybe through a reverse shell back to you. Netcat and the like will be very useful for you to actually
12:35
get that information. Or maybe you're in a shell that is not stable, or the shell is not playing along with you; it's not getting the input from your keyboard or something. You can always send a reverse shell back to you, like
12:52
checking if netcat is actually present,
12:56
or creating a tunnel, or you can actually even create a bind shell if there's a firewall configuration or restriction over that. For example, let me just ssh
13:11
real quick to
13:13
the server.
13:18
Oops, it changed.
13:20
Let me see if the IP address works.
13:22
Yeah, seems to be working.
13:28
ssh.
13:30
Let me just go in like that.
13:33
Is it possible that someone was doing something nasty? Yeah, we were doing something nasty in the previous videos, so just to not bore you with that and fixing that, I will just continue with Kali. But if you have a shell, you can actually connect back to you. Let me just simulate the shell here. So we're the victim.
13:52
So you can now
13:54
yeah,
13:56
start a listener. If you go to your Debian system, you can use netcat, which is present in this case,
14:05
and
14:07
you can just
14:11
connect to Kali
14:13
and you have a shell.
14:16
So you see the point here. You can easily get that configuration and actually
14:22
use that to your advantage.
14:24
So another question you should ask yourself... again, you can also achieve that with telnet, by the way. You can actually telnet, for example. Let me just grab here again and telnet
14:37
right? Telnet. Oops,
14:41
telnet. Or let me just do this the other way around. I'll just put telnet here.
14:48
telnet,
14:50
for example, introduce the attacker's IP,
14:56
port 4444, and pipe that out to
15:01
the bin location. I'm just giving you ideas. This is a common one; you can actually google that
15:09
and search for reverse shell with telnet. Remember that we saw that with Python and Perl. Oops,
15:16
so, yeah,
15:18
it did.
15:20
You can actually use this technique, or you can use the other things we saw in the reverse shell and bind shell module in a previous session. I mean, in a previous module,
15:33
you can put here the attacker's IP and, I don't know, the port
15:37
and
15:39
okay, it's because I don't have telnet enabled in this machine,
15:43
in the victim's machine. But you get the point: you can actually enter the commands as well, and just let the telnet pipe, the telnet tunnel, do the work and give you a reverse shell.
15:56
You can, actually, if SSH is enabled... remember that we saw local port forwarding, remote port forwarding and dynamic port forwarding, and you can check if that is enabled. And if it's not enabled, you can actually try to use the mknod command.
16:15
The mknod command creates a special file
16:19
of a given type. But combining that with... let me just try to type this command.
16:26
Don't judge me. I'm just doing this on the fly. As you know, I just
16:33
used this technique
16:34
for a penetration test where the operating system was really old and didn't have... didn't have SSH installed. And it saved my life. I was able to get a reverse shell just typing this exact command that I'm showing you right now
16:52
on our port 4444,
16:56
and we create a backpipe here
16:59
and maybe
17:00
netcat,
17:06
I don't know,
17:06
8 or something like that. That depends on the IP you're trying to connect to, and
17:11
backpipe again.
17:15
And it will create something so you can actually connect to that. Let me try to connect from my Debian machine
17:22
and what port did I give it? 4444.
17:27
And it seems... very strange. Connect. The point is that you can actually get a reverse shell from that command.
17:36
You can either try with
17:41
let me just kill that. I'm sorry.
17:44
You can either try to create
17:48
a tunnel with telnet, or with Python as we saw in the previous video. It depends on what's enabled on the system and what your approach to doing that is.
18:03
What is achieved by the command cat is just basically showing you the network file
18:10
contents. Remember that we saw at the beginning of the session that the /etc/sysconfig/network file contains special, additional information that
18:22
will show you information about network interfaces on the system.
18:27
For example, you can define or enable IPv4 networking, IPv6 networking, the hostname of the system, the IP addresses, the default gateway, for example. You can find a lot of information in that file.
18:47
What is achieved by the command mknod backpipe? We saw that mknod is not naturally a command to throw reverse shells or to create
18:57
well,
18:59
tunnels, but you can actually combine it with netcat and stuff like that to actually create a backpipe so you can get a reverse shell, or a port relay if you like the name. This command can work as a proxy. And this is
19:17
I would recommend you to go first with the SSH approach.
19:21
If enabled, you can just use SSH. But if not, this is another cool option you can use.
19:27
In this video we learned the concepts behind this technique. We implemented and executed some commands to help us escalate privileges as well.
19:37
The supplemental materials are, as always, the book Mastering Kali Linux for Advanced Penetration Testing, and the post, the blog from g0tmi1k, which is basically about Linux privilege escalation.
19:48
Looking forward, in the next video we'll cover Linux misconfigurations and how we can take advantage of those misconfigurations to escalate privileges.
19:59
Well, that's it for today, folks. I hope you enjoyed the video, and talk to you soon.

Offensive Penetration Testing

This is a deep course about penetration testing. In this course, you’ll learn from basic to the most advanced and modern techniques to find vulnerabilities through information gathering, create and/or use exploits and be able to escalate privileges in order to test your information systems defenses.

Instructed By

Alejandro Guinea
CERT Regional Director
Instructor