Linux Hackers Become Root with CURL & Sudo

Views: 61,558

John Hammond

1 month ago

jh.live/pwyc || Jump into Pay What You Can training at whatever cost makes sense for you! jh.live/pwyc
Play my "Book Store" challenge on HackingHub: app.hackinghub.io/book-store
Learn Cybersecurity - Name Your Price Training with John Hammond: nameyourpricetraining.com
WATCH MORE:
Dark Web & Cybercrime Investigations: • Tracking Cybercrime on...
Malware & Hacker Tradecraft: • Malware Analysis & Thr...
📧JOIN MY NEWSLETTER ➡ jh.live/email
🙏SUPPORT THE CHANNEL ➡ jh.live/patreon
🤝 SPONSOR THE CHANNEL ➡ jh.live/sponsor
🌎FOLLOW ME EVERYWHERE ➡ jh.live/twitter ↔ jh.live/linkedin ↔ jh.live/discord ↔ jh.live/instagram ↔ jh.live/tiktok
💥 SEND ME MALWARE ➡ jh.live/malware
🔥KZbin ALGORITHM ➡ Like, Comment, & Subscribe!

Comments: 73
@TheMAZZTer, 29 days ago
Your first python3 web server is running as "user", which is why "user" needs access to /home/fry/.bash_history to successfully serve the file. There's no security exploit here. Hence why you needed to adjust the file permissions. I would expect users wouldn't run that server since it doesn't give them anything they don't already have. Edit: The second python3 server running as fry is better, since you smuggle a file fry has access to into /root/ using curl as root. But ultimately you could have done the same by using curl as a fancy cp.
@Tib3rius, 29 days ago
Appreciate the shout out, John! This was a really interesting privesc. :D
@ytg6663, 25 days ago
How interesting. He could just directly do ls -l, cat /etc/passwd. In a real enterprise environment these tricks won't work.
@davel202, 25 days ago
Oh hey! I think I remember seeing you do an interview with Spycast or someone in the vet community. I recognized the avatar.
@ytg6663, 25 days ago
@davel202 lol
@Tib3rius, 25 days ago
@davel202 Sorry, haven't done an interview with Spycast or the vet community.
@almog4373, 29 days ago
You could also rewrite the /etc/shadow file, edit the uid of a user you have in /etc/passwd…
@aerozine2389, 29 days ago
I just removed the hash of root, then overwrote shadow; then just ran su :)
@AlejanroDelHierro, 28 days ago
@aerozine2389 Mostly, only root is approved to write, or even read, a file.
@aalbatrossguy, 29 days ago
Man, I love your videos :) Keep up the good work :)
@rogerioabreu3081, 29 days ago
Great work, John!
@Adkali, 27 days ago
Nice! Thanks for sharing, John!
@DHIRAL2908, 29 days ago
6:00 Doesn't the python server read the file and serve it? How can curl having the sudo perms make python able to serve a forbidden file?🤔
@DHIRAL2908, 29 days ago
6:35 Ah, should have watched ahead😂
@RandomGeometryDashStuff, 29 days ago
So he overcomplicated reading .bash_history 😅
@ToyeTuning, 29 days ago
Always great videos. Thanks, John! Edit: I often make the same mistake when doing links 😂.
@liveting4579, 29 days ago
Hey John, is there any way to reach out to you about setting up vulnerable servers?
@algorithmblessedboy4831, 29 days ago
3:10 lmao I am watching at 23 pm and I got flashbanged
@gabrielex, 27 days ago
That was neat; the only downside is that this way, if the authorized_keys file does exist, you'll be overwriting it, so the original user wouldn't be able to access anymore using their key. Also, root ssh access could have been disabled for safety reasons.
@carl313313, 28 days ago
If you fixed up the perms, then this wouldn't work, because the HTTP server would need to run as fry or root to read any of fry's files. Could've just "cat /home/fry/.bash_history" at this point instead to save time.
@ChillstreamCentral, 28 days ago
Wait a min. I didn't get that: when we access that file via curl it's requesting the python server for that file, and python doesn't have perms to read that file, so how the hell did curl's suid perms allow that?
@user-mk3zz8zn9b, 6 days ago
It's not requesting the python server; curl can do that on its own, since it had root perms. We don't need the python server at all after the fry shell.
@Trilipop, 29 days ago
Great stuff! Really clever.
@luis-rv8jj, 28 days ago
How to access one system to another system?
@NANa-nz2pz, 29 days ago
John, what do you think of TCM Security training?
@xCheddarB0b42x, 29 days ago
They're solid.
@definitelyno, 25 days ago
The first curl example does not make any sense. The web server that reads the symlink will do it as the same user that is running curl and the web server. Curl simply does nothing in that case; it's just that the permissions were set incorrectly.
@mihaiciocan59, 26 days ago
Hi. Just a quick question. If you had access to write, is there a possibility to overwrite the /etc/shadow file with a new hashed password that you actually know for the root account?
@_JohnHammond, 26 days ago
Yes! That is an even better technique, so it all stays local and you don't have to rely on SSH. If you remove the hash entirely, you can su to root without even needing a password 😎
@mihaiciocan59, 26 days ago
@_JohnHammond Exactly, thanks for the answer 😉
@an3ssh, 29 days ago
Please put the NahamCon CTF hosted somewhere.....
@nickg.7275, 29 days ago
Nice idea. Thx.
@hacker4fun, 23 days ago
John never disappoints!!
@RuggMatt, 29 days ago
Someone once told me the order of the params for ln is the same as mv and cp, and I have never forgotten it since. mv cp ln -s
@paultapping9510, 29 days ago
ln -s will overwrite the old file with a blank new one. I discovered this trying to move my .bashrc into .config and symlink it into ~. That was a fun hour 😂
@xCheddarB0b42x, 29 days ago
Great stuff. I now have more CTF problems than I have time. LMAO 😅
@JustenCase, 25 days ago
You can just become root with only needing sudo..... sudo passwd -d root && su and now you're root. Way faster..
@thespecialchannel, 27 days ago
If he's already running commands using fry and using sudo, then where the heck is the privilege escalation?
@sluuny, 28 days ago
Love your videos!! Thx!! Is this Kali on bare metal or in a VM?
@user-mk3zz8zn9b, 6 days ago
vm
@sluuny, 6 days ago
@user-mk3zz8zn9b thx bro
@wrathofainz, 29 days ago
Glad I'm not the only one who consistently fucks up the ln command. I do the same with mklink on Windows -_- oh the pain
@beardlyinteresting, 28 days ago
Commands I've used a million times but always need to look up: ln, tar, find
@petermoras6893, 29 days ago
Privilege escalation, in MY sudo? It's more likely than you think.
@AUBCodeII, 25 days ago
Hey, John, let's get OSEE.
@gregorh5658, 29 days ago
Awesome!!
@amnahidhasan, 29 days ago
You are amazing
@ramprasadmuppana5002, 29 days ago
I want to learn exploit development, any suggestions, mates?
@Jarling-so4oi, 25 days ago
Buffer overflows, Azeria Labs and LiveOverflow's Bin series
@ramprasadmuppana5002, 24 days ago
@Jarling-so4oi mate, any prerequisites?
@ahmedazizabbassi, 29 days ago
Thanks a lot for this valuable and enjoyable content 🥰
@lltheblankll3024, 29 days ago
Nice!
@false_positive, 28 days ago
Conclusion: no ssh, no problem :D
@yajusgakhar6969, 28 days ago
Not me doing a symbolic link CTF just before watching this video 😂
@nightwalker83, 28 days ago
I can't see the subscribe button 😂
@rigsshiver823, 29 days ago
6:13 pepePains the password
@tametov, 28 days ago
Cool 😊
@temolantern9091, 29 days ago
mmm hamham-yumyum-tumtum
@Apple_Beshy, 24 days ago
❤❤❤
@bertosudu9506, 22 days ago
👍👍👍👍👍👍👍👍👍👍👍👍
@proveryourpoint_8554, 29 days ago
For some reason I hate when you say "tac" instead of "dash"
@Quick.history27, 28 days ago
Really?!? I love it!
@stylo__boy, 29 days ago
First 🥇
@meanjellybean8963, 29 days ago
Second
@abdullahgunduz2656, 29 days ago
Brother, why are there no Turkish subtitles? Do you have a problem with Turks?
@RadicalInteger, 29 days ago
There's also no Persian, probably unintended
@hawks5196, 29 days ago
Ask KZbin, they are auto generated
@MI7DJT, 29 days ago
Why race-baiting? That's VERY low IQ.
@paradoxlord, 28 days ago
Very good