Time
14 hours 43 minutes
Difficulty
Advanced
CEU/CPE
15

Video Transcription

00:00
Hello, everybody. Welcome to episode number 45 of the Penetration Testing course, module Privilege Escalation. My name is Alejandro Guinea, and I'll be the instructor for today's session. The learning objective of the session is to understand the main steps you need to follow during the penetration testing process
00:18
and apply techniques to successfully perform
00:22
a penetration test. So let's get down to business, shall we?
00:26
From the previous session, we got a low-privilege reverse shell. So we already have access to the system,
00:35
so, yeah, you can start by applying all the techniques we have seen so far to escalate privileges. Remember, there was a dedicated module for Linux privilege escalation. The point is that, you know,
00:51
for the sake of simplicity in this case, I'm just going to use a really famous privilege escalation Python script, which, you know, automates these
01:02
information-gathering techniques, and we can, you know, check the script results and see if we can find something useful. So let me just move to a folder I know we can actually use for this.
01:19
Ah, you know, ls, and just, remember that we already executed and downloaded this command. So if you have any questions, you can always go back to the previous session, and then the .py script.
01:32
And, you know, it's there. So just execute it.
01:36
By the way, these shells are sometimes unstable, so the output might not, you know,
01:42
might not fit in the reverse shell you have. Or maybe you will get results that don't make sense, you know, encoding might fail, stuff like that; they're really unstable. And, you know, we can start by checking basic information like the kernel information. We can maybe try to find
02:00
exploits for that. Like, for example,
02:02
maybe go here and copy this to the really famous
02:08
Exploit DB
02:10
and see if we can find something
02:14
in that. You know, we just copied the version. We might end up finding a lot of stuff that doesn't make sense for us, but interesting things like kernel exploits and stuff like that. It's not, you know, worth trying every result; maybe typing "kernel 4"
02:32
or "kernel 4.",
02:35
and we might, you know, "kernel", and we might, you know, try to use these exploits to escalate privileges. And, you know, other information I will pass through really fast; at the end, you know,
02:49
you can pause the video and check for information in there. So, interfaces: nothing to see here. The processes, the services running here, the routes, the mount results,
03:00
ah, the fstab results, the cron jobs. Maybe something here. This looks interesting, for example, here. Same thing, you know, we can manually check all of this, and you should. I'm trying to give you all the ideas of things you have to do
03:21
to escalate privileges.
03:23
Um, you know, the logged-in users, the superusers, the environment, you know, all the users present in the passwd file, whoami at this point, world-writable directories. You know, remember that we saw the sticky bit that we can actually use to escalate privileges.
03:43
Uh, for example,
03:45
we can try to take a look at all of this, like,
03:51
for example, let's quickly check if something pops out,
03:57
you know, seems different.
03:59
Ah, this seems different.
04:00
Can I actually take a look at this?
04:03
Okay, let me just copy that out so we can actually take a look at this later. At the end, I want to glance at the entire output, but
04:15
okay, let me take a look. That particular look, this seems interesting as well. Do you know what this command is used for? The chsh command, you know, which is just short for change shell, is a command that is used to change the login shell. The user can either supply a path name, or you can just,
04:34
you know, call the command as it is.
04:36
And, you know, you should change the shell. So that seems interesting as well. I'm just copying that for later use. As I told you at the beginning of this module, you'll have to take a note of every step you performed, every command, every result. You know, because at the end, if you don't do that, when you're trying to
04:56
prepare your report and show it to the customer, it will not make sense. So you may not look that professional.
05:03
Ah,
05:05
traces or logs with passwords inside: you know, nothing interesting here. And, yeah, this seems like an overwhelming amount of information. Yeah, and I get that. You know, maybe your first penetration test will be like that. You, you know, get overwhelmed
05:24
with all the information. But, you know, with time you learn to see
05:27
what information might be useful and what information is just leading you into the rabbit hole. So, yeah, this seems interesting. At the end, from seeing a lot of systems, maybe you get to learn what are the common
05:44
installed packages in a system and which are not so common, so that you can actually take a closer look at those. As you can see, there's a lot of packages. And here, let me just speed things up a little bit. Uh, the current processes running.
05:58
Let me see if something's interesting here.
06:00
It doesn't seem like it's super interesting.
06:05
Yeah,
06:06
everything seems in order. I mean, when I saw this tmux,
06:11
okay, this might be interesting. Let me just copy-paste that for later.
06:15
Okay, that seems like an interesting thing.
06:18
Let me go here. You go here, here. Okay, everything seems in order. That tmux seems interesting. Apache stuff, we really, uh, no.
06:29
Got that. And that's actually how we, actually, that was our way into the system. So I will not waste time on that. And, you know, again, normal stuff. There's vi
06:42
here; we have vim.
06:44
Yeah, we have vim. That might be interesting as well. Vim has a cool feature, well, it depends on who you ask; well, it lets you execute commands. So it's listed in tools related to escaping shells. Um,
07:02
so, yeah, that might be interesting; you might be interested in that. And finally, you can actually start by, you know, maybe checking the exploits. For example, let me just copy-paste this for the sake of example and go here
07:19
and, you know, get the exploit and see if I can execute it. I don't know if you saw this, but I remember, you know, seeing GCC in the installed packages, so we can try to actually download this and execute it. You can try with all of these. And at the end,
07:38
here is, I have kind of a problem with this approach. Sometimes it works, sometimes it doesn't, like any other technique in privilege escalation. The problem with these exploits is that you will waste a lot of time trying to modify the exploit, because most of the time these exploits will not work out of the box.
07:57
You will have to make modifications. So if you're a developer, you can understand that
08:01
creating your own code is hard, but trying to understand someone else's code is even, you know, hell. So you will have to understand someone else's code. And on top of that, not all of these exploits will work in all environments.
08:20
For example, this might be saying that it will work in this environment, but maybe GCC,
08:24
yeah, GCC is not installed, or maybe it's installed but it doesn't contain the right packages. And since we're not administrators or root, we cannot install the packages, for example. So not only will you have to go through hell to modify the exploit, the exploit might not even work
08:43
because, you know, the system has, you know, you will have to install something different in this system,
08:48
or maybe the current version is not exactly the one that's vulnerable to this exploit. So, yeah, you can try. I mean, I'm not saying that you shouldn't try, but just be aware of that.
09:01
Uh,
09:03
in this case, let's enumerate, and remember that we saw the chsh command. Let's see if I can actually get some results from that. So chsh, oops, -s, and let me just point to the
09:18
/bin/bash location.
09:20
No, no, it doesn't work. Let me see, if I recall, checking, uh, you know, that
09:28
there was a user named waldo.
09:30
Oh,
09:31
yeah. The reason, a world famous, if
09:35
I can actually get some results from that.
09:41
Nope.
09:43
You may not change the shell for waldo. So it's not working. Uh, you know, we can actually try to cat the keys and see if we can actually
09:52
see if this will work,
09:56
and, you know, it will work. So we can even try to modify the SSH configuration file to accept these keys and log in instead of the password. But again, you know, it seems like a bit of a stretch, because, you know, you'll be in a real penetration test and you will have to test all these techniques
10:15
by themselves and maybe waste two, or maybe one, days
10:18
on something that you thought was going to work, but it didn't work. But don't get frustrated, that's just part of the process. So, as you can imagine, yeah, it will be difficult, but, yeah, don't lose hope. Let me just enumerate the iptables. Just copy the command.
10:37
Copy-paste.
10:39
And
10:41
as you can see, that's why we were, you know, getting the results we saw as filtered. Let me just nmap again, here, -p, and what was the port?
10:52
Uh,
10:54
for the port for this, for the Internet Relay Chat service. I recall that was a really, really long port and a strange port at the end. So let me see if I can find it out here in my notes. Remember, that's why you have to take notes,
11:11
because at the end, this is where, you know, the notes come in handy
11:16
for you.
11:16
So IRC, let's see, seems like, doesn't seem like,
11:22
okay, I found it.
11:24
Let me just copy-paste that
11:28
here, port, oops,
11:30
space,
11:31
and
11:33
just
11:35
transfer, ah,
11:37
scan it. And it's filtered. So let me change that rule from, you know, uh,
11:43
filtered to open, because at the end the rule clearly says that when the source is anywhere, drop
11:52
the connection. So let me change that
11:54
with this simple rule. Let me just copy-paste it,
11:58
and paste.
12:01
And if I go here, if I go with my old command to list the rules
12:07
again,
12:09
you will see that it will now accept
12:11
from anywhere. So if I go here again, if I scan it, it says it's open. So this seems like a win for us. So, you know, with the IRC service open, you know, Internet Relay Chat, you can use tools like irssi.
12:28
Uh, this is not installed by default, so you have to install it. So let me just,
12:33
you know, show you the command. Really simple, man:
12:35
install irssi.
12:37
Um,
12:39
as I already have it installed. But, you know, that's the command. So let me just fire up that command, irssi,
12:46
uh,
12:48
and connect to the server.
12:54
You know what? Waldo's server. That's fun.
12:58
Ah, you know, maybe list all the chats.
13:03
Okay, well, waldo's
13:03
chat seems like something I can actually use, so I'm joining that.
13:09
Well, uh, waldo's chat
13:11
and three users: waldo, root and one of his bots.
13:16
So maybe close this connection.
13:18
I like to do it this way. I don't know why the irssi client is not really stable, you know; I personally like to drop the connection every now and then so we can actually get fresh connections. I haven't gotten to the bottom of why I get such unstable connections or behavior.
13:39
You know,
13:39
I don't mind going through this connection process
13:43
every now and then.
13:46
So again, I just connect. And, you know, as we saw inside waldo's chat channel, you know, the user waldo and waldo's bot were present. So let me just do /whois waldo,
14:01
and, you know, it seems like a normal user. And maybe /whois
14:09
on, uh, waldo's
14:11
bot,
14:13
and
14:16
yeah, seems like a normal user. Oh, it uses Sopel. Okay, that's interesting. Sopel is a framework. Let me just
14:26
go to this link
14:28
and show you.
14:31
You know, a simple, easy-to-use, open-source IRC utility bot, written in Python. So, yeah, we can, you know, see if we can do something with that. Uh, you know, Sopel, you know,
14:43
looking
14:43
at the server. Let me just go back to the server again and just cd. All of the commands and, you know, scripts and folders that I access right now, they all, ah, came from actually running, really slowly, and checking really slowly,
15:03
the
15:05
Python privilege escalation script that we ran earlier in this video. So, yeah, you will have to take a closer look at the results from that script.
15:16
Well, I just paste here,
15:18
and we'll have Sopel here, so it will be useful. So let me just cd to that,
15:24
cd to waldo,
15:28
cd to Sopel.
15:31
Ah, ls, ls.
15:33
And, you know, modules. Maybe we can actually cat this out
15:37
to see what's inside.
15:41
Remember, uh,
15:43
you will have to perform all of this enumeration before and after your privilege escalation. Maybe this isn't useful right now, but it might prove to be useful later in the process, maybe when trying to move to another machine or something. So you should definitely write everything down. So, yeah,
16:03
so let's cd to change to the modules folder.
16:07
Ah, and, you know, there's a Python script. So let's see what's inside.
16:12
Ah, it seems that this script can be executed only if you are waldo. Um,
16:18
and, you know, also from the privilege escalation Python script, there's another script in waldo's home. So let me just copy-paste that. And I'm copy-pasting all the commands because at the end these shells are not quite stable. So if I, you know, make a mistake, like try to go backwards or something like that,
16:40
you might end up failing.
16:41
So, yeah, we have this, and then just cat this out:
16:45
irssi, I would say,
16:48
and boom. Remember that we saw tmux again in the Python privilege escalation script. Here we know that waldo is using tmux for the IRC
17:02
service. So, you know, this is not like a smart approach, because if the tmux
17:08
process goes down, the IRC connection will go down as well. So remember that we saw that, well, I'm sorry, we were able to execute vim.
17:22
It seems we have access to vim. We can actually execute commands from there. So, yeah, we can just find out what's the process ID with ps, and as you can see it is 4, uh, just copy that, 4, 548, I'm sorry.
17:40
548.
17:41
Let me just
17:42
go back and paste that here so I can actually enter it later. Interactive tty process. So let me just spawn a tty shell, because otherwise I would not be able to use vim. And as you will see right now, if I type
18:03
whoami, I'm still www-data, but, you know, I get a really cool tty shell
18:11
now. We just have to open a vim file, like the one that I know I have permissions to, again from executing the Python privilege escalation
18:23
script.
18:25
I just go here and I type that, and I'm inside vim now. To execute commands inside vim, uh, I just have to, ah, type Escape, Escape, as you can see, then, uh, to actually execute, I will have to type... Pay close attention to the
18:42
upper left corner
18:45
of the screen so you don't miss any detail here. So I just type kill,
18:51
oops, and then the process,
18:53
kill, and then the process that I, you know, wrote down.
18:59
I have it written down here: 548.
19:03
And that should do the work. Enter. It asks to press Enter or type a command to continue. Enter. And it seems that it already worked. So let me just quit here again. Escape, just to quit
19:18
the vim editor. Escape,
19:21
:q.
19:23
Yeah, I'm out. So if I type ps,
19:26
it seems that, remember that we saw the process here before. Let me see if I can actually still check it out. Yeah, ps shows the process is not running anymore. So it seems like a win for us.
19:38
Ah,
19:40
okay.
19:41
And we can actually, now that waldo is not in this chat anymore, we can try to actually connect and, you know, take over waldo's identity. So let me just type /nick
19:56
waldo,
19:57
and "You are now known as waldo". So it seems like we took over waldo's identity. So that seems like a win to me. So, you see, for example, a quick Google search gave me the idea to actually
20:15
throw a reverse shell from this IRC client. And, you know, this is not like a strange command; this command we already saw before. It's actually a command we used to send a low-privilege reverse shell back to us, um,
20:36
when we were trying to,
20:37
well, when we were doing the exploitation.
20:42
So I'm just opening a new port, like nc
20:45
dash, oops,
20:48
dash n, 55555. And let me just run this command here
20:56
and, you know, just run it
21:00
and see if it works.
21:02
It's not working for some reason. So
21:03
maybe,
21:06
whoops,
21:08
maybe joining the chat.
21:14
Well, let me just try again. By the way, I'm not editing anything from these videos, so you can actually, uh,
21:21
take a look at how these things work and sometimes fail. Like, for example, I tried here in the general channel; now I'm just trying it from waldo's
21:30
chat,
21:32
uh, you know,
21:34
and, you know,
21:37
pasting here and pressing Enter. It seems that waldo's bot ran this, and, let me see, in the terminal right now I'm waldo. So, whoami.
21:52
Well, okay, that's amazing, right? And, you know, it seems from executing the privilege escalation file, I know that this is a kind of administrator or root
22:03
command, so I just type sudo -l.
22:08
And whoami,
22:11
or sudo -i,
22:15
sudo.
22:18
Oops, sudo -l, sorry. And it tells me the permissions that I have. It seems I have all the permissions, so I just type sudo su.
22:30
And whoami, and boom, I'm root.
22:41
So, what is the command chsh? I told you this command is just short for change shell, and basically it's just the command used for changing the shell: where the shell is located and, you know,
22:56
how you log into the shell.
22:59
iptables -L just lists the current rules of the firewall.
23:06
In this video, we learned one important step you have to perform during your penetration testing process, and we applied some techniques that will help you, or help us, perform a pentest successfully.
23:18
Supplemental materials, again: Advanced Penetration Testing: Hacking the World's Most Secure Networks. And looking forward, in the next video we'll cover the final session of this course: reporting and next steps after your penetration test. Well, that's it for today, folks. I hope you enjoyed the video, and talk to you soon.

Up Next

Offensive Penetration Testing

This is a deep course about penetration testing. In this course, you'll learn everything from basic to the most advanced and modern techniques to find vulnerabilities through information gathering, create and/or use exploits, and escalate privileges in order to test your information systems' defenses.

Instructed By

Alejandro Guinea
CERT Regional Director
Instructor