The course is part of this learning path
This course will walk you through how to solve a number of tasks as part of a capture-the-flag (CTF) game called Wakanda. You will learn the necessary skills to excel in penetration testing and privilege escalation.
Hi, within this lecture, we're going to try and change our user to DevOps if we can. We are currently in the Mamadou, and we found out that we have to change our user to DevOps. And most probably, we're going to make our way up to the root later on from DevOps, right? So, right now we found something called antivirus.py, and we know that this belongs to DevOps user, and we know that we have access to it somehow. We don't know yet if we can actually change it or execute it, but we're going to try and see. So, what can we do with a Python file? It's easy, right? We can write a reverse shell for Python and get a session back as DevOps. So, what I'm going to do? I'm just going to go to Google and search for Python reverse shell. So, if you got the complete Ethical Hacking course from me, you know that we can actually write one ourselves. But let's be simple. And I'm just going to go over here and write Python reverse shell code. And as you can see over here, I'm just going to call it cheat sheet. And here you go. Every time I do that, I come across with pentestmonkey and it always works. If you just see something like that, say, see details and ignore the risk. So, I'm going to go into the pentestmonkey.net. As you can see, there are a lot of reverse shells over here for different kind of programming languages like Bash, PERL, Python, PHP, Ruby, Netcat. So, we're going to use this website a lot during the course. So, as you can see, so this is Python 2.7 and we know that our server runs Python 2.7. This is how we get our shell in the first place, right? So, I'm going to take this, and I'm just going to go under the cd /srv. So, let me run ls-la, and here we go. We see the antivirus.py, it's a hidden file. I'm going to try and nano into this antivirus.py and see if that works. Here we go, it works. So, I'm going to paste the thing that we have copied from the pentestmonkey. And over here, it's actually a one liner. So, it's actually scripted in a way that you run this in terminal. But we're not going to run this in terminal; we're just going to run this as a Python code itself, right? So, I'm just going to delete everything over here and I'm just going to delete the quotation marks. And I'm just going to delete the test over here as well, right? So, if you know Python, you know exactly what I'm doing over here. I'm just trying to convert this into Python code. So, I'm just going to import the socket. So, this is a library. In order to make the connection, I'm going to import the sub process and import the OS over here. So, sub process is for running the system commands and also for a running operating system functionalities over here. So, I'm going to delete these semicolons because we don't need them anymore. Okay, we're running a Python code; we don't need semicolons in Python. So, over here I'm just going to delete those and just align everything over there. So, if you know, Python, this is very easy for you. If you don't know it, just try to bear with me and just try to make your code look exactly like mine. So, over here, as you can see, we have the IP address and the port address that we want to send this connection to. So, in this case, I'm just going to change it to our own ifconfigresults. So, I'm going to run Ifconfig over here and see it's turn out too far in my Kali Linux. So, I'm going to make this turn out to four, okay? And port is not very important; you can leave it as 1234. Just say 'Ctrl' or 'Enter' and 'Ctrl+X' to exit out of this one. And let me check this over here. I'm going to come over here and say Netcat. And we're going to listen for connections coming from port 1234. You're going to have to say nvlp for that. So, we have learned about this stuff during the completed Ethical Hacking course. I hope you got it or I hope you know what I'm doing right now. So, we're here in the antivirus.py. As you can see, it's saved, so it's good. So, we have to find a way in order to execute this. So, I'm going to run Python.antivirus.py and see if it works or not. So, as you can see, I managed to run this and here you go. Now, I have a connection from the server. So, I'm going to go to id, and seems like we are Mamadou; it's weird. As you can see, we're trying to execute this as the DevOps, but since we are using Mamadou, maybe it's not being executed as DevOps. So, it's kind of weird. So, I'm going to 'Ctrl+C' out of that one, okay. It clearly doesn't work, and I'm just going to say id again. No, it doesn't work. So, what I'm going to do here, I'm going to try and go to cd/home/devops and try to cut the flag to .txt. And obviously, it doesn't work. Even though we get a shell, we get the shell as Mamadou, so it's strange but we're going to have to try and solve this one, right? So, over here, actually when I was solving this CTF, I got a little bit confused. Let me try and exit out of this one, maybe like with quit or exit. No, it doesn't work; we lost this connection over here as well, right? So, let me exit out of this one and just run this one more time. And we managed to exit out of that one. So, we are in the user Mamadou over here, but we cannot just get this connection as DevOps, so you can try to reboot this in order to maybe trigger the execution of that Python file. You can try to do sudo reboot, but we don't even know the password for the Mamadou. And as you can see, I'm trying some other solutions over here, maybe we can try to go into our Wakanda and try to cut the notes that we have over here. Maybe we can try this password in order to reboot these file over here. And maybe the Mamadou has this password. Mamadou has this password in the server as well, but Mamadou cannot do that because he's not in the sudo's file. As you can see, we cannot reboot that. And magically, as you can see, we got the connection back from the server. So, if you're an id, we are DevOps. So, how did it happen? We didn't even do anything over here. So, it made me think that this is a cron job, right? So, it's been like running for some time so if you wait a couple of minutes, it's going to get executed. It's going to give us the connection back. So, that's why I just tried to see the cron d. Maybe we can check for the crontab as well, but again, it should have been a crontab or it should have been a cron job, because how else we're going to get this, right? Just listening for a connection and waiting for a couple of minutes, it got back the connection from the user devops. So, it doesn't work if we executed on our own as user Mamadou, it actually works, but we get the connection back as Mamadou. But if we just do nothing and if we just start listening on our terminal, then we're going to get this. So, it should have been like a crontab or cron job or something, so it's been running in the background and it got executed, and then we got back the connection. Very good. Now, over here in the shell that we have, let's try to go to home DevOps one more time. And if we cut the flag to txt now, we're going to get this flag. As you can see, we get the second flag over here, which is very good. So, I'm going to take a note of this. Okay, so I'm going to nano into my note.txt. And let me just save the flag too as well. Now, let me paste this over here and 'Ctrl' or 'Enter' 'Ctrl+X'. Here you go. Now, there is one thing left to do which is becoming root. Because we are right now devops, we're going to try and escalate our privileges one more time, right? So, that's what we're going to do within the next lecture together.
Atil is an instructor at Bogazici University, where he graduated back in 2010. He is also co-founder of Academy Club, which provides training, and Pera Games, which operates in the mobile gaming industry.