
Let's begin our quest into Linux privilege escalation with active scanning with nmap. You're also going to learn some advanced Bash scripting techniques along the way and some passive recon techniques with Wappalyzer and BuiltWith. I had loads of fun making this for you. So it back, enjoy and then follow along with your Hack The Box VIP account!
We're going to wrap up recon by using ffuf and gobuster to gather as much intelligence about the target server as possible. As always you're going to learn of ton of little details as you watch my process and "shoulder-surf" as I think through the most sensible way to attack the server. It's going to be awesome. I had so much fun recording this (and even more editing it). I think you're going to love it.
Yes! Yes! Yes! lolol, can you feel my excitement? Today you're going to learn two scripting techniques for scraping content from victim websites. We will use cut, awk, sed, vim and a bunch of other bash tricks to level up your Linux skills. We're also going to create a phishing pretext to phish our victims, capture and then decode their creds so we can reuse them in our campaign. You are going to learn a TON in this lecture. I can hardly wait for you to see what I have planned for you baby! Let's get to it.
Now it's time to put our loot to use. In this lecture we will use valid accounts to authenticate as the victim user. I'll show you two techniques: one via the Linux shell and the other via a GUI application. Next, we'll siphon through the target's email account, capture new creds and pivot by using those creds to gain access to another service... and we will make a surprising finding. :) Let's jump in and have some fun guys.
Now it's time to pop the box. In this lecture we are going to build a basic web shell from scratch. Then we are going to modify our tradecraft by making the shell clandestine. I'm going to show you an advanced trick for evading logs - in the process you will learn a good bit about dangerous PHP functions and how to use Burp Repeater to craft our malicious script. Let's do this guys!
Sometimes you gotta go sideways before you go up. In this lecture we'll zero in on the Discovery MITRE ATT&CK technique and think about the best approach to abusing the existing configuration to achieve our objectives. Let's go!
Normally when installing python packages you run pip and the package name, it installs the dependencies and everything is good. But what if you could build a python package that contains malware? What if you could gut the insides and replace it with something that would give you backdoor access into the victim server? That's what we're going to start working on in this lecture. I'm going to show you how to craft a python package that will let us escalate our privileges. It's going to be awesome!!
Now it's time to finish building our malpackage. You'll watch the step by step sequence and enter into my thought process for building the package that will allow us to elevate our security context (and you'll understand why this works as well). Let's do this baby!
Now it's time to go to the top! I'm going to show you how to use use legitimate Linux binaries to completely bypass the local security restrictions on the compromised server. We are going to use a benign binary in an unintended way to basically make the box attack itself. This is nuts I know... and you would be nuts not to check out this lecture! Yes! Let's jump in now!
Oh yeahhh! Let's go baby! We're going to dig into recon using both nmap and masscan (you're also going to learn how to build masscan from source when stuff doesn't work). You're also going to learn a bunch of uncommon tricks for identifying the target application version. Wappalyzer, Burp, Source Code... man it's all here - and I can hardly wait to show it to you! Let's get into this now.
Now it's time to let our curiosity roam free. We're going to dive in the DEEP end of the recon pool. We discover the target application is an open source project with a public repo on Github so I'll show you expert tricks for searching through the source code to gather even more interesting data. You're also going to learn some 133t bash tricks for extracting all the links from the target web app. And I have so so much more (can't fit it in this description). Let's just jump in shall we??
Now it's time to dig into our dirsearch results. I like dirsearch over gobuster and dirb for forced browsing (you'll see why). Then I'll walk you through some advanced tricks for reverse engineering the source code through Github. We're going to jump through the issues and pull requests and find a PoC we can build to bypass a defensive control. And then I'm going to break down EXACTLY how the exploit works... It's going to be AWESOME! Stop reading this right now and press play. lol.
Ahhh RCE... like a breath of fresh air without your Covid mask on! This is going to be bananas guys. I'm going to show you how to build a PHP Reverse Shell. But that's not all. I'm going to show you how to make the shell look like an image by manipulating the Magic Bytes... and we're going to do the entire thing from the command line. No external tools needed. Let's do this!
Reverse Engineering Patches!? Yup!! Today you're going to learn why our attack worked and why the patch works as well. We're going to dive into how we effectively bypassed web application controls to send our shell. I actually think this is my favorite (and your most useful) lecture. I had a blast recording and editing this one for you and I hope you can see why!
It's time to go sideways with horizontal escalation! We're not going to use any prebuilt scripts such as LinPEAS or anything like that because I want you to enter into my thought process for exploiting local privesc misconfiguration's on Linux hosts. I really think you're going to like what I have in store for you today! Let's do this baby!
Now it's time to aim for the clouds with root. You're going to learn how to exploit a dangerous vertical privesc vector that will allow you to completely take over the server... and then you're going to learn the details of Integer Overflows which made this attack possible. Yeah, I said "Integer" Overflow not Buffer. We're going deep baby! Let's dig in!
Yes baby, let's pop em' like Pringles. Every penetration test or red team engagement needs to begin with good recon. So in this lecture you'll learn how to master nmap, masscan, Burp Proxy, Wappalyzer and OSINT to get a solid overview of our target. Let's go!
Awww yeah! Let's jump right into the juicy stuff: SQL Injection and Server Side Template Injection (SSTI). I promise you will learn a ton from this piece... You're going to learn the manual process for finding and exploiting the vulnerabilities... it's going to be a lot of fun. I mean seriously, what's more fun than SQLi and SSTI??? Hahha, let's go guys!
This is going to be awesome. In this lecture you're going to learn how to pivot from a harmless PoC to a weaponized exploit. I'm going to show you how to find an existing exploit and then how to tailor it to your specific test case so it works against your specific target. I had a freggin blast making this lecture so I really want you to be part of it. Let's jump in RIGHT NOW.
All these attacks are broken down into byte-sized nuggets so it's easy to digest. I hope you like it like that... anyway - in this lecture you're going to get your hands dirty using... pwncat. It's like netcat but on steroids and it's BEAUTIFUL. I can't wait to show you what I have in store for you here. We're also going to kick off LinPEAS and a few other things... it's gonna be a fun day. Let's jump in shall we?
Now that we've popped the box it's time to move laterally and expand influence. In this lecture I'm going to walk you through my thought process on achieving this goal.
Goalposts are in view! Now it's time to completely compromise the server by elevating our privileges to ROOT! We're going to modify a local launch daemon to pull this off... this one is slick though because we're going to use the local security agent running on the host against itself to elevate our rights... it's nuts man. Let me me show you what I'm talking about!
New Spring\Summer 2021 Launch!
This is a 100% hands on course as you will be using the same tradecraft and techniques Red Teamer's and advanced adversaries use to escalate privileges on Linux servers after they have gained initial access and established a foothold. This course is not "death by PowerPoint", in fact there is not a single Powerpoint slide in the course. This course is aimed for intermediate to advanced users who are hungry to know how to discover and exploit novel escalation paths on popular Linux servers (including some that are patched). Everything is carefully, explained - step-by-step and mapped to MITRE ATT&CK
Additionally, although Metasploit is used in some attacks, we will be using less Metasploit and more manual walk-throughs because I wanted to take the time to carefully explain WHY each method works and detail how common misconfigurations happen in enterprise environments.
Where Metasploit is used, everything is carefully explained and deconstructed so you can understand why and how it works. Exploits start easy and escalate in difficulty as you progress through the course.
The Techniques
You will quickly learn and execute the following escalation of privilege techniques across 5 vulnerable machines. New videos are being released weekly.
Malicious Python Package
CVE
Modify Launch Daemon (NEW! Just added 02/12/2021 6 New Lectures!)
The Tools
You will use ffuf, gobuster, dirsearch, nmap, Bash Scripting, Python Scripting, netcat, pwncat, Burp Suite (advanced features) and more. You will learn how to threat hunt for SQLi attacks and how to exploit Server Side Template Injection (SSTI) attacks and much much more.
My dream for you
By the end of this course you should be able to use these techniques in:
Your day to day work
OSCP preparation
CTF hacking
About the lab
There are 5 vulnerable machines.
No lab setup is required as the entire environment is already established in HackTheBox VIP labs
I wanted to make this course as realistic as possible while removing as many barriers to entry as possible so I've partnered with HackTheBox VIP labs to make it as easy as possible to get started.
Yes, HackTheBox is an additional charge but it offers hundreds of pre-configured vulnerable machines in a lab which is accessible via a VPN connection. This means you can get started right away and don't have to waste time fumbling with VirtualBox and VMWare settings on your local system. Most of the systems are also licensed which provides the best environment for realistic exploitation.
Tip:
I made these videos so all commands are zoomed in close so you can watch on a mobile phone if desired. I hate watching videos on my smartphone and squinting at the command prompt or terminal. Never again will that happen.