Linux Hackers Become Root with CURL & Sudo
Рет қаралды 61,882
Ай бұрынjh.live/pwyc || Jump into Pay What You Can training at whatever cost makes sense for you! jh.live/pwyc
Play my "Book Store" challenge on HackingHub: app.hackinghub.io/book-store
Learn Cybersecurity - Name Your Price Training with John Hammond: nameyourpricetraining.com
WATCH MORE:
Dark Web & Cybercrime Investigations: • Tracking Cybercrime on...
Malware & Hacker Tradecraft: • Malware Analysis & Thr...
📧JOIN MY NEWSLETTER ➡ jh.live/email
🙏SUPPORT THE CHANNEL ➡ jh.live/patreon
🤝 SPONSOR THE CHANNEL ➡ jh.live/sponsor
🌎FOLLOW ME EVERYWHERE ➡ jh.live/twitter ↔ jh.live/linkedin ↔ jh.live/discord ↔ jh.live/instagram ↔ jh.live/tiktok
💥 SEND ME MALWARE ➡ jh.live/malware
🔥KZfaq ALGORITHM ➡ Like, Comment, & Subscribe!
@TheMAZZTer Ай бұрын
Your first python3 web server is running as "user" which is why "user" needs access to /home/fry/.bash_history to successfully serve the file. There's no security exploit here. Hence why you needed to adjust the file permissions. I would expect users wouldn't run that server since it doesn't give them anything they don't already have. Edit: The second python3 server running as fry is better since you smuggle in a file fry has access to into /root/ using curl as root. But ultimately you could have done the same by using curl as a fancy cp.
@Tib3rius Ай бұрын
Appreciate the shout out John! This was a really interesting privesc. :D
@ytg6663 Ай бұрын
What interesting. He could just directly do ls -l . Cat /etc/passwd In real enterprise environment he tricks wont work
@davel202 Ай бұрын
Oh hey! I think I remember seeing you do an interview with Spycast or someone in the vet community. I recognized the avatar
@ytg6663 Ай бұрын
@@davel202 lol
@Tib3rius Ай бұрын
@@davel202 Sorry, haven't done an interview with Spycast or the vet community.
@almog4373 Ай бұрын
You could also rewrite the /etc/shadow file, edit the uid of a user u have in /etc/passwd…
@aerozine2389 Ай бұрын
I just removed the hash of root then overwrote shadow; then just ran su :)
@AlejanroDelHierro Ай бұрын
@@aerozine2389 Mostly, only root is approved to write, even read a file.
@aalbatrossguy Ай бұрын
man, I love your videos :) keep up the good work :)
@DHIRAL2908 Ай бұрын
6:00 Doesn't python server read the file and serve it? How can curl having the sudo perms make python be able to serve a forbidden file?🤔
@DHIRAL2908 Ай бұрын
6:35 ah should have watched ahead😂
@RandomGeometryDashStuff Ай бұрын
so he overcomplicated reading .bash_history 😅
@rogerioabreu3081 Ай бұрын
Great work, John!
@algorithmblessedboy4831 Ай бұрын
3:10 lmao I am watching at 23 pm and i got flashbanged
@liveting4579 Ай бұрын
Hey John, is there anyway to reach out to you about setting up vulnerable servers?
@ToyeTuning Ай бұрын
Always great videos. Thanks John! Edit: I often make the same mistake when doing links 😂.
@Adkali Ай бұрын
Nice! Thanks for sharing John!
@gabrielex Ай бұрын
That was neat, the only downside is that this way if the authorized_keys file does exist you'll be overwriting it, so the original user wouldn't be able to access anymore using their key. Also root ssh access could have been disabled for safety reasons.
@ChillstreamCentral Ай бұрын
wait a min. i didn't get that, when we access that file via curl its requesting python server for that file and python don't have perms to read that file, how the hell curl suid perms allowed that?
@user-mk3zz8zn9b 14 күн бұрын
its not requesting python server, curl can do that on its owm , since it had root perms. we dont need pythonserver, at all after the fry shell
@Trilipop Ай бұрын
great stuff! really clever
@carl313313 Ай бұрын
If you fixed up the perms, then this wouldn't work, because the HTTP server would need to run as fry or root to read any of fry's files. Could've just "cat /home/fry/.bash_history" at this point instead to save time.
@NANa-nz2pz Ай бұрын
John, what do you think of Tcm security training?
@xCheddarB0b42x Ай бұрын
They're solid.
@mihaiciocan59 Ай бұрын
Hi. Just a quick question. If you had access to write, is there a possibility to overwrite the/etc/shadow file with a new hashed password that you actually know for the root account?
@_JohnHammond Ай бұрын
Yes! That is an even better technique, so it all stays local and you don't have to rely on SSH. If you remove the hash entirely, you can su to root without even needing a password 😎
@mihaiciocan59 Ай бұрын
@@_JohnHammond Exactly, thanks for the answer 😉
@gregorh5658 Ай бұрын
Awesome !!
@xCheddarB0b42x Ай бұрын
Great stuff. I now have more CTF problems than I have time. LMAO 😅
@nickg.7275 Ай бұрын
Nice idea. Thx.
@sluuny Ай бұрын
Love your videos !! Thx !! Is this Kali on bare metal or in a VM ?
@user-mk3zz8zn9b 14 күн бұрын
vm
@sluuny 13 күн бұрын
@@user-mk3zz8zn9b thx bro
@lltheblankll3024 Ай бұрын
nice!
@definitelyno Ай бұрын
The first curl example does not make any sense. The web server that reads the symlink will do it as the same user as is running curl and the web server. Curl simply does nothing in that case, just that the permissions were set incorrectly.
@hacker4fun Ай бұрын
john never disappoints !!
@wrathofainz Ай бұрын
Glad I'm not the only one who consistently fucks up the ln command. I do the same with mklink on Windows -_- oh the pain
@beardlyinteresting Ай бұрын
Commands I've used a million times but always need to look up: ln tar find
@an3ssh Ай бұрын
please put the nahamcon ctf hosted somewhere.....
@RuggMatt Ай бұрын
Someone once time me the order of the params for ln is the same as mv and cp and i have never forgotten it since. mv cp ln -s
@paultapping9510 Ай бұрын
ln -s will overwrite the old file with a blank new one. I discovered this trying to move my .bashrc into .config and symlink it into ~. That was a fun hour 😂
@tametov Ай бұрын
Cool 😊
@amnahidhasan Ай бұрын
You are amazing
@JustenCase Ай бұрын
You can just become root with only needing sudo..... sudo passwd -d root && su and now ur root. Way faster..
@AUBCodeII Ай бұрын
Hey, John, let's get OSEE.
@petermoras6893 Ай бұрын
Privilege escalation, in MY sudo? It's more likely than you think.
@luis-rv8jj Ай бұрын
how to access one system to another system
@thespecialchannel Ай бұрын
if he's already running commants using fry and using sudo then where the heck is the privilege escalation
@ahmedazizabbassi Ай бұрын
Thanks a lot for this valuable and enjoyable content 🥰
@yajusgakhar6969 Ай бұрын
Not me doing a symbolic link CTF just before watching this video 😂
@Apple_Beshy Ай бұрын
❤❤❤
@ramprasadmuppana5002 Ай бұрын
I want to learn Exploit development, any suggestions mates..
@Jarling-so4oi Ай бұрын
Buffer overflows, Azeria Labs and Liveoverflow's Bin series
@ramprasadmuppana5002 Ай бұрын
@@Jarling-so4oi mate, any prerequisite
@false_positive Ай бұрын
conclusion - no ssh no problem :D
@rigsshiver823 Ай бұрын
6:13 pepePains the password
@nightwalker83 Ай бұрын
I can't see the subsibe button 😂
@temolantern9091 Ай бұрын
mmm hamham-yumyum-tumtum
@bertosudu9506 29 күн бұрын
👍👍👍👍👍👍👍👍👍👍👍👍
@meanjellybean8963 Ай бұрын
Second
@stylo__boy Ай бұрын
First 🥇
@proveryourpoint_8554 Ай бұрын
for some reason I hate when you say "tac" instead of "dash"
@Quick.history27 Ай бұрын
Really?!? I love it!
@abdullahgunduz2656 Ай бұрын
Brother, why are there no Turkish subtitles? Do you have a problem with Turks?
@RadicalInteger Ай бұрын
there's also no Persian, probably unintended
@hawks5196 Ай бұрын
Ask KZfaq, they are auto generated
@MI7DJT Ай бұрын
Why race-baiting? That's VERY low IQ.
@paradoxlord Ай бұрын
very good