Bypassing Limited Privileges & Executing Shell Commands

Lecture Transcript - Bypassing Limited Privileges & Executing Shell Commands

So we've already seen in previous lectures how we can run Linux commands on the target server; all you have to do is just literally type the commands. For example, we can type pwd to see where we are. We can navigate back a directory, we can list what we have, and we can do anything we want on the target server.

Unfortunately, this isn't always the case. In many cases, you might gain access, upload your shell and have Weevely working, but every time you run a command, you won't see the result or you might get permission denied. And this will happen because the server is configured in a way to prevent you from running commands on that server.

So what we're going to do is we're going to use a function that comes with Weevely. So let's first type in help to see all the functions, or the commands, that we can use, and the function that we're going to use is called shell_sh. And as you can see in the description, it says it allows us to execute shell commands.

So using the function is very simple: all you have to do is type in shell_sh and then type the command that you want to run, so you can type in pwd again and you'll see the current working directory. Now, this will just use the default way that we've been using so far anyway. So if the default way doesn't really work, this will probably not work for you either.

What I want to show you here is what this function allows you to do: it actually allows us to run Linux commands using a number of methods. So it's very similar to the idea of the password when we were reading it. In this case, if you can't run commands on the target server, then it's probably because your user is configured in a way that's not allowed to run bash commands. So what this function allows us to do is run the command through a function, or through a Python function, or through a Perl function. So this way you're actually not running the command directly. You're running a function and then the function itself runs the command. Therefore, if you don't have permission to run commands directly, you'll be able to bypass this by running the command through a function.

So to see all the vectors, or all the methods that we can use to run the command, we're going to do shell_sh followed by minus. And as you can see, the first thing you see is the general way of using the command, so you type in shell_sh and then you type where you want the command to be displayed. This is the redirection, and we're not going to mess with that because we want it to be displayed on screen.

After that, you specify the vector. So this is what we're talking about: these are the methods that you can use to run the shell commands, and you can see that you can run it using system. So this is the default way of running the commands. You can also use passthru, the passthru function. So this is the one that we used to use when we were executing commands using, remember, the code execution vulnerabilities. Again, you have a number of functions. So if one of the functions is disabled, you can use the other one. You can also run commands using Python through the Python interpreter, and you can run functions using the Perl interpreter.

So to use this, we're going to use the same command, shell_sh, followed by -v, just like we see here in the template. So the first thing you type in is the command followed by the vector, and we're going to choose a vector to use. And for the first one, let's try perl_system. So we're going to use perl_system. So this is the actual function that will execute the command that we specified. And you can see here in the template, it's shell_sh, followed by the vector, followed by the command that we want to run, and this time we're going to try to run whoami. Hit enter.

As you can see, this doesn't work, so we're going to go back and we're going to change the vector, and let's try to use passthru, and we know passthru works because we used it before. So, again, we're using passthru as a vector and we're running the command whoami. Hit enter. And as you can see now, the command got executed on the server.

So, again, in our particular case here, this doesn't seem very useful because we can run commands normally; we can just type in whoami. Well, in a lot of real scenarios, you won't be able to run commands directly like this, and using this function with the vector could be very useful. So all you have to do is just use shell_sh and experiment with all the available vectors until one of them works for you.
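
Seen from the server owner's side, the lecture's point is that disabling one PHP execution function leaves the others usable. The following is an added example, not part of the lecture or of Weevely, that audits a php.ini for command-execution functions still left enabled; the function list beyond system and passthru and both sample php.ini texts are assumptions constructed for illustration.

```python
import re

# PHP functions that spawn a process. system and passthru are named in the
# lecture; the rest are assumptions taken from PHP's standard function set.
EXEC_FUNCTIONS = ("system", "passthru", "shell_exec", "exec",
                  "popen", "proc_open", "pcntl_exec")

# Constructed sample: only two functions disabled.
WEAK_INI = "[PHP]\n; constructed sample\ndisable_functions = system, exec\n"

# Constructed sample: every function in EXEC_FUNCTIONS disabled.
HARDENED_INI = ("[PHP]\ndisable_functions = system,passthru,shell_exec,exec,"
                "popen,proc_open,pcntl_exec ; all process spawners\n")


def disabled_functions(ini_text):
    """Return the set of names listed in the disable_functions directive."""
    disabled = set()
    for raw in ini_text.splitlines():
        line = raw.split(";", 1)[0].strip()   # ';' starts a php.ini comment
        m = re.match(r"disable_functions\s*=\s*(.*)$", line)
        if m:
            value = m.group(1).strip().strip('"')
            # If the directive appears more than once, keep the last value.
            # Names are compared exactly as written in the file.
            disabled = {f.strip() for f in value.split(",") if f.strip()}
    return disabled


def audit(ini_text):
    """Return the command-execution functions that are still callable."""
    disabled = disabled_functions(ini_text)
    return [f for f in EXEC_FUNCTIONS if f not in disabled]


if __name__ == "__main__":
    for name, text in (("weak", WEAK_INI), ("hardened", HARDENED_INI)):
        remaining = audit(text)
        status = "still enabled: " + ", ".join(remaining) if remaining else "none enabled"
        print(f"{name}: {status}")
```
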

