
Gathering More Information



1h 7m

This course will walk you through how to solve a number of tasks as part of a capture-the-flag (CTF) game called Wakanda. You will learn the necessary skills to excel in penetration testing and privilege escalation.


Hi. Now we completed our gaining access, okay?

So we are one step ahead, and now we're going to see who we are and what we can do. And what we can do to actually leverage our privilege escalation techniques or escalate our privilege in a way, so that we can be root in this CTF. Now as you can see, I'm in the server but I cannot even type 'ls' and it says that 'ls' is not defined. So, it's not good. Let me try 'whoami,' and here you go. I cannot even run 'whoami' which is not good at all. So we don't have a shell over here, okay? We are in the system somehow, but we don't have a shell. We cannot actually run any commands, like any Linux commands actually in order to see who we are or what we can do. Let me try to define my name, okay? And let me try to print 'myName'. Here you go. It works. I believe this is a Python shell, and as you can see it says so over here it's a Python shell, it's Python 2.7.9. So, we are in a situation that we can run Python commands in the server that we hacked, but it's not a shell. Again, now, if you know how to create shells with Python, it's very good. If you don't know, I'm going to show you how it's done. So, I have a file. Let me find it. I use it like taking a note, like for the most generally used, most common used commands in my CTF. So, okay? So, I suggest you do the same thing as well. So, let me find then you will see what I mean. I'm going to find it over here. Here you go. It's called CTF challenge. And these are the common commands that I use during CTFs. As you can see, there are a lot of things over here. And there is a way to spawn a shell to Python. So, in order to do that, we're going to use python -c 'import pty; which is a library, okay? So, Python library. And over here we're going to call the pty, and say spawn("/bin/bash")' or spawn("/bin/sh")'. So, whether we get sh shell or bash shell, it will be great for us. So, of course, I'm going to go with the bash first and if it doesn't work, I'm going to go with the sh shell.
So, let me come over here since we are still in Python, we can just write this like that, okay? import pty; and pty.spawn("/bin/bash"). All you have to do is just write this, okay?

So here you go, now we have the shell. We exited out of this one and I can clear it and I can run 'whoami.' Here you are. So, I'm Mamadou, and for the id I belong to my own group, I believe. It doesn't seem like I have the administrative privileges like root privileges over here. But of course, we're going to try. So, if you run 'ls' you can see we get the first flag. So, I'm going to cat this out and here you go. I'm not even going to bother with submitting this flag to anywhere, but I'm just going to make note of it, okay? Since we're keeping notes. So, let me just go back here to CTF folder, and under Wakanda I have the note.txt. And over here I'm just going to paste this in, and I'm not going to submit this to anywhere, but maybe later on I will need it for some reason for proceeding in our CTF. So, I'm just taking a note over here. So, we got the first flag but we have two more to go. If you remember the description of the CTF, we're going to have to find the second flag and we're going to have to find the root flag as well. So far, so good. Now let me check if we can find the flag2 over here. So, I'm going to call 'locate flag2.txt' and here you go. It's under /home/devops/flag2.txt. So, maybe we can read this. Maybe we can go over here, let me just say 'cd /home/devops' and over here let's try to cat the 'flag2.txt'. And here you go. Just as expected, it says that permission denied, even though we know it's over here, we cannot read it because it belongs to some other user called developer, okay? So, actually devops but the group of the developer is the developer. So, over here we don't have that permission to read it, only devops user can read it as well, okay?

So, let me see what we can do over here. So, what we can do actually is try to escalate our privilege into the devops user, right? So, we're going to try and go to that user. So, I'm going to just say 'cat /etc/passwd' and see what users we have over here. So, of course, we have root, we have the Mamadou, we have the devops, and we're going to try and be the devops in this case. So, what I'm going to do over here is that you should do for I believe every penetration test or every CTF that you're going to come across, and we're going to talk about this a lot during the privilege escalation section of this course as well.

And in fact, we're going to see a lot of different techniques in order to escalate our privileges in order to become root, and this is actually one of them and it's a very valid one and it actually is valid in the real life examples as well. So, what I'm going to do, I'm going to try and see if we can find a file that we can just run and execute that belongs to the devops, but we can run it from the user Mamadou as well. Maybe that file will give us some kind of leverage in order to change our user, okay? Maybe it will, maybe it won't, but it's worth a shot. And by the way, there are a lot of tools that we can use for privilege escalation, like LinEnum or lin sh. So, we're going to see some of those in the following sections, but it's always a good idea to look for this manually. So, you can run a 'uname -a' for example, and see what kind of kernel that you're in. And you can see if you have any kind of kernel exploits in order to escalate your privilege.

We're going to take a look at those and we're going to take so many more steps in order to learn about privilege escalation. Right now, I'm just going to show you one, okay? And if it doesn't work, of course, we're going to go and see other ones as well. We're going to see what kind of steps should we take in order to escalate our privileges in a given Linux environment. Right now, let me show you what I mean. We're going to use 'find' and you know how to use 'find' because we have learned it in the previous section. So, we use this command in order to find some files and folders that belong to some kind of user or that belong to some kind of group or that are inside some kind of size. So, I'm going to just run 'find' dot or slash, we better add slash because we're just running for the whole server. We have seen that, remember. And I'm going to search for user devops. So, I'm not user devops right now. I'm user Mamadou, but it's a good idea to run it.

And as you can see, Linux gives us the files and also the permissions that we need or that we have in order to run or see or just write to that file. So, over here, as you can see there are a lot of files over there, but these are all permission denied. So, we cannot do anything with them. Maybe we can use it for information gathering purposes, but we cannot see them, we cannot write them, or we cannot execute them. So, I'm going to try and find something that we can actually run or see or execute. And over here we see the flag2.txt. It doesn't say permission denied, but we have seen it, right? We cannot see that. So, over here we have some other file called antivirus.py and it's under srv folder over here. So, it's worth a shot to look at that if we can see it or if we can write it or if we can execute it. It's a little bit suspicious to see some kind of antivirus Python file that is going on over there, right? So, we better take a look at that. And also we have this tmp folder called test or tmp file. I don't know what it is yet, test. And we're going to take a look at those. So I'm going to copy this file, because I will try to see the content of it and I will try to see what we can do with it. So, what I'm going to do, I'm going to copy this file and also bear in mind that we have this tmp test file as well. So, maybe we can take a look at that and see what we can do with it. And if you do find something like that in a real-life pen testing scenario, of course, take a look at those as well. If you can find anything that you can run or see or write as another user, it's better to take a look at those. So, I'm going to come over here and see if we have something like test over here. We have test but it only says test. So, I believe there is nothing interesting over here. Maybe you can cat this out and here you go, for the srv folder, for the antivirus.py, we have this script. So, it opens tmp test and it writes it, it opens it to write it and it writes test.
So, it's connected, right? So, when this antivirus.py is executed, then we will see this test folder or test file appearing, and it seems that it's already been executed for us. Maybe user devops already executed this before, or maybe this is kind of a cron job. So, I'm going to go into the cron.d, and just run 'ls -la', and see what kind of things that we have over here. We have the placeholder, and I believe which it's nothing, but if we go for the anacron and if we cat the anacron, then we can see it's a cron job and over here it actually runs something, okay? Let me see what it runs. So, I'm going to cat the php here as well. So, yep. So, this is for every 30 minutes, it's for cleaning the session I believe. And I don't think this is related with the antivirus.py, let me just get the placeholder here as well. So, this is just a placeholder. So again, I don't know if we have this over here, we can see and we can take a look at that later on. But again, we know that this antivirus.py has been executed. So, what I'm trying to do over here is actually, we can run this file, we can run this. Let me see this antivirus.py file as another user. And we don't know actually if we can execute this, but we can try to see it. We can try to write it and change it. So, maybe we can manipulate this and run it as a devops and get a session back from devops as well. Let's stop here and test all of this within the next lecture and see if that works or not.
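
Added example, not part of the course material: the condition the lecture looks for (a file owned by one account that other accounts can modify) written as a hardening audit in Python. The function names, the sample tree and its file names are assumptions constructed for illustration.

```python
import os
import stat
import tempfile


def audit_writable(root, owner_uid=None):
    """Return (path, octal_mode, reason) for regular files under root that
    accounts other than the owner can modify. owner_uid limits the report
    to one owner (for example a service account); None reports all owners."""
    findings = []
    for dirpath, _dirnames, filenames in os.walk(root):
        for name in filenames:
            path = os.path.join(dirpath, name)
            try:
                st = os.lstat(path)  # lstat: do not follow symlinks
            except OSError:
                continue  # entry vanished or is unreadable, skip it
            if not stat.S_ISREG(st.st_mode):
                continue
            if owner_uid is not None and st.st_uid != owner_uid:
                continue
            reasons = []
            if st.st_mode & stat.S_IWOTH:
                reasons.append("world-writable")
            if st.st_mode & stat.S_IWGRP:
                reasons.append("group-writable")
            if reasons:
                mode = oct(stat.S_IMODE(st.st_mode))
                findings.append((path, mode, ", ".join(reasons)))
    return sorted(findings)


def build_sample_tree():
    """Constructed sample: one loosely permissioned script, one corrected."""
    root = tempfile.mkdtemp(prefix="audit_demo_")
    loose = os.path.join(root, "job_loose.py")
    tight = os.path.join(root, "job_tight.py")
    for path in (loose, tight):
        with open(path, "w") as fh:
            fh.write("print('scheduled task')\n")
    os.chmod(loose, 0o666)  # weak: any local account can rewrite it
    os.chmod(tight, 0o644)  # corrected: only the owner can write
    return root, loose, tight


if __name__ == "__main__":
    sample_root, _, _ = build_sample_tree()
    for finding in audit_writable(sample_root, owner_uid=os.getuid()):
        print(finding)
```

Any script that a scheduler or service runs under a different account should come back clean from this check; a finding is resolved by removing group and other write permission from the file.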


About the Author

Atil is an instructor at Bogazici University, where he graduated back in 2010. He is also co-founder of Academy Club, which provides training, and Pera Games, which operates in the mobile gaming industry.