All right. Three to go. Walkthrough number eight is going to be a machine called Bashed. This is actually a really fun machine. So we are going to start with the IP address of 10.10.10.68, and you can go ahead and start your Nmap scan now. You might even want to try this box on your own first and see if you can do it. If you've been following along and you've got the VIP, check and see if you can do this box. If you're just taking notes, well then come on, let's get started. Do your scan, go ahead and pause, and meet me back once you've got your scan ready. See you over there.

All right. Let's take a look at our Nmap scan. And let me preface this: if you guys hear any purring or meowing any time I talk lately, my kitten decides that she's got to be in my lap. So she's with me on this journey and she's going to be learning as well with you guys. So here on our Nmap scan we've got one port open, and getting these three videos in a row, so very, very nice. Again, same deal. We know that our attack surface is going to be through port 80, and we see that we have version information here. So we've got Apache 2.4.18.
Now we could quickly just search for that. We could say, hey, searchsploit, do you have anything for Apache 2.4? Remember, we don't want to go too specific, and see if they've got anything here. They've got this apache2ctl; that's maybe a possibility that we could see right away. 2.4.17 had a denial of service. That won't help us actually root the box though, and it looks like the only one is this apache2ctl, and that's actually a local exploit. So remember, again, we're after remote code execution; we don't want local exploits, but they may help with privesc if we're after something like that. But in terms of actually getting execution on the box, it doesn't look like there's anything, at least on searchsploit, that's readily available here. So as usual we'll go out to the web and just check out this website here, and we'll say 10.10.10.68, navigate there. OK, so we've got this development website here. And we see an excellent development site, and we can navigate around here, click, and see all these go to the pound signs. We won't be doing anything there. This is an index, and this goes to single.html. OK. And you can see that phpbash helps with pen testing and was tested on multiple different servers, and it's got Arrexel's phpbash.
You can also see there's an uploads folder right here. So possibly it's sitting in the uploads folder, but it looks like this is talking about a dev tool that he's written, just a little bit of information gathering there. There's not a lot here. So it looks like, from a hunch, that we can probably just say uploads and see if there's anything there. OK. And there is an uploads, but not sure exactly what's there. So a folder definitely is there. I don't know if there's an actual way to upload yet. So a good way, again, to do something along these lines is we probably need to do some directory busting, and we can go ahead and just use DirBuster. And this should all be pretty common, right? This is kind of a refresher up until this point. So what we're going to be looking at is HTTP, and we're going to be doing 10.10.10.68 on port 80; we'll choose go faster. And then of course we browse, and we're going to go to the base folder here and go into usr/share, start typing wordlists, and then dirbuster here. Again, this should be a refresher. We'll pick the medium wordlist, and now on this one, this is an Apache site, so our file extension of php is OK. And I think that's all right.
I don't think we need anything else. We'll look for directories and then we'll also look for file extensions. If we don't find anything and we're certain that, you know, there might be more hidden behind the scenes, we can start looking for text files, zip files, et cetera. Let's go ahead and just start that scan. You can see right away it's already finding images, uploads, php, finding a bunch of stuff as well; let that run for a second. Another thing that we can look at is that we can view the source code and see if there's anything in the source code. Here again we're looking for anything that might be a hard-coded credential, or even, you know, even a CTF author that says, hey, look at this directory, you dummy. So you see all kinds of things in the source code. So nothing there. Let's look at this again and let's see the source code here. Let's see. There is nothing as well. So I will admit that I actually have not done this box. I understand how to do it. I've done it one time through, but prior to this, this wasn't a box that I've actually rooted; I just picked it because it looked like it could be interesting. So let's go ahead and take a look at our DirBuster and see what's popped up here. We can click on the list view or the results tree.
There's those trees. Nice, it just gives us some things to look at here, so we can dive in, we can click on some of this. So you can see there is an uploads, there's php/sendMail. There is a dev folder as well, and there's some JavaScript. OK. They're running jQuery main. So this phpbash looks interesting, because if you look here, this phpbash is what he's calling his program that he said he's written, and it looks like it is a terminal on a website. Right? So we call these web shells. So when I see the phpbash and it's in the dev folder, maybe that's something that could be of interest to us. So let's go ahead and just navigate over to dev really quick and see what that might look like. OK. And let's click on one of these. So it looks like it puts us in the /var/www/html/dev folder, so we can say ls and send that command. OK, so let's see if we can cd to a different folder. OK. We did ls there. Let's look at the home folder. OK. And who's this? Are we Arrexel or www-data?
So let's see if we can even look at Arrexel's information. We can, we can actually cat out the user.txt, I'm betting, and we can. So we can grab the flag right away. And for all intents and purposes we have a shell at the moment. This is pretty straightforward. We can see what kind of information we have. I'm guessing that we're not going to be able to actually do anything in the shell. And you could see, OK, well, sudo -l: we can change into a user called scriptmanager with no password. That's interesting. I also like to look at the history. And you've even seen me do this before. OK. There's no history command here. You've seen me do this before, where I like to look at sudo -l and history. Well, history is not showing us anything, but sudo -l is showing us that we have some access to another user, meaning that we don't have to supply a password, right? We can run the following commands with no password. And that is just switch to user scriptmanager. So we saw that the user scriptmanager is in here already, so we can take that avenue and see where that leads. Because I'm guessing if we go back we can't access the scriptmanager folder. Maybe we can. And we can.
We'll see what's in here. Nothing in here, but let's go ahead and sudo su to scriptmanager and see what happens. No tty present. Oh man. OK. So we're not going to be able to get any farther with the shell that we have here. So we're in a web shell and we don't actually have a tty, which we'll talk about here in a second. We need to actually get a shell through our terminal and then we'll improve into a tty. I'm guessing that we're not going to be able to get into a tty from the shell that we're in here. So let's go ahead and take a look at how we're going to do that. So let's think this through here. We have a user www-data. Now, in the past we have seen that if we can upload something malicious (think the Apache Tomcat situation, where we uploaded something malicious to the web server), we had access to the web server; we were able to exploit that. OK. So in the situation of Apache Tomcat we uploaded an Apache, or Apache WAR file, or, I should say, we uploaded a Tomcat WAR file. In this situation we're looking at an Apache shell. Now, since we have access to this www-data, that means we have access to write to the /var/www folder. So let's go back to that, and we go to cd and we go to /var/www/html.
This is the directory of the web page. If we ls here you can see all the page information that we were seeing before: we've got about.html, now we've got the dev folder, CSS, JavaScript, PHP, we've got this uploads folder here as well. Let's go ahead and cd into the uploads; we'll just take a look, we'll do ls in uploads. There's an index.html; we can copy this in. Go and see if there's anything on the index.html. Sorry, uploads/index.html, see if it actually gets us anything, and it's just a blank page, and that's OK. So what we can do is we can upload something to this uploads folder. Now let's think about this and how we could do it. How are we going to get a file from our machine to this machine if we don't have the upload function? Well, we do already have a shell, so we can use something like wget maybe to upload a malicious shell. OK, so spin the wheel, start thinking about it. What kind of shell are we looking for? And you've seen this before in the past as well, on a Windows machine where we did the ASPX; we generated one, and we could potentially generate one with msfvenom, but we can also go out to Google and there's actually a nice PHP reverse shell out there. Let's see which one it is. I think it's this pentestmonkey. Yeah. This one, so.
PHP reverse shell, right. Pentestmonkey. Yeah. You see that there is a shell it gives us, and we just change this here. So all we do is change the IP and the port we want it to call to, and then we run a netcat listener. Listen for the reverse shell, then interact, and we should get it back. So let's take a look at this. Let's open here. And open this, and I'm just going to go ahead and change this. Drag this out to the desktop, if I can; see if I can move this. OK, so I'll change it out to the desktop. It's not going to let me drag it. OK. That's fine. So I'll copy all this and then I'll save it to the desktop. So we will do a new tab here. I'm going to change over to Desktop; that's Downloads. You can see where my autocomplete and my mind are going. So we'll gedit, and we'll just call this, we'll call it rad.php. OK. Paste this in here, and then they already told us what we need to do. Look, it says change this. It's got a comment next to it. Change this. OK, so let's look at our IP address; our IP address is 14.21, 10.10.14.21. Let's go ahead and enter that in. Port 1234, it says change it.
We could just leave it; it's fine. Let's save that. OK. Now, if we're going to do wget, what do we need to do? We need to host this file so we can get it from the other machine, right? So let's go ahead and do that. Let's use our python -m SimpleHTTPServer on port 80. This should all be very familiar in terms of the process and what we're doing. So come back here and let's just say, OK, wget, and let's just grab that file. So we'll grab http:// and we'll do 10.10.14.21/rad.php, see if that executes. Says saved, so ls here, and rad.php is there, meaning we should be able to navigate to rad.php under uploads and execute that. Before we do that, let's go ahead and kill this server here and let's set up a netcat listener with a switch of -nvlp, and then remember we set 1234. So we're going to listen on 1234. Now, with a reverse shell, right, we listen, the victim connects. So here, hopefully this should work. We're going to go uploads, because that's the folder we put it in, and then we call it rad.php. Fingers crossed. Some interaction. Hey, it works. OK. We are still this www-data user.
Now we can't access the tty. If you don't know, a tty is what prints out stuff to the terminal, right? It's hard to explain. It stands for teletype. We are not in a teletype shell. So we have to improve this, and one way that we can do this, and I could show you, because if we try to do sudo -l again, let's see if we can escape this. We could say sudo su scriptmanager and see if that works. No tty present, same issue. OK, so let's come up to here and go to Google, and this is something that you should familiarize yourself with, because you will run into this situation even in some real-world situations. Trying to talk too fast. Let's do tty escape and just enter that in, and this netsec.ws here is TTY shell. This is a good one, so we can use a combination of one of these. What I normally do in this situation is I'll just go down the list and copy and paste and see if I can't improve on this shell. So we'll copy and paste this first one here. And it's /bin/sh, but we're actually after /bin/bash. So let's try to get a bash shell if we can, and then, if it doesn't work, we'll try
/bin/sh. And a friendly note: this may actually kill your shell if you fail, so just be ready to have to improve upon that or redo the shell if it fails. But look, now we improved it, so that actually worked. OK. So we're looking at this, and see how we just had the dollar sign here because we were not in a tty; now we're in a tty. This looks familiar to us. This is what any other Linux looks like, right? Root, actually, here you can see www-data@bashed. OK. So you've got that user. And now we can try the sudo su and go into scriptmanager; we should be able to do it without any password. And I'm failing you. OK. So I should be able to, instead... instead of switching user, let's try something else. If we can't do it without a password, we can run commands as the password... so without a password, I should say, as opposed to switching the user. That's OK. What if we can do sudo and then -u, and then we just do scriptmanager instead, and if we want to run a command as a user, what if we run the command /bin/bash? Well, there you go. We just switched into /bin/bash as scriptmanager.
So we have a tty as the user anyway. OK, so that's a little trick if you're in this situation. Sometimes you will see something along the lines of you may run commands on bash as a user, or you can run or change user into the user without a password at all. So it's always good to try, especially if you have sudo privileges as root, which I've seen before. You can literally just use sudo su - like this and get into root without having to supply any password at all. So it looks like here we actually do have to supply a password. No big deal. We can just work around that by supplying the user with a /bin/bash and calling that out here. OK, so now we say whoami. We are scriptmanager. Good. OK, so we are in what directory? We're in the base directory here, forward slash, right? So let's play this one first. OK. And if we come through and just look at this also, we should, before we look at all this, let's sudo -l and see what we can do. We can't do anything. So that's going to be a fail for us. No big deal. The other thing we should look at is history; got no history either, so that's OK. No history, no sudo privileges. Let's go back to this scan here, or this ls -la,
just to look at our base folder and see where we have access. So if we look at the ownership of who owns what folders, you can see there's actually a scripts folder here. Now, if you are familiar with Linux at all, there's not typically a scripts folder, so you have common folders like bin, boot, etc. Right? Scripts is not one of them. So the more experience you have with knowing folder structure and looking for certain things, like a lot of times you'll see backup folders or something in the base folder, the forward slash here, you'll see backup folders or weird folders here, and you just kind of want to dig into them. Well, this is one of those weird folders because it stands out in a couple of ways: one, we know scripts doesn't exist, and two, everything's owned by root except scriptmanager here; this is not owned by root. So if we go ahead and just cd into scripts, OK, and we ls -la this. OK. We have a scriptmanager test.py and we've got a test.txt. Let's cat out the test.py, because we own that. OK. So we are running test.py, and when we do that we set a variable, we open test.txt, so we're going to write to it. We're going to write "testing 123" and then we're going to close it. OK, so what can we do? Let's see.
Well, here we can, my guess as to what's going on. 13:33. Look what time it is. 13:33. So my guess is that this is taking a script, it's running a cron job somewhere, or a scheduled task. Same thing, right? It's running a scheduled task and it's saying, hey, every so many minutes, go ahead and write this file out to test.txt. And look what it's saving and storing as: it's saving and storing as root. All right. So what can we do here? Well, let's take a look. Let's play again. See it. Has it updated? Yeah, it's updated again. So it's running pretty much every one minute. Now we can overwrite this file and set up a listener. So what if we overwrite this Python file with a Python command that will tell this output, or however we do it, however we want to make it, this Python file, to execute as root, and then talk back to us. So think about what I'm trying to say here. I'm saying, what if we make this Python command into a reverse shell somehow?
How do we do that? Well, let's go to our Google machines and we'll just type in Python reverse shell, and let's take a look at the reverse shell cheat sheet. This is a great cheat sheet. I think we've been here before as a class; if this is our first time, I'm sorry, but I feel like we've seen this at least once before. But this is the cheat sheet of all the possible one-liners. Now this I use all the time, most commonly bash here, but in other terms we can do, I mean, we could do anything, like if we can execute Perl on a machine, or Python on a machine, PHP, etc. Netcat. So a lot of examples here. What we're going to do is we're going to use this one-liner. We're not going to execute python -c; that's just a command. We're going to go ahead and copy what's inside of it, and let's open up a notepad first so you can see what it's calling out. It's /bin/sh. We can make it /bin/bash as well, and we can just say -i, which is interactive mode. So all we're saying is, hey, we want interactive mode, which is just what you're seeing here with a tty. So what we need to supply is a host, a listening host, and a port.
We've already used 1234 for this shell, so we can make this something like 2345, and then we just need to supply our IP address. So 10.10.14.21 for me. And some of this should look familiar if you're familiar with Python: AF_INET is your IPv4 address, SOCK_STREAM is just your port. So it's just calling socket.socket, setting it to a variable s here, and it's doing a connect to this, and then it's calling out to actually run /bin/bash in interactive mode. So I'm going to go ahead and actually just copy this, and let's see if we can paste it in nano; if we can't paste it in nano, that's fine. Let's see if nano exists. But before we do that, let's also call out that we're going to be listening, just because this is on a timer, so we'll do 2345. Listen here, and let's go ahead and just nano test.py. See if that's on the machine. OK. There is no nano for this. What we can do then is we can close this, and over here we'll host it up one more time. We'll just say gedit test.py, paste this guy in, and save that, close, and then we're going to say python SimpleHTTPServer for 80. Come back and let's just do a wget again.
374 00:25:04,180 --> 00:25:14,810 So we'll replace the file that's in here, and we'll say 10.10.14.21/test.py. OK, saved 375 00:25:14,810 --> 00:25:24,550 it. Oh, it's not going to overwrite. Let's remove test.py, and then we'll wget that again. 376 00:25:30,900 --> 00:25:36,330 OK, ls, and let's also remove our old test file while we're at it. 377 00:25:39,230 --> 00:25:39,630 OK. 378 00:25:39,850 --> 00:25:48,890 So in theory, whenever this runs again, this should create a shell here that should talk back to us, and 379 00:25:48,890 --> 00:25:50,070 let's cover, while we wait, 380 00:25:50,090 --> 00:25:51,900 everything that we've seen so far. 381 00:25:52,040 --> 00:25:59,330 So we started with our nmap scan. Our nmap scan revealed port 80, and this lesson for you guys may have 382 00:25:59,330 --> 00:26:03,940 been a little bit faster, but that's only because I expect more out of you. 383 00:26:03,950 --> 00:26:06,790 Now we are in episode eight, right? 384 00:26:06,830 --> 00:26:09,250 So, and there's our shell, we're in episode eight. 385 00:26:09,830 --> 00:26:14,780 And you've kind of been hand-held, and I'm still going to hold your hand all the way through this series, 386 00:26:15,290 --> 00:26:21,950 but I expect more. I expect some of these things for you to have practiced and for you to, you know, be 387 00:26:21,950 --> 00:26:22,520 familiar with. 388 00:26:22,550 --> 00:26:24,530 So we saw port 80 is open. 389 00:26:24,530 --> 00:26:26,090 We know a few things on that. 390 00:26:26,090 --> 00:26:26,300 Right? 391 00:26:26,300 --> 00:26:28,730 We could check the service version information. 392 00:26:28,730 --> 00:26:32,330 We can go check out the website, look at the source code. 393 00:26:32,390 --> 00:26:38,810 We can also run something like Nikto if we wanted to for vulnerability scanning. We can run dirbuster 394 00:26:38,810 --> 00:26:43,130 like we did and find information, and just kind of think it through.
395 00:26:43,520 --> 00:26:48,650 From that point, we already found a shell. We were able to get a user.txt if we really wanted to. 396 00:26:49,370 --> 00:26:51,590 But, you know, we just have to think outside the box. 397 00:26:51,620 --> 00:26:51,920 OK. 398 00:26:51,950 --> 00:26:56,290 Well, we have access to this folder. We are www-data. 399 00:26:56,300 --> 00:27:01,270 We've seen reverse shells on web servers before. We've seen it with Tomcat. 400 00:27:01,280 --> 00:27:04,480 We've seen it with ASP, I guess. 401 00:27:04,610 --> 00:27:11,330 So what is any different than what we've done before, except we're just using PHP? So a little bit of thinking 402 00:27:11,330 --> 00:27:18,650 outside the box, a little bit of googling, and it tells you, hey, you know, just... I'm going to go ahead and 403 00:27:18,650 --> 00:27:25,850 use a PHP reverse shell. Find one on the web that you like, generate one if you want, and use that, 404 00:27:25,890 --> 00:27:28,120 but you should be able to do it on your own now. 405 00:27:28,130 --> 00:27:29,230 And then once you're in there, 406 00:27:29,570 --> 00:27:29,810 OK, 407 00:27:29,840 --> 00:27:32,370 we don't have the best experience with privesc. 408 00:27:32,390 --> 00:27:34,560 You know, and there's a lot of things that we could do with privesc. 409 00:27:34,560 --> 00:27:40,280 We're just very, very lightly touching the surface still when it comes to privesc, especially on the Linux 410 00:27:40,280 --> 00:27:41,170 side. 411 00:27:41,300 --> 00:27:44,190 But what you saw here was, OK, sudo -l. 412 00:27:44,210 --> 00:27:46,850 We saw that that worked just fine. 413 00:27:46,850 --> 00:27:50,450 And it showed us, hey, you can run commands as this user. 414 00:27:51,180 --> 00:27:51,400 OK. 415 00:27:51,430 --> 00:27:55,010 So we were able to run the command. We ran into a little issue with the TTY escape. 416 00:27:55,010 --> 00:27:56,140 You've never seen that before.
417 00:27:56,150 --> 00:27:59,030 But TTY escapes are pretty straightforward for the most part. 418 00:27:59,660 --> 00:28:02,270 Sometimes you get stuck in what's called TTY hell. 419 00:28:02,900 --> 00:28:07,490 But in this instance it was very, very straightforward. First, when we copied and pasted, it actually worked. 420 00:28:08,300 --> 00:28:10,860 So that's a very good thing there. 421 00:28:10,910 --> 00:28:17,300 And then once we did that, we were able to switch our shell into our new user. From that user, 422 00:28:17,300 --> 00:28:20,750 we were able to look around. We checked sudo again, couldn't use it. 423 00:28:20,750 --> 00:28:22,730 We checked history, nothing there. 424 00:28:22,910 --> 00:28:27,800 And we just did a quick ls -la to see properties and ownership permissions, and those ownership permissions 425 00:28:27,800 --> 00:28:31,760 showed us a folder that typically isn't on a Linux machine. 426 00:28:31,880 --> 00:28:35,610 And it showed that we are the owner of that folder, and you dig into that folder and you see, hey, there's 427 00:28:35,630 --> 00:28:36,800 a script running. 428 00:28:36,800 --> 00:28:42,140 You read the script, it's very basic Python, and it tells you what it was doing, and then you look at what 429 00:28:42,140 --> 00:28:46,190 file it's creating and you see that it's running as root and it's updating every minute. 430 00:28:46,310 --> 00:28:50,390 That just tells you in the background... you go look at the cron jobs and see if it's there, but that tells 431 00:28:50,390 --> 00:28:54,980 you in the background there's a cron job running, and that cron job is running every minute to update 432 00:28:54,980 --> 00:28:55,870 this, 433 00:28:55,880 --> 00:28:57,530 this shell, the script, right? 434 00:28:58,280 --> 00:28:59,980 So we update it. 435 00:28:59,990 --> 00:29:05,060 We use a one-liner, and that's something that's new, but we use a Python one-liner because it's written 436 00:29:05,060 --> 00:29:05,690 in Python.
437 00:29:05,690 --> 00:29:07,410 That's what it's expecting, right? 438 00:29:07,580 --> 00:29:12,800 And we get this nice reverse shell here. We are root here. We can say whoami, 439 00:29:12,800 --> 00:29:13,730 and you see that we're root. 440 00:29:13,760 --> 00:29:20,540 So we have owned this machine as well, and hopefully that's a nice lesson, and it's a little straightforward. 441 00:29:20,600 --> 00:29:25,100 Some of you have been saying that you really like the homework aspect of what we've been doing, so I'm 442 00:29:25,100 --> 00:29:31,340 going to go ahead and announce here at the very end that for the next homework, what I want you guys 443 00:29:31,340 --> 00:29:36,930 to do is I want you to look at the boxes Granny and Grandpa, OK? 444 00:29:36,950 --> 00:29:41,870 They're very, very similar boxes. If you root one, you root the other, guaranteed. 445 00:29:41,870 --> 00:29:47,300 And I think that I know, I know that with everything I've showed you thus far, 446 00:29:47,480 --> 00:29:49,480 you have all the tools to do it. 447 00:29:49,520 --> 00:29:52,880 It will be a very, very basic refresher for us. 448 00:29:52,880 --> 00:29:59,120 I even think that these boxes are easier than Optimum, because Optimum required a little bit more detailed 449 00:29:59,120 --> 00:30:00,170 thinking outside the box. 450 00:30:00,170 --> 00:30:03,790 So let's go ahead and just do those two boxes next. 451 00:30:03,860 --> 00:30:09,500 And since they're so similar and they were released around the same time, they are meant to couple with 452 00:30:09,500 --> 00:30:15,440 each other, so we'll do the videos together in one session, and we'll run both of them at the same 453 00:30:15,440 --> 00:30:15,770 time.