Time: 14 hours 43 minutes
Difficulty: Advanced
CEU/CPE: 15

Video Transcription

00:00
Hello, everybody, and welcome to episode number 38 of the privilege escalation session, Linux Misconfiguration.
00:08
My name is Alejandro Guinea and I'll be the instructor for today's session.
00:12
The learning objectives of this session are understanding the concepts behind this technique and applying and executing commands to gather information seeking escalated privileges.
00:22
So let's get down to business, shall we?
00:26
So the question, the question you should first ask yourself is: what can I, how can I gather confidential information and users, you know? Who are you? Who is logged in? How do you know who you are? What credential did you steal
00:45
to get a low-privilege shell,
00:48
who has been logged in? Who else is there? You know, what can you do about that?
00:53
So first you can start by simply typing id, which is, you know, a command
00:59
which prints the user id of the user and the group ids you belong to,
01:06
and, you know, a user id, you know, I mean a unique identifier for a user, and it identifies the user, while a group id can consist of more than one user. You know, simple, simple logic. You can just type id.
01:23
And you can look at it as well. Well, let me just ssh to our victim
01:27
again.
01:30
In the previous video I used Kali, but, you know, to mix things up a little bit, let me just, I'm sorry, ssh to another Debian machine. So, id. As you can see, I'm not root in this machine. You can also type the command who.
01:48
The who command lets you display the users that are currently logged in to your Unix computer. You know, the basic who command with no command line arguments shows the names of the users that are currently logged in, depending on which Unix or Linux system,
02:06
I'm sorry, Unix or Linux system, you're using. It also shows you
02:09
the terminal or the shell that they're logged in on and the time they logged in.
02:16
In this case, you can see, it's pretty obvious, the time I logged in and who is logged in again.
02:22
You can also use the /etc/passwd file, which is well known, you know, this is a text file that contains the attributes, like, you know, basic information about each user account on the Linux computer.
02:40
The permissions for /etc/passwd are by default
02:46
set to world-readable. I mean, anyone in the Unix system or in the Linux system can actually read it. Each line contains seven attributes. You know, the name, the password; obviously, the password is not in clear text,
03:01
and not present most of the time in the passwd file. That's where we have the shadow file.
03:08
The user id, the group id, you know, home directory, shell, and, you know, all the fields that you can possibly imagine that you can actually see. Let me just cat that out for you, although I think you have seen it several times in the past. Maybe you want a cleaner output.
03:28
You can, let me just copy-paste the command that I have here.
03:32
cat /etc/passwd | cut -d, oops,
03:40
and you can find a list of users. If you don't want to see all the other output, you can filter it out, and you can even grep that output to find more specialized information. Let me just copy-paste this exact command.
03:57
Yeah, this command is to list all of the super users. We tend to assume that root is the only super user present in a system, but we might be missing something. So it is worth running commands like this, so we can actually see
04:12
if there's another super user present in the operating system that you can actually use to escalate privileges.
04:19
Another thing that you can view is to cat the sudoers file. You know, the sudoers file contains information regarding privileges for different users and groups on the server. For example,
04:34
cat /etc/
04:36
sudoers.
04:39
And, you know, as I said, I'm not root in this case, I cannot see it, but we can always go to our Linux, our Kali machine and see, you know,
04:50
what this file contains. And you can see that it contains very useful information, so we can escalate privileges.
04:58
Another question to ask yourself is: what sensitive files can be found? For example, /etc/group. Let me just cat that out for you as well. /etc/
05:12
group.
05:14
And in this file, you can see
05:17
the groups to which users belong on this Linux operating system. And this might be good information for you. Maybe you're looking to escalate privileges not necessarily to root, but to another specific user that has permissions for a file or a folder or whatever.
05:35
So this file can help you
05:38
find that information.
05:41
Do you have access to the shadow file? Most likely you will lack the permissions if you have a low-privilege terminal or shell. But let's give it a try.
05:54
We never know.
05:56
/etc/shadow.
05:58
And, you know, permission denied, as is expected. Because if you actually have permissions to this file from a low-privilege terminal shell, you can actually brute force or, like, perform some kind of password attack. Remember, we saw that in a previous module:
06:14
you can actually perform a password attack, like using tools like John the Ripper,
06:18
or just john,
06:20
for example,
06:24
to actually brute force these, either with, like, a rainbow table attack, which, you know, uses pre-hashed passwords, or, you know, just brute force it, like starting with 1111111, and you get the idea. Yeah, you can brute force that. Maybe,
06:42
to see if there's a mail
06:44
in there. I've seen, I've been in cases where I didn't find any, you know, obvious way to escalate privileges. But as I told you before, there is more than one way to escalate privileges. I've used several times the mail, the /var/mail folder. Let me just
07:02
show you that.
07:04
Oops.
07:12
And you can see that, no, there's no information. I don't have any mail, I don't have any mail server on this specific machine. You know, this folder is where the user's mailbox files are allocated. So I've seen, I have, you know, been able to get useful information
07:30
from these folders,
07:32
and I even once was able to escalate privileges because the password was given to the user via this email and he didn't change it at all. So yeah, it is as simple as that. It was just, you just type the su command and change user as needed. And that was it.
07:53
Another question to ask yourself: is there something interesting in the home directories? Maybe we're trying to go for the root
08:03
folder.
08:05
ls -la
08:09
Okay, authorized_keys. Maybe we can actually list that.
08:16
Nope. Seems that we cannot list that. Let me see if I can go to that
08:33
victim.sh. What is that?
08:37
cat victim.sh
08:41
Permission denied. Okay, okay. But you can see that we can actually find really juicy information in there. Well, let me just, anyway, cat that out, the authorized
08:54
keys.
08:58
No such file or directory. Okay, anyway, you get that, you can get useful information from the root folder. And what about the home folder? Maybe we can
09:09
go back a couple of commands
09:11
and cd /home.
09:13
And maybe there's some useful information. For example, this,
09:18
this seems like a git, you know,
09:22
good,
09:24
good place to go and find information. Let's see, we can actually cat that out. Oh, and we can cat, I was missing that part, .ssh
09:33
authorized_keys.
09:35
And you can see we can find pretty useful information in here. Yeah, I get it, you're saying this is a public key. Believe me, you can look down and sometimes, to an SSH service, you see the keys are not necessarily using a password. And most of, you know, most of the time, sometimes this,
09:56
the path to this private, to the private keys to log in to, no, to the key pair itself. Meaning the public and the private key were not properly created. And, you know, you can
10:11
find that the permissions to read those files were not properly created.
10:16
But, you know, you get the idea. You can get that information from those folders and see if you can use it to escalate your privileges.
10:24
And, you know, another question you should ask yourself is: what has the user been doing? Is there any password in plain text? What have they been editing, for example?
10:35

10:37
Let me just try to see if we can find useful information here. cd,
10:43
go to the home folder,
10:46

10:46
and see, let's see, we can find here, for example, .bash_history.
10:52
Well, all right, we already talked about the bash history
10:56
and, you know, on exit, .bash_logout. What? No,
11:01
we can find more useful information.
11:03
And you can see that there are a lot of files and
11:09
folders that you can actually use to get that information for you in order to escalate your privileges.
11:16
What user information can be found? Again, all of this can show you, for example, that .bashrc
11:26

11:28
is more useful information for you to actually take a look at. Maybe there's a password in clear text by mistake in here, you know, you can.
11:37
This is for a specific user behavior question. Again, what has the user been doing lately? Maybe he was logged into a plain text service, like telnet, and in the bash history you can actually see the commands he used. And maybe, you know, he logged into an FTP or something where he put the password
11:56
directly into the command.
11:58
And, you know, you can see the password in there. So yeah, another thing that you can take a look at. Can you find private key information? You know, so you can actually take a look at them,
12:13
what this will look like. For example, maybe you're trying to look into an SSH service:
12:22
ssh.
12:24
And, you know, for example, ssh
12:26
config?
12:28
It will give you a good idea of what the service is actually expecting to do. Or maybe you can, you know,
12:35
modify this file and accept public, I mean private keys, as long as it has legit information. Maybe not necessarily just passwords.
12:45
And you can get an idea of what to do next.
12:48
For example,
12:50
ls /etc/ssh.
12:52
I don't know, host
12:54
dsa key or something, that .pub.
12:58
And you can get that information. Maybe there isn't, there is a key pair set.
13:03
Oh yeah, there is. And you can get the idea, for example, maybe
13:07
not
13:09
here. Actually, denied, obviously, it is the private key. But there is, for example, there's a vulnerability in some SSH versions, OpenSSH to be more specific, where the number of private keys or key pairs that were created had a limited number,
13:26
like, I don't know, like three million or something. I mean, I know
13:31
it sounds like a big number, but, you know, with the power and the resources we have nowadays, you can go through that list or create that list really quickly. So there was a limited number of key pairs that you can generate with this specific OpenSSH version.
13:48
And you were able to just get the public key and find all the,
13:52
all of the possible private key combinations. And obviously there's just one match to that specific public key. So you were able to find out what specifically the private key was, you know, that matched that public key you are, you know, watching right now. So let's assume, I'm getting ahead again,
14:11
so let's assume that this was
14:13
a public key that you, off this vulnerable OpenSSH version, you were able to just copy that and, you know, compare it to your list that you generated, again, like three million records or something like that, and that list would tell you what the specific
14:31
private key was, able to, you know, the match to that public key.
14:37
And you know, you get the idea. Now I know that we have been
14:41
checking a lot of commands. We have been, you know, using a lot of techniques. And I hear you screaming to my monitor saying,
14:54
can we actually create a script to do that? I mean, I know that sometimes, sometimes we're in a hurry because we need to escalate privileges really quickly. And yeah, you can actually download a really simple command. There's someone that already thought of this, and, you know,
15:11
let me just
15:13
get that for you.
15:16
Let me just, this is a technique that I have used several times before because sometimes the machine doesn't have, or maybe there is a proxy in the middle. So maybe you can just go to this directory and you will see the script,
15:30
which is linuxprivchecker.py, obviously in Python. Oh, and you know, I can put it on my web page and, you know,
15:39
I can, you know, download it from my Debian machine.
15:43
But the point is that Debian doesn't have, for example, [unclear]. As I, from a previous module, I learned, in our previous session we learned that in this machine we only have permissions to write to the /tmp folder, which is the case most, most of the time.
16:02
Let me just, let me get that for you.
16:11
You know, linux
16:12
priv checker
16:15
.py
16:15
Permission denied. Oh, I didn't get the permissions, okay, chmod,
16:21
or I'm not allowed to write to the /tmp folder, am I?
16:26
Oh no, I'm not allowed into the /tmp folder. I'm sorry, you just go to, obviously you don't have permission to write to the root folder. It will be awesome. cd /tmp
16:37
and just type the same command. And I don't love it, but I don't have Python installed on this machine. So you can just go ahead and install Python, or, you know, again, you can just try to find another script that achieves the same goal, which is just running all this in an automated fashion. So let me just, here,
16:56
run that command and let me just su to
17:00
the other user, which is not privileged.
17:03
I don't have privileges. And let me just execute that Python,
17:08
what did I say? This one
17:11
in the /tmp. Okay.
17:15
And how did I call it? Linux privilege escalation, .py.
17:18
And it will give you a lot of information. It will give you, you know, even give you some,
17:26
let me just go to the beginning of this long, long list.
17:33
You know, you have to learn how to read all this output and see what are the most useful results for you. For example, mount information, netstat, the interfaces,
17:48

17:49
the cron jobs, where you can take a look at what is this doing actually. Global cron, can you modify it? Users, you know, information from the Linux machine. Super user found: maybe there's more than a root user.
18:08
The environment variables,
18:11
all users, you know, current user, world-writable directories. You can take a look at, you can write over these world-writable files
18:22
and you get the idea. A lot of files in this machine.
18:26
Let me just
18:29
go back, go a little bit down in here.
18:32
A lot of files, a lot of files, as you see. Remember that we talked about the setuid bit, where we can actually modify it and run it as root or as administrator? Well, there's a lot of files. Maybe we cannot modify some of them, but we can run them, or maybe
18:51
change the path or something.
18:52
Logs containing the keyword password, for example. A lot of files containing the keyword password. The cron jobs, the processes. And, you know, let me just skip to the bottom of the list. And, you know, the following exploits are ranked higher in probability of success because this script detected
19:11
a related running process, operating system or mounted file system.
19:15
So isn't this amazing? I mean,
19:18
the script is basically telling you: okay, go to this specific web page, download it. It's even giving you the language. Go to this specific web page, download it and use this script to escalate privileges. So this is amazing.
19:36
I mean, now you can get all of the, all of the automatic
19:41
information that we gathered before in this fashion. Now, the problem is that not, not all the time you get access to the Internet when you're
19:51
actually escalating privileges, or maybe the machine doesn't have, there's a proxy in the middle that will detect you're trying to actually download a script, a malicious Python script. Or maybe there's an antivirus. Or, you know, you can face all these problems. So
20:07
this might be an option sometimes, but other times you will have to go through all the steps that I showed you so far.
20:17
What was achieved by the command cat, just basically catting out the passwd file and cutting to the first field? Well, it will list all the users, their ids, that are present in the operating system, in the Linux operating system.
20:34
What is the second? The command grep, you know, grepping the passwd file again, but, you know, given this
20:42
other command, it will list all the super users. Most of the time this will only return root, but, you know, you could get surprised by just using this command and see if there's another super user that you can actually use to escalate privileges.
20:59
In this video we learned the concepts behind this technique, and we implemented and executed some commands to help us escalate privileges.
21:07
Supplemental materials, as always: Mastering Kali Linux for Advanced Penetration Testing, and Basic Linux Privilege Escalation from g0tmi1k. And obviously I'll also give credit to the creator of the privilege escalation checker Python script. You can take a look at the page; I already gave you the link in this video,
21:26
and, you know, you can use it to your advantage.
21:30
And looking forward, we'll cover the Windows operating system. We'll be switching from Linux to Windows. And, you know, I will not repeat all the techniques or all the questions you should ask yourself, because at the end the same questions apply to, are not the same, but most of the questions that I told you
21:48
during this Linux, this Linux privilege escalation
21:52
will apply to the Windows privilege escalation world, and I don't want to be redundant and ask you the same questions for Windows. You can actually ask yourself the same questions and Google what will be the command or what will be the technique to apply in Windows. So I will try to give you some different ideas of what to look for
22:11
in Windows specifically.
22:12
So that's it for today, folks. I hope you enjoyed the video and talk to you soon.


Instructed By

Alejandro Guinea
CERT Regional Director
Instructor