Linux Hackers Become Root with CURL & Sudo
ฝัง
- เผยแพร่เมื่อ 3 มิ.ย. 2024
- jh.live/pwyc || Jump into Pay What You Can training at whatever cost makes sense for you! jh.live/pwyc
Play my "Book Store" challenge on HackingHub: app.hackinghub.io/book-store
Learn Cybersecurity - Name Your Price Training with John Hammond: nameyourpricetraining.com
WATCH MORE:
Dark Web & Cybercrime Investigations: • Tracking Cybercrime on...
Malware & Hacker Tradecraft: • Malware Analysis & Thr...
📧JOIN MY NEWSLETTER ➡ jh.live/email
🙏SUPPORT THE CHANNEL ➡ jh.live/patreon
🤝 SPONSOR THE CHANNEL ➡ jh.live/sponsor
🌎FOLLOW ME EVERYWHERE ➡ jh.live/twitter ↔ jh.live/linkedin ↔ jh.live/discord ↔ jh.live/instagram ↔ jh.live/tiktok
💥 SEND ME MALWARE ➡ jh.live/malware
🔥TH-cam ALGORITHM ➡ Like, Comment, & Subscribe!
Appreciate the shout out John! This was a really interesting privesc. :D
What interesting. He could just directly do ls -l . Cat /etc/passwd
In real enterprise environment he tricks wont work
Oh hey! I think I remember seeing you do an interview with Spycast or someone in the vet community. I recognized the avatar
@@davel202 lol
@@davel202 Sorry, haven't done an interview with Spycast or the vet community.
Your first python3 web server is running as "user" which is why "user" needs access to /home/fry/.bash_history to successfully serve the file. There's no security exploit here. Hence why you needed to adjust the file permissions. I would expect users wouldn't run that server since it doesn't give them anything they don't already have.
Edit: The second python3 server running as fry is better since you smuggle in a file fry has access to into /root/ using curl as root. But ultimately you could have done the same by using curl as a fancy cp.
You could also rewrite the /etc/shadow file, edit the uid of a user u have in /etc/passwd…
I just removed the hash of root then overwrote shadow; then just ran su :)
@@aerozine2389 Mostly, only root is approved to write, even read a file.
man, I love your videos :)
keep up the good work :)
Hey John, is there anyway to reach out to you about setting up vulnerable servers?
6:00 Doesn't python server read the file and serve it? How can curl having the sudo perms make python be able to serve a forbidden file?🤔
6:35 ah should have watched ahead😂
so he overcomplicated reading .bash_history 😅
Great work, John!
wait a min. i didn't get that, when we access that file via curl its requesting python server for that file and python don't have perms to read that file, how the hell curl suid perms allowed that?
its not requesting python server, curl can do that on its owm , since it had root perms. we dont need pythonserver, at all after the fry shell
Always great videos. Thanks John!
Edit: I often make the same mistake when doing links 😂.
Nice!
Thanks for sharing John!
That was neat, the only downside is that this way if the authorized_keys file does exist you'll be overwriting it, so the original user wouldn't be able to access anymore using their key.
Also root ssh access could have been disabled for safety reasons.
3:10 lmao I am watching at 23 pm and i got flashbanged
Hi. Just a quick question. If you had access to write, is there a possibility to overwrite the/etc/shadow file with a new hashed password that you actually know for the root account?
Yes! That is an even better technique, so it all stays local and you don't have to rely on SSH. If you remove the hash entirely, you can su to root without even needing a password 😎
@@_JohnHammond Exactly, thanks for the answer 😉
If you fixed up the perms, then this wouldn't work, because the HTTP server would need to run as fry or root to read any of fry's files.
Could've just "cat /home/fry/.bash_history" at this point instead to save time.
great stuff! really clever
please put the nahamcon ctf hosted somewhere.....
John, what do you think of Tcm security training?
They're solid.
how to access one system to another system
Great stuff. I now have more CTF problems than I have time. LMAO 😅
Nice idea. Thx.
Awesome !!
Someone once time me the order of the params for ln is the same as mv and cp and i have never forgotten it since.
mv
cp
ln -s
ln -s will overwrite the old file with a blank new one. I discovered this trying to move my .bashrc into .config and symlink it into ~. That was a fun hour 😂
The first curl example does not make any sense. The web server that reads the symlink will do it as the same user as is running curl and the web server. Curl simply does nothing in that case, just that the permissions were set incorrectly.
Love your videos !! Thx !!
Is this Kali on bare metal or in a VM ?
vm
@@user-mk3zz8zn9b thx bro
john never disappoints !!
nice!
Cool 😊
Privilege escalation, in MY sudo? It's more likely than you think.
You are amazing
if he's already running commants using fry and using sudo then where the heck is the privilege escalation
Thanks a lot for this valuable and enjoyable content 🥰
Glad I'm not the only one who consistently fucks up the ln command.
I do the same with mklink on Windows -_- oh the pain
Commands I've used a million times but always need to look up:
ln
tar
find
Hey, John, let's get OSEE.
I want to learn Exploit development, any suggestions mates..
Buffer overflows, Azeria Labs and Liveoverflow's Bin series
@@Jarling-so4oi mate, any prerequisite
You can just become root with only needing sudo..... sudo passwd -d root && su and now ur root. Way faster..
I can't see the subsibe button 😂
Not me doing a symbolic link CTF just before watching this video 😂
6:13 pepePains the password
conclusion - no ssh no problem :D
❤❤❤
mmm hamham-yumyum-tumtum
👍👍👍👍👍👍👍👍👍👍👍👍
Second
First 🥇
for some reason I hate when you say "tac" instead of "dash"
Really?!? I love it!
Brother, why are there no Turkish subtitles? Do you have a problem with Turks?
there's also no Persian, probably unintended
Ask TH-cam, they are auto generated
Why race-baiting? That's VERY low IQ.
very good