Have you ever wanted to be a fly on the wall, watching a penetration tester attack a new machine — working their way through the layers of security, ultimately leveraging what they learned into a login? What tools are used, what do they reveal, and how is the information applied? Well, good news, because [Phani] has documented step by step every action taken to eventually obtain root access on a machine — amusingly named DevOops — which was set up specifically for testing.
[Phani] explains every command used (even the dead-end ones that reveal nothing useful in this particular case) and discusses the results in a way that is clear and concise. He starts from a basic port scan, eventually ending up with root privileges. On display is an overall process of obtaining general information. From there, [Phani] methodically moves towards more and more specific elements. It’s a fantastic demonstration of privilege escalation in action, and an easy read as well.
For some, this will give a bit of added insight into what goes on behind the scenes in some of the stuff covered by our regular feature, This Week in Security.
9 thoughts on “How A Pentester Gets Root”
Follow ippsec on YouTube for this sort of content.
That was a fascinating read. Really enjoyed that.
Nice article! Thanks!
Rooting through the git commit history reminds me of one of my favourite tricks – once I’m in I make a copy of .bash_history, there’s always some interesting stuff in there.
My root password is there from times when I automatically typed
sduo cmd (enter)
And I am in good company.
Hmm, fascinating indeed, thanks for posting and thanks also for comments to other sources :-)
I might be a little confused on this, but what it basically boils down to is using RSA keys for authentication?
Yes, without passphrases.
How A Modern Government Pentester Gets Root: Charge the user with Insurrection even if it is not true. Threaten him/her with a life-worse-than-death in prison if he/she doesn’t provide the login credentials. Enter the newly obtained username and password. Kill the so-called Insurrectionist anyway by hanging in his/her cell with no witnesses. Elapsed time: 13 minutes. Satisfaction: 100%