Try Hack Me : Linux PrivEsc
- Published: 19 Oct 2024
- This is the continuation of our Junior Pentester learning path series on tryhackme.com. We are exploiting! Let's have some fun! This is the longest of our series so far and covers Linux privilege escalation in depth!
Patreon to help support the channel! Thank you so much!
Hacker Discord
13:40 - privilege escalation kernel
24:10 - sudo ex
30:00 - suid ex
47:19 - cron jobs ex
55:00 - paths ex
1:07:25 - nfs ex
Thank you very much! I'm a 28-year-old video editor doing a career change into Cyber Security for the past 5 months now, and some rooms in the JR pen test were really hard, but with your videos it was much easier to understand.
Awesome man good to see! Do what makes you happy!
Stuffy your content is fantastic! I know you keep referring to how long the videos get but I think I can speak for everyone that we don't mind the long videos. The longer the videos, the more you explain in detail certain things that newcomers like myself have trouble grasping. Thanks for all the help and detailed explanations!
Thank you! I will keep that in mind! Sometimes it's hard to believe ppl wanna watch a 2 hour long video haha
I think sections or a series are more digestible for anything over an hour long :p
Thank you @stuffy24 for the video. I tried to do the PrivEsc without it and found some of the boxes were difficult to do, so your walkthrough was very helpful. I think the Privilege Escalation section of the course was the hardest part. I guess if you do it more often the different ways become easier to remember?
Hey thanks so much for the kind words. Hacking is something you just remember and then that's how you do it every time. It's something that as you do more you will have a general idea of what to try, but hacking is all trial and error and curiosity.
Stuffy at it again with a FANTASTIC walkthrough! I've learned so much from you at this point it's ridiculous. Thanks for everything that you do.
Thank you so much! If there is something specific you want to see make sure to let me know!
@stuffy24 I actually do have one question:
For SUID priv esc, can you confirm if 'user2' or 'gerryconway' are able to view contents of flag3.txt?
I've cracked the passwords for these users, logged in as them, and I'm still getting 'Permission denied...yadayada'.
I was able to use base64 to view the contents, but was wondering if you're just supposed to use cracked passwords/login as other users/view flag3.txt.
It would kind of defeat the purpose of a SUID priv esc room if you could just use john to crack the other users' access to view contents of flag3.txt, no?
Even though this video's been around for a year, I just gotta say thanks a bunch for this and your other vids! Your enthusiasm for this stuff is contagious, and I'm loving it!
I appreciate that a lot man!
Can't thank you enough!!! I've come back to your video for over a month and I've finally completed this module! One more to go!!!
Knock it out! You got this
The answers to these THM questions are in 10 different places across the internet. So the value in your videos IMO is not in your giving the answers but in your contextualizing the information --what are we really trying to do or learn in this room? What do we really need to know? Also, clearly explaining things that are badly written in THM (which is common). And spelling out the small details of the process so that we don't get stuck for some tiny detail even if we basically understand what we are trying to do. While these rooms are of course easy for you, many of us need every breadcrumb we can get to understand what we are doing and learn. I am not coming to these videos for the answers to the problems, although it's helpful that you include them. Instead, it's the clear and contextualized explanations that matter. I personally don't care how long the video is--very long fine as long as it's clearly and completely explained. (It would be great if you time-stamped them by question, though!) Anyway, thanks again for these, they are invaluable.
Thank you!
You left me speechless, I am loving the way you explained it, while letting us try our own techniques. Thank you very very much
Thank you
Hello, it took me 5 hours to follow the course with you, take notes, and understand everything. 1 month ago I had no clue what an IP was. Just finished the capstone alone in under 40 mins, all props go to you.
Very nice well done
You are a champ ... for some reason I always find your videos more helpful than others. It's probably the pace with which you run the lab is not so fast and I find it easier to follow your instructions.
I appreciate that thank you
Excellent video. I could usually get the flag myself, I was just missing a step or two in between. Thank you for making the video!
Finally learned privilege escalation thanks to u man. Really helpful.
Thank you for taking the time to explain and teach us what you know! This challenge was tough and this video was most helpful!
💥💥💥💥💥
Appreciate you!
It was really helpful that you were not just solving away, but also explaining! that helped a lot!
I appreciate that. Thank you
@stuffy24 right now also I am following along your video only😂
Thank you man. Today you gave me all the reasons to become one of your patron. I will subscribe now
Thank you so much!
Thanks for doing this. Super helpful. Love reading the instructions and then hear your interpretation of whats going on.
Thank you man! That's exactly what I'm trying to do is help people who don't just instantly understand things bc that's me lol
Thanks for walking through this and posting this vid, it helped me A TON. You're an awesome teacher.
Thanks so much!
vim is the most complicated text editor I've ever used LOL. I tried for 15 minutes before switching to nano!
love your videos-- keep up the hard work
lol it seems that way but once you get used to it it's very nice, it just has a learning curve
Thanks, Great explanation !
Only need to research about the gcc compiler
Thank you!
I'm really enjoying your content man! The explanations are great and you have a great workflow for explaining what you're doing. I am curious though, why are you not doing this with a virtual machine? Keep it up!
Thank you! I do a lot with my virtual machines but try hack me boxes I always do the videos with the attack box so that anyone watching can replicate my exact steps and not have to worry about certain versions of installs etc
loved your walkthrough ❤❤
we are waiting for offensive pentesting path now
Doing cyber defense path now then we can kill that offensive path!
Great vids. It would be nice if you didn't worry about time I'd rather watch a longer video if that means I learn more.
Also food for thought, as a beginner, I wish we didn't worry so much about "spoon feeding" answers for everything.
In school, teachers taught us HOW to run mathematical equations, step by step, and explained WHY it works the way it does.
The most important part was repetition and for us to show our work, that way we understood what we were doing.
The worst teachers were the ones that told you to look it up in your text book and sat back in their chairs.
In the cyberworld it makes sense that we should learn to be fully independent to find our own information as there is too much to learn.
However, in the greater scheme of things, I think it would benefit us all if we focused more on collaboration and understanding the fundamentals as we make it easier and easier to attract more talent.
edit:
P.S. thanks to your walkthrough, I was able to accomplish the Capstone without watching the rest. However, that's not to say I'd recommend leaving it out as a final challenge to others. I still appreciated having the fact that I could reference the capstone walkthrough if necessary to help expedite the learning. Thanks again for the vid!
I agree wholeheartedly with this idea, the problem is realistically most people have short attention spans. You can see the analytics on RUclips and unfortunately longer videos equals less liked by the masses. This is why for the people that want to learn more I do the Livestreams in the discord and I do the Patreon videos for whatever topics they want. It's not perfect and I do agree finding that balance would be perfect! I just have to keep working on it. Thanks so much!
hi brother, your videos are crazy, thanks for making them
Hey thanks for the Videos, I enjoy Learning with you, and I thank you for that!
Hey thanks! That made my day!
Awesome practical explanation - many thanks! 🏆
Thanks so much for the support
although i'm sure i'm older than you: i wanna be like you when I grow up. mad skills!
Appreciate it. I'm older than I look though lol
I had a lot of problems with the virtual machine. despite that, your explanation actually put me in orbit
ps: love your dogs
Thank you man!
You're a legend dude - appreciate your help
Appreciate you!
thank you for giving the finer details!
Thank you for the kind words
big up man, don't wanna brag but I have done the path up to redteamer in 20 days from a complete beginner, so yes I have looked through most of your videos on these boxes. You make most of the new tasks understandable and I really enjoy learning from you.
I can't get enough of you explaining things,
but apparently my girlfriend can, so from now on it's no more no-headset for me.
big thank you!
@hansbertilldanielsson48 hahaha that's the first time I've heard that! I appreciate it my man! If you have any requests throw them in the discord under #video requests !
Hey I love your content, seriously my favourite cybersec walkthroughs. I am planning on doing walkthroughs of picoCTF as I am currently teaching those to high school students. I think it would be a lot more fun to do them on Zoom as a collaboration with another RUclipsr. My freelancer can then do the editing and we both get polished content for our channels. Let me know if you are up for it
Add the discord and add me and dm me
@stuffy24 done
Thanks a lot man. You sure helped me learn a bunch in this one.
Thank you!
Great walkthrough, very clear. Thanks
thanks man .. really appreciate this!
Really appreciate it, clarified a lot of questions
Thanks. This was very helpful!.
Thanks for another great video, my dude.
You are awesome, thank you!
Thanks man!
Frank's password's hash value is upto LR1
Regarding cron jobs - during a real pen test engagement, editing existing running cron jobs can't really be appreciated, right?
Super good and informative content.
This all depends on your scope. Some companies do want to see this done but you're right it is sketchy
@stuffy24 With that being said, if I do find a vulnerability within a cron job and am able to edit an existing running job I might wanna take it up with the customer first... :)
Thanks for the fast answer.
@Boolap1337 yes absolutely lol most of the time you will have consistent contact with the customer POC and before you do anything like that you will be letting him know or asking
I have to rewatch these multiple times to understand. Hopefully the note taking and repetitions will click! Privilege Esc. is tough for me
Thanks
@alechernandez5506 you're doing the right things then!! That's the key, to keep practicing until it makes sense
I hope you don't mind if I ask a couple of questions. I'm having trouble in the crontab section. I tried editing the test.sh file with nano. I tried doing what you did with vim but I was having trouble exiting vim. I heard you say esc then w then q. I tried it and just got stuck in vim. Do I have to use vim for rewriting the test.sh file? Also if I'm incorrectly entering keys to exit vim, can you reiterate? Also I really appreciate you content! I try to do it all myself until I'm stuck, but your brain has helped me sooo much!
Thank you for the comment no worries, you can use any text editor to edit the file I just happen to use vim. So with vim you hit escape to get to the command input then you type wq enter as the command. Let me know if that works for you!
@stuffy24 I appreciate the reply! It took me a bit but I figured it out. Turns out I had to hit esc and then type : followed by the w q and enter. Hopefully this can help someone else. Also when I get paid be ready to have a new patreon follower!
@kyleweeks4242 love it! That's what it's all about is helping others !
Hey can you tell me what you do for a living? You're pentester or SOC or kinda like that
I do work in cybersecurity yes.
Thanks for the useful content, and you have a good dog
Thanks!
I have a question, how much time do you think it takes to get to grips with this room, I've been learning from scratch and I've only been learning for the 2nd week and I'm wondering if I haven't made progress too soon, because there are quite advanced things here, what rooms should he do in advance? I did Introduction to Cyber Security and Pre Security, is that enough?
Linux as a whole takes years so I wouldn't beat yourself up! Privilege escalation is all about knowing the systems, so the more you administrate them the more you will know. Take your time and learn at your own pace
@stuffy24 what rooms should I do in advance? I did Introduction to Cyber Security and Pre Security. What rooms would you recommend for a beginner? I would like to become a penetration tester in future. How would you recommend learning for someone from 0?
@MlodyKsiaze777 you can join the discord and some of the folks can give you guidance and I can give you some resources.
So...the target's version of GLIBC is older (2.31) than the attacker's version of GLIBC (2.4). This prevents me from running the nfs executable on the target. Since I don't yet have root privileges to update GLIBC on the target, I was unable to gain root access and obtain the flag7.txt
Part of me thought I could recompile nsf.c on attacker using the target's version of GLIBC, but I'm not sure how to rollback GLIBC on attacker. I'd have to research more.
Any pointers? Surely I'm either missing something or there's a way around this.
I'd have to look more into it. You're using the attack box they provide right?
@stuffy24 Well...I'm using the Kali Linux box they provide. Does it make a difference? I would assume both Kali Linux and Attack Box they provide would be updated, but you know what happens when you make assumptions! I'll test on Attack Box and see if that works. Thanks for your reply.
@iCyberVenom usually they tell you if you need to use the Kali box for something. Let me know if the attack box works?
Had the same issue. Compiling worked when using the attack box (gcc version 9.4.0) but didn't work on my own Kali (gcc version 12.2.0)
@takashidoyama9333 And there it is! haha I eventually figured it out, but boy was that annoying while navigating the issue.
You rock dude!
Thank you!
You can copy/paste things to the attack box clipboard. There's a little slider on the left-hand side of the attack box about half way between top and bottom. Open it and click "clipboard" then you can paste something from your machine to the attack box, or copy/paste something from the attack box to your machine. Hope that makes sense.
Ya it does. I use it a lot in my newer videos! Thanks for the help !
@stuffy24 alright. I'm sure I'll see your new videos as I make my way through thm and hackthebox. You've been a lot of help for me. Do you have a degree in computer science or cyber security? I'll be going to school soon and I'm trying to figure out which would be the best degree for an eventual career in pentesting.
@drewwagner8245 hey thank you so much! I do have a degree in cyber security. I think it all depends on what interests you most
@stuffy24 Do you ever feel like you wish you would've gone for a computer science degree to help with all the code we see while doing cyber sec?
@drewwagner8245 that's a good question but no I don't at all, but that's because when I got my degree I was already years into the field so I had already learned the things a CS degree would teach me
awesome content!
long videos are just fine ;)
Thank you
Thank you for the support!
to do do do ... tu do du... to du du... 😂😂. Now It becomes my habit.
Yo, I kinda like how you don't answer everything. It's a reminder that I gotta really try to take it all in and jot down some good notes with Cherry Tree.
Appreciate you my man
I wish you zoomed in
the words and letters are very small!
Yep this is an older video. I do that in my newer videos
I appreciate your hard work @stuffy24
I'm having a problem at task 11, mount -o rw
mount: only root can use" --options" option
Can you hop in the discord and try and troubleshoot? It's too hard to tell just with that info.
@stuffy24 Ok, I will join the discord. Thanks
In case anyone else runs into this problem: make sure you're running the mount -o rw command on your attackbox and not on karen's ssh connection
THANK YOU BRO
Thank you for the support!
Privilege Escalation "PATH" is not working like in your Video. You need to create a file named "thm" with the content "/bin/bash" in it. then you add this file to the path. now it can be executed by ./test from /home/murdoch
@towel598 this is an older video they could have changed the box since I did this. They do that a lot lol
Task 9 is not working for me. I edit the backup.sh file using nano to contain the reverse shell code as mentioned in the task and it doesn't work as a Cron job. When I enter the script directly on the command line it works just fine and the reverse shell connects back to the attacking machine. How do you go about triggering the Cron job?
Cron jobs are scheduled so it will auto trigger at a certain point
@stuffy24 thanks for your reply, I'm liking your vids and they've been helpful. The problem was actually that I didn't do chmod +x on the file.
@fernandovega4816 thank you! Nice catch and glad you fixed it
get the doggo involved lol, what's its name?
Haha I have 3 actually so they would get too involved!
Is there a Linux priv ESC cheat sheet somewhere?
There are a bunch of them just Google it. Nothing specific I use. Most are just my homemade ones I use.
@stuffy24 is using linpeas maybe bad practice for a beginner
@joshh4005 I wouldn't say bad practice, it's a good tool that finds things you may forget, but I think taking all the things it's looking for and checking manually will teach you much more! Also keep in mind linpeas will almost always be caught in today's environments if you don't change things
thx bro
Has anyone managed to install the gcc compiler on the Linux target?
This video was a long time ago I don't remember what I had to do
@stuffy24 thank you anyway for answering me, it was a bug because gcc was installed on the target by default
Please, writeups for the new room Windows Privilege Escalation
I plan on it but I will finish the defense path first since people are waiting on that. I upload quite often so shouldn't take long.
In task 12 I try the kernel exploit
gcc 42887.c -o final
42887.c: In function ‘main’:
42887.c:430:14: fatal error: rootshell.h: No such file or directory
430 | #include "rootshell.h"
| ^~~~~~~~~~~~~
compilation terminated.
and I don't know why I can't use this file
You explain it better than tryhackme's description
To be fair they have to use just text where I can verbalize it but thank you so much for the support