
In this course, we solve a vulnerable virtual machine called FristiLeaks in order to explore pentesting and privilege escalation techniques.


Hi. Within this lecture we're trying to finally become root with the things that we have gathered over here. So, first of all I'm going to try to see what kind of passwords these are. We gathered some passwords in the previous lecture. So far I'm admin here, so I'm going to cat the password file over here to see what kind of users we have. We know we have root, but I don't believe those passwords belong to root, because there were hints about fristigod and fristi themselves, so most probably one of them belongs to fristigod, and because we have seen this "who is your god now?" thing, that's why I thought that this belonged to fristigod. Of course, we're going to try and see. So, we have gathered this password, we have gathered this hash over here, and we decrypted it over there. So, LetThereBeFristi! should be the password of fristigod, but we don't know; we're going to try and see.

So, I'm going to copy this one and come back over here. I'm admin over there, so I'm going to run su fristigod and see what happens. It says that standard in must be a tty. So, we don't have a shell over here for some reason. I'm going to try and spawn a shell, and then we can just try and run this one more time. So, I'm going to open my notes over there, you know, the Python code that spawns a shell: import pty. I'm going to do that. Let me just try this one or this one; you can try either with bash or sh, and if one doesn't work the other might work. So, I'm going to start with sh over here. I believe we're in an sh shell, but let me try and see. Just make sure you pause the video if you don't have that already. So, I'm going to come back over here and paste this thing in. Let me paste the clipboard, here you go. Now I hit enter; it seems like it worked, and I'm admin. Let's see: su fristigod. Here you go, it asks for a password, so it worked. So, I'm going to come back here and take the password one more time.

I'm going to copy this one, come back here, paste the password in and hit enter. Here we go. Now we are presented with a bash, and if I run whoami, we are fristigod. So, this is the third user that we are in. If I run pwd, we are in /home/admin, so I'm going to go back. We cannot even run ls -la, I believe, so let me run ls -la over here. Yeah, here we go. We have the fristigod directory over here; I'm going to cd into that, and if I run ls -la, nothing seems to be here, in fact. We have .bash_logout, .profile and .bashrc, but I don't think this will do much in our case.

So, we're going to have to use our standard procedure for privilege escalation, and beware that within the next section we're going to deep dive into privilege escalation and learn a lot more techniques than we ever learnt in this course. We're going to learn them one by one. But right now I'm just going to run find / -user fristigod to see what kind of files we have access to. As we can see, there are all the permission denied messages over here, and it seems that we have a var folder. We have a fristigod folder under the var folder as well. So, this is always a good idea: to see what things we have access to. I'm going to go into that folder and run ls -la. As you can see, we have a .bash_history and a .secret_admin_stuff thingy. So, I'm going to cat this out to see what things we can do. This history thing might help in your CTFs and in real life as well. I'm going to just cat this out to see what commands have been executed by this user. As you can see, the user previously executed ls, pwd, ls -lah and cd .secret_admin_stuff, and apparently .secret_admin_stuff is a folder, and inside of that folder there is a doCom and a doCom test. So, doCom should be an executable. They have some sudo thing going on over there, so maybe doCom is some setuid binary like we have seen before. For example, over here we see sudo -u fristi.

So, running this doCom as fristi (we are not fristi, we are fristigod), it runs ls for every file on that server, and over here we see sudo -u fristi /var/fristigod/.secret_admin_stuff/doCom ls, and exit. So, there is a binary called doCom; we are certain of that, and we can execute it, and apparently we can run some different things, like we can execute this doCom as another user. I don't know if we can execute this as root or some other user, or if it will help me if I can execute this as fristi as in this case, but it's worth a shot. So, I'm going to go into that folder. I didn't know that was a folder, I thought it was a file, so I'm going to just cd into that .secret_admin_stuff. If we run ls -la, we see the doCom, and okay, so this belongs to root. So, it really doesn't matter if we run this as root or if we run this as fristi or something like that, because it already belongs to root. I believe we have a SUID permission over here. Again, in the next section we're going to talk about SUIDs in a lot more detail. We have seen this in the Bandit section; maybe you haven't understood it yet, at least the technicalities, but we're going to try and show you much more in the following section. So, let me try to run this sudo -u fristi thingy and see if we can make it run. It asks for a password. Let me give the password, and it says "Sorry, try again". I believe we couldn't actually get the password for fristigod. Let me copy this one, come back here, paste the selection and hit enter. We can run this, as you can see. For just testing purposes, I ran the sudo -u fristi doCom ls / thingy. We can run this as another user, apparently.

And in fact I really don't care about the another-user part at all, because what I have in mind is running this, executing a Python reverse shell one more time using this doCom executable. Since it belongs to root, we may get the chance to execute this as root and get a reverse shell back from the root user. That's what we did previously, and now we're going to do the same thing. At least we will attempt to do the same thing. So, I'm going to come over here to one of our tabs. I believe we have this Python reverse shell code somewhere over here, so I'm going to just try and find it. I'm going to go into my /var/www/html folder, because that's where we put the Python file. Yeah, here you go, that's the thing that I'm looking for. I'm going to nano into that, and I'm going to see: my IP is correct, but I'm going to change the port because we're already using that. I'm going to just make it 3333. I'm going to download this, so I'm going to start my Apache server. I'm going to download this from my Apache server and put it in a folder where I can just reach it, so that I can execute it with doCom. So, I'm inside of .secret_admin_stuff. Let me try to just download it over here; if it doesn't work, I'm going to go into /tmp and do the same thing. So, let me try and hit enter. Yeah, here you go, it worked. So, I have the Python shell over here. By using doCom now, I'm just going to do this thing over here. I'm going to try and run the exact same command, but rather than ls I'm going to, of course, try and run the Python file that we have downloaded over here with doCom. Whether we choose fristi as a user over here or not, I don't believe it's going to make a difference, but I'm just going to try this. So, I'm going to run /usr/bin/python, I know it exists because we have seen that before, and I'm going to type /var, and there we are, yeah, fristi...

So, fristigod and .secret_admin_stuff, and finally the... So, let's try and see if we can do this. It will run the doCom executable, so that we will get the chance to execute this with Python as the root user. I don't know if this will work or not, but we're going to see. So, I'm going to listen on port 3333 over here, let me come back and hit enter, and let's see. Did it work or not? Here we go, we have an sh shell. If I run whoami, we are finally root. Let me run pwd; yup, we are in .secret_admin_stuff. So, I'm going to go back, and let me run pwd, yeah. We are root, so I'm going to cd into the root folder and run ls -la. Here you go: fristileaks_secrets.txt. You can cat that and get your precious flag over here. So, here we go: congratulations on beating FristiLeaks. This is our flag.

As you can see, it took a lot more to actually escalate our privileges than to actually hack into the server. So, I believe this was a good gate, a good bridge, on our way into the privilege escalation section, because we're going to deep dive into them in the next section. The purpose of this CTF was to give you an idea about how hard privilege escalation can get during CTFs and during real pen testing. We're going to deal with those in the upcoming section, which is privilege escalation.
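The enumeration steps from this lecture (spawning a tty, find / -user, reading .bash_history, spotting a setuid binary) as a small POSIX shell script. This is an added example, not code from the course or from the FristiLeaks VM; the directory and user names are arguments, and the demo tree it builds under mktemp is constructed on the spot so the script runs offline on any Linux box.

```sh
#!/bin/sh
# Added example, not from the course: the post-foothold enumeration steps used in
# this lecture as reusable functions. Paths and user names are arguments, so nothing
# here is tied to the FristiLeaks box; run them against a test tree you build yourself.

# Step 1: the one-liner to paste into a dumb reverse shell so that su/sudo get a tty
# (without it, su fails with "standard in must be a tty"). Swap /bin/sh for /bin/bash
# if sh is missing on the target.
spawn_tty_cmd() {
    printf '%s\n' "python -c 'import pty; pty.spawn(\"/bin/sh\")'"
}

# Step 2: everything owned by a user below a directory (the "find / -user" step).
# Permission-denied noise on stderr is discarded so only real hits remain.
files_owned_by() {   # usage: files_owned_by <user> <dir>
    find "$2" -user "$1" 2>/dev/null | sort
}

# Step 3: shell history of a home directory; this is how the doCom invocation was found.
history_of() {   # usage: history_of <home-dir>
    [ -r "$1/.bash_history" ] && cat "$1/.bash_history"
}

# Step 4: setuid files below a directory. -perm -4000 matches the setuid bit no
# matter what the other mode bits are. A hit is only interesting if the owner is
# root (check with ls -la); a setuid binary owned by an unprivileged user gives
# nothing more than that user's own rights.
suid_binaries_under() {   # usage: suid_binaries_under <dir>
    find "$1" -type f -perm -4000 2>/dev/null | sort
}

# Demo on a constructed tree (not real system files): a hidden admin directory with
# a setuid "doCom" stub and a history file pointing at it, like the layout in the lecture.
demo_tree() {
    d=$(mktemp -d)
    mkdir -p "$d/.secret_admin_stuff"
    printf '#!/bin/sh\n' > "$d/.secret_admin_stuff/doCom"
    chmod 4755 "$d/.secret_admin_stuff/doCom"
    printf 'ls -lah\ncd .secret_admin_stuff\n' > "$d/.bash_history"
    printf '%s\n' "$d"
}

if [ "${1:-}" = "demo" ]; then
    tree=$(demo_tree)
    echo "== tty spawn ==";  spawn_tty_cmd
    echo "== history ==";    history_of "$tree"
    echo "== setuid ==";     suid_binaries_under "$tree"
    echo "== owned by $(id -un) =="; files_owned_by "$(id -un)" "$tree"
    rm -rf "$tree"
fi
```

Run it as `sh enum.sh demo` to see the four steps against the constructed tree, or source the file and call the functions against real paths (`suid_binaries_under /`, `files_owned_by fristigod /`). On a real target the setuid hit still has to be owned by root and has to run an attacker-chosen command before it is worth anything; the lecture's doCom satisfied both, which is why a Python reverse shell passed to it came back as root.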


About the Author

Atil is an instructor at Bogazici University, where he graduated back in 2010. He is also co-founder of Academy Club, which provides training, and Pera Games, which operates in the mobile gaming industry.