TryHackMe! RootMe - Uploading Shells & SUID // CTF (Easy)

  • Published on 20 Dec 2024

Comments • 27

  • @brighter_cyber1887 3 years ago +2

    Hi Jon, really enjoyed the CTF content. Would enjoy seeing some more in future.

  • @accesscodetony1740 2 years ago +3

    Why was the python path considered weird?

    • @JonGoodCyber 2 years ago +2

      With less experienced hackers, being able to use a programming language like Python to privilege escalate is not usually one of the first things that comes to mind. It's not that we don't see those types of security vulnerabilities but typically other application or system misconfigurations, and vulnerable software versions tend to be the types of attack vectors we think of most commonly. Like anything, as your knowledge evolves, you start to identify some of these seemingly innocent paths.

  • @JohnSmith-wp6xm 3 years ago +3

    I’m new to this. Can you explain why the python folder is considered weird? Thanks

    • @JonGoodCyber 3 years ago +2

      This video isn't really meant to dive deep into the why but if you want to learn more you will want to research SUID and Python. At a high level, typically programming languages like Python have the ability to interact with the operating system and can be abused if permissions aren't very strict.

  • @estefy2114 3 years ago +2

    Hi John, can you do more videos like this? What else do you suggest one does to improve cybersecurity skills?
    Thanks,
    Estefy

    • @patm8251 3 years ago +1

      I also think that if he does many videos on this, it will be great!

    • @JonGoodCyber 3 years ago +1

      Absolutely! I recommend grabbing a free copy of my eBook ( www.jongood.com/getstarted/ ) where I go into more detail about skills that you should develop.

  • @Shag_E 3 years ago +2

    Coincidentally, I was working on a beginner CTF on THM when this video dropped. I was stuck at the end and had to look up a command that was mentioned, sudo -l. And I was stuck on this for a good while 😅. If I would’ve watched this first I could’ve finished it a lot sooner.

    • @JonGoodCyber 3 years ago +2

      Bummer! Well I'm glad that I will at least help other people in a similar situation.

  • @digitalturan 10 months ago +1

    Why is Python considered an interesting or weird file? Is there any reason for that? And should we know the Python command by heart, or is GTFOBins our best friend?

    • @JonGoodCyber 10 months ago +2

      Although certainly not a video diving deep into the reasons why it's interesting, I highly recommend researching vulnerabilities in Python that you can exploit to help you in your journey. There's no rule in this career field that you have to memorize commands or usage syntax, but you should know where to find them.

  • @viktoriodenkov2046 3 years ago +2

    More videos like this please

    • @JonGoodCyber 3 years ago +2

      I'm glad that you enjoyed the video and thank you for the feedback!

  • @lilham9044 11 months ago

    He really didn't explain a lot in this video, like how did you use 2> to find a file and how the heck was that Python file weird out of all them files?

    • @JonGoodCyber 11 months ago +1

      The scope of this video was to show you how to complete the tasks successfully, not necessarily to break down super technical details. You have the answers, so now it's crucial to improve your research skills to dive deeper into those answers.

  • @cziegl3r 3 years ago +1

    Waka Flocka Flame

    • @JonGoodCyber 3 years ago +1

      I'm glad that you enjoyed the video!

  • @IncredibleDev88 1 year ago +1

    How the heck did you know what wordlist to use?!

    • @JonGoodCyber 1 year ago +2

      CTFs tend to stick with common lists, but sometimes you just need to try different lists to see what works. It's very uncommon for a lab or CTF to use a list that is not widely available because the point is to see if you know what you're doing process-wise and not necessarily if you have some secret list.

    • @IncredibleDev88 1 year ago +1

      @JonGoodCyber OH!!! So at the risk of sounding like a novice, is there a list somewhere OR does this just come with experience 🤔

    • @JonGoodCyber 1 year ago +1

      @IncredibleDev88 Several lists are preloaded in Kali. You can also download lists or create your own if you want.