Hello, everybody. Welcome to episode number 45 of the Penetration Testing Simulation module, Privilege Escalation. My name is Alejandro Gina, and I'll be the instructor for today's session. The learning objectives of the session are to understand the main steps you need to follow during the penetration testing process and to apply techniques to successfully perform a penetration test. So let's get down to business, shall we?
From the previous session, we got a low-privilege reverse shell, so we already have access to the system. So you can start by applying all the techniques we have seen so far to escalate privileges. Remember, there was a dedicated module for Linux privilege escalation. The point is that, for the sake of simplicity, in this case I'm just going to use a really famous privilege escalation Python script, which automates these information gathering techniques. We can check the script results and see if we can find something useful. So let me just move to a folder I know we can actually use for this. Run `ls`, and remember that we already downloaded and executed this earlier, so if you have any questions you can always go back to the previous session. There is the .py script, and you know it's there, so just execute it.
By the way, these shells are sometimes unstable, so the output might not fit in the reverse shell you have, or maybe you will get results that don't make sense; the encoding might fail, stuff like that. They're really unstable. We can start by checking basic information like the kernel information. We can maybe try to find exploits for it. For example, maybe go here and copy this into the really famous exploit search and see if we can find gold in there. Since we just copied the version, we might end up finding a lot of stuff that doesn't make sense for us, but it is interesting: distinct kernels, exploits, certifications and stuff like that. It doesn't hurt to try any of these results, maybe by typing "kernel". We might try to use these exploits to escalate privileges. The other information I will pass through really fast; at the end, you can pause the video and check the information in there. So, interfaces: nothing to see here. The processes, the services running, the routes, the mount results, the fstab results, the cron jobs. Maybe something here; this looks interesting, for example, here. Same thing. We can manually check all of this, and you should. I'm trying to give you all the ideas of things you have to do to escalate privileges.
The logged-in users, the super users, the environment, all the users present in the passwd file, `whoami` at this point, world-readable directories. Remember that we saw the sticky bit that we can actually use to escalate privileges. We can try to take a look at all of this. For example, let's quickly check if something pops up, something that seems different. This seems different. Can I actually take a look at this? Okay, let me just copy it out so we can look at it later. At the end I want to glance at the entire output, but
okay, let me take a look at this particular one. This seems interesting as well. Do you know what this command is used for? The `chsh` command, which is just short for "change shell", is a command that is used to change the login shell. The user can either supply a path name, or you can just call the command as it is, and it should change the shell. So that seems interesting as well; I'm just copying that for later use. As I told you at the beginning of this module, you'll have to take a note of every step you perform, every command, every result, because at the end, if you don't do that, when you're trying to prepare your report and show it to the customer it will not make sense, and you may not look that professional.
Traces or logs with passwords inside: nothing interesting here. And yeah, this seems like an overwhelming amount of information, and I get that. Maybe your first penetration test will be like that; you get overwhelmed with all the information. But with time you learn to see what information might be useful and what information is just leading you into a rabbit hole. So, yeah, this seems interesting. At the end, from seeing a lot of systems, maybe you get to learn what the common installed packages on a system are and which ones are not so common, so that you can take a closer look at those. As you can see, there are a lot of packages. And here, let me just speed things up a little bit. The current processes running.
Let me see if something's interesting here. It doesn't seem super interesting; everything seems in order. I mean, when I see this... tmux. Okay, this might be interesting. Let me just copy-paste that for later. Okay, that seems like an interesting thing. Let's go here, and here. Okay, everything seems in order. That tmux seems interesting. Apache stuff: we already got that, and that's actually how we got into the system, so I will not waste time on that. And again, normal stuff; there's vi,
yeah, we have vim. That might be interesting as well. Vim has a cool feature, well, it depends on who you ask: it lets you execute commands. So, as I was saying, it's one of the tools related to escaping shells. So yeah, that might be interesting. And finally, you can actually start by, for example, checking the exploits. Let me just copy-paste this one for the sake of example, go here, get the exploit and see if I can execute it. I don't know if you saw this, but I remember seeing GCC in the installed packages, so we can try to actually download this and execute it. You can try with all of these. And at the end,
here is the problem I have with this approach: sometimes it works, sometimes it doesn't, like any other technique for escalating privileges. The problem with these exploits is that you will waste a lot of time trying to modify the exploit, because most of the time these exploits will not work out of the box. You will have to make modifications. If you're a developer, you can understand that creating your own code is hard, but trying to understand someone else's code is even worse, and you will have to understand someone else's code. And on top of that, not all these exploits will work in all environments. For example, this one might say that it will work in this environment, but maybe GCC... yeah, GCC is not installed, or maybe it's installed but it doesn't contain the right packages, and since we're not administrators or root we cannot install the packages, for example. So not only will you have to go through hell to modify the exploit, the exploit might not even work because the system would need something different installed, or maybe the current version is not exactly the one that is vulnerable to this exploit. You can try; I'm not saying that you shouldn't try, but just be aware of that.
In this case, let's enumerate, and remember that we saw the `chsh` command. Let's see if I can actually get some results from that: `chsh` with `-s`, and let me just point it to the bash location. No, it doesn't work. Let me see; I recall checking that there was a user named Waldo. Yeah, the user is Waldo. Let me see if I can actually get some results from that. You may not change the shell for Waldo, so it's not working. We can actually try to cat the keys to see if we can actually
see if this will work, and it will work. So we can even try to modify the SSH configuration file to accept these keys as a login method instead of the password. But again, it seems like a bit of a stretch, because in a real penetration test you will have to test all these techniques by themselves and maybe waste one or two days on something that you thought was going to work but didn't. Don't get frustrated; that's just part of the process. So, as you can imagine, yeah, it will be difficult, but don't lose hope. Let me just enumerate the iptables; just copy-paste the command.
As you can see, that's why we were getting the results we saw as filtered. Let me just run nmap again here with `-p`. And what was the port for the Internet Relay Chat service? I recall it was a really long and strange port at the end. So let me see if I can find it here in my notes. Remember that you have to take notes, because at the end this is where the notes come in handy.
So the IRC listener... it doesn't seem like... Let me copy-paste that and scan it, and it's filtered. So let me change that rule from filtered to open, because at the end the rule clearly says that when the source is anywhere, drop the connection. So let me change that with this simple rule; let me just copy-paste it. And if I go here with my old command to list the rules, you will see that it will now accept from anywhere. So if I go here again and scan it, it says it is open. So this seems like a win for us. With the IRC service, Internet Relay Chat, open, you can use tools like irssi;
this is not installed by default, so you have to install it. Let me just show you the install command; it's really simple. I already have it installed, but you know the drill. So let me just fire up irssi and connect to the server.
You know what, all of this on the server... that's fun. Maybe list all the chats. This chat seems like something I can actually use, so I'm joining that. Well, this chat has three users: Waldo, root, and one of his bots. So maybe close this connection. I like to do it this way. I don't know why the irssi client is not really stable; I personally like to drop the connection every now and then so we can actually get fresh connections. I haven't gotten to the bottom of why I get such unstable connections or behaviour. I don't mind doing this and repeating the process.
So again I just connect, and as we saw inside Waldo's chat channel, the users Waldo and the bot were present. So let me just send `whois Waldo`, and the server says idle; it seems like a normal user. And maybe `whois` the bot: yeah, it seems like a normal user... oh, no, it uses Sopel. Okay, that's interesting. Sopel is a framework; let me just look it up: "a simple, easy to use, open source IRC utility bot written in Python". So yeah, we can see if we can do something with that Sopel server.
Let me just go back to the server again and `cd` there. By the way, a lot of the commands, scripts and folders I'm accessing right now all came from actually running the Python privilege escalation script that we ran earlier in this video, so you will have to take a closer look at the results from that script. I just paste here, and we have Sopel here, so it will be useful. So let me just `cd` into that, `ls` the shell, and modules. Maybe we can `cat` this out to see what's inside.
You will have to perform all of this enumeration before and after your privilege escalation. Maybe this isn't useful right now, but it might prove to be useful later in the process, maybe when trying to move to another machine or something, so you should definitely write everything down. So let's `cd` to change to the modules folder, and there's a Python script, so let's see what's inside. It seems that this script can be executed only if you are Waldo. And also from the privilege escalation Python script, there's another script in Waldo's home. So let me just copy-paste that. I'm copy-pasting all the commands because at the end these shells are not quite stable, so if I make a mistake, like trying to go backwards or something like that, I might end up failing. So we have this, and let's just `cat` this out.
And boom, remember that we saw tmux again in the Python privilege escalation script; here we know that Waldo is using tmux for the IRC service. This is not a smart approach, because if the tmux process goes down, the IRC connection will go down as well. And remember that we saw we were able to execute vim. It seems we have access to vim, and we can actually execute commands from it. So we can find out what the process is with `who`, and as you can see it is 548. Let me just copy that, 548, go back and note it here so I can actually enter it later to interrupt that process. Let me just spawn a pty shell, because otherwise I would not be able to use vim. And as you will see right now, if I type `whoami`, I'm still www-data, but I get a really cool pty shell.
Now we just have to open a file in vim, like the one that I know I have permissions to, again from executing the Python privilege escalation script. I just go here and type that and I'm inside vim now. To execute commands inside vim, I just have to type Escape and then `:!`, as you can see, to actually execute. Let me get a bit closer to the screen so you don't miss any detail here. So I just type `:!kill` and then the process ID that I wrote down here, 548. And that should do the work. Enter; it asks you to type a command to continue, so Enter. And it seems that it already worked. So let me just quit here again, Escape, `:q` to quit the vim editor. Yeah, I'm out. So if I type `who`... remember that we saw the process here before; let me see if I can still check it out. Yeah, `who` shows the process is not running anymore. So it seems like a win for us.
And now that Waldo is not in this chat anymore, we can try to connect and take over Waldo's identity. So let me just type `/nick Waldo`, and: "You are now known as Waldo". So it seems we took over Waldo's identity. That seems like a win to me. So, for example, a quick Google search gave me the idea to actually throw a reverse shell from this IRC client. This is not a strange command; I mentioned it already. It's actually the command we used to send a low-privilege reverse shell back to us when we were doing the exploitation.
So I'm just opening a new port with netcat, on port 5555, and let me just run this command here. It's not working for some reason. So maybe joining the chat. Well, let me just try again. By the way, I'm not editing anything out of these videos, so you can actually take a look at how these things work and how they sometimes fail. For example, I tried here in the general channel; now I'm just trying it from Waldo's chat, pasting it here and sending it. It seems that Waldo runs this. Let me see: there is a shell in there right now. I'm Waldo. So, `whoami`.
Well, okay, that's amazing, right? And from executing the privilege escalation file, I know that this user has some kind of administrator or root command, so I just type `sudo -l`. Oops, `sudo -l`, sorry. And it tells me the permissions that I have; it seems I have all the permissions. So I just type `sudo su`. And `whoami`: boom, I'm root.
So, what were the commands? `chsh`, as I told you, is just short for "change shell"; it's basically a command used for changing the shell, where the shell is located, and how you log into the shell. `iptables -L` just lists the current rules of the firewall.
In this video we learned one important step you have to perform during your penetration testing process, and we applied some techniques that will help us perform a pentest successfully. Supplemental materials, again: Advanced Penetration Testing: Hacking the World's Most Secure Networks. And looking forward, the next video will cover the final session of this course: reporting and next steps after your penetration test. Well, that's it for today, folks. I hope you enjoyed the video, and talk to you soon.
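As an added example (not part of the lecture or its privilege escalation script), the following Python helper parses the kind of raw enumeration output the session walks through by eye, the passwd file, a `ps` listing and `iptables -L -n`, into structured results, so login-capable users, a target user's tmux or irssi processes, and DROP rules that explain a "filtered" nmap result stand out from the wall of text. All sample inputs are constructed for this example; the user name, PID, port and command lines are made up and not captured from any real host.

```python
"""Added example: turn raw enumeration output into structured findings.

Parses /etc/passwd text, a `ps -eo pid,user,cmd` listing and `iptables -L -n`
output, and reports the items a privilege escalation triage cares about.
Every sample below is constructed for this example (not from a real target).
"""
from __future__ import annotations

import re
from dataclasses import dataclass

# Shells that mean "this account cannot log in interactively".
NOLOGIN_SHELLS = {"/usr/sbin/nologin", "/sbin/nologin", "/bin/false", "/usr/bin/false"}


@dataclass
class Proc:
    pid: int
    user: str
    cmd: str


def login_users(passwd_text: str) -> list[tuple[str, int, str]]:
    """Return (name, uid, shell) for every passwd entry with a usable login shell."""
    users = []
    for line in passwd_text.splitlines():
        fields = line.split(":")
        if len(fields) != 7 or line.startswith("#"):
            continue  # skip blanks, comments and malformed lines
        name, _pw, uid, _gid, _gecos, _home, shell = fields
        if shell not in NOLOGIN_SHELLS:
            users.append((name, int(uid), shell))
    return users


def parse_ps(ps_text: str) -> list[Proc]:
    """Parse `ps -eo pid,user,cmd` output (header line first) into Proc records."""
    procs = []
    for line in ps_text.strip().splitlines()[1:]:
        parts = line.split(None, 2)  # the command may contain spaces; keep it whole
        if len(parts) == 3 and parts[0].isdigit():
            procs.append(Proc(int(parts[0]), parts[1], parts[2]))
    return procs


def sessions_of(procs: list[Proc], user: str, keyword: str) -> list[Proc]:
    """Processes owned by `user` whose command line mentions `keyword` (tmux, irssi, ...)."""
    return [p for p in procs if p.user == user and keyword in p.cmd.lower()]


def firewall_drops(iptables_text: str) -> list[tuple[str, str, int | None]]:
    """From `iptables -L -n` output return (chain, proto, dport) for each DROP rule.

    A DROP on a port that nmap reported as "filtered" explains that scan result.
    """
    drops = []
    chain = None
    for line in iptables_text.splitlines():
        header = re.match(r"Chain (\S+)", line)
        if header:
            chain = header.group(1)
            continue
        parts = line.split()
        if len(parts) >= 5 and parts[0] == "DROP":
            port = re.search(r"dpt:(\d+)", line)
            drops.append((chain, parts[1], int(port.group(1)) if port else None))
    return drops


# Constructed sample data; names, PID 548, port 6697 and paths are invented.
SAMPLE_PASSWD = """root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
www-data:x:33:33:www-data:/var/www:/usr/sbin/nologin
waldo:x:1000:1000:Waldo:/home/waldo:/bin/bash
"""

SAMPLE_PS = """  PID USER     CMD
    1 root     /sbin/init
  548 waldo    tmux new-session -d -s irc
  562 waldo    irssi
  801 www-data /usr/sbin/apache2 -k start
"""

SAMPLE_IPTABLES = """Chain INPUT (policy ACCEPT)
target     prot opt source               destination
ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0
DROP       tcp  --  0.0.0.0/0            0.0.0.0/0            tcp dpt:6697

Chain FORWARD (policy ACCEPT)
target     prot opt source               destination
"""


def triage() -> dict:
    """Run every parser over the samples and return the findings as one dict."""
    procs = parse_ps(SAMPLE_PS)
    return {
        "login_users": [u[0] for u in login_users(SAMPLE_PASSWD)],
        "waldo_tmux_pids": [p.pid for p in sessions_of(procs, "waldo", "tmux")],
        "drops": firewall_drops(SAMPLE_IPTABLES),
    }


if __name__ == "__main__":
    for key, value in triage().items():
        print(f"{key}: {value}")
```

The point of keeping each parser separate is that on a real engagement you paste whatever the unstable shell gave you into the matching function and keep the structured result in your notes, rather than scrolling back through the script output each time you need the PID or the port again.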