1
00:00:00,750 --> 00:00:06,780
Welcome back to our continuation of the walkthrough for the CTF EVM version one.

2
00:00:07,260 --> 00:00:14,280
Now, in this second video, we're going to be going through the exploitation and the privilege escalation

3
00:00:14,670 --> 00:00:16,440
for this target.

4
00:00:17,200 --> 00:00:20,320
And so without any further ado, let's go ahead and get started.

5
00:00:22,020 --> 00:00:23,910
So let's go ahead and minimize our terminal.

6
00:00:24,840 --> 00:00:30,360
And we're going to go over here to our terminal and launch a clean one, and at my new terminal, I'm

7
00:00:30,360 --> 00:00:33,420
going to type in msfconsole.

8
00:00:35,270 --> 00:00:42,180
I hit enter and now we're just going to let it roll on up, and once it gives us that Metasploit prompt

9
00:00:42,230 --> 00:00:48,500
we'll begin to look for the exploit that's going to give us that terminal over onto our target machine.

10
00:00:49,280 --> 00:00:50,860
So at my Metasploit prompt,

11
00:00:51,110 --> 00:00:55,460
we type in the use command, followed by the exploit that we want to use.

12
00:00:56,530 --> 00:01:03,400
Now you can do a search inside of Metasploit just by typing in search and then you can tell it what

13
00:01:03,400 --> 00:01:04,150
you're looking for.

14
00:01:04,360 --> 00:01:11,500
For instance, if we were looking for this exploit, I could type in search, space, wordpress, and

15
00:01:11,500 --> 00:01:16,450
then it would bring me up all of the different exploits that are available for WordPress.

16
00:01:16,780 --> 00:01:20,920
And from that selection, I would then find this exploit.

17
00:01:21,310 --> 00:01:26,350
I would then copy and paste it along with the use command at the top.

18
00:01:26,890 --> 00:01:29,290
And then I would hit enter.

19
00:01:30,650 --> 00:01:36,680
You'll notice that my prompt changes to let me know that we are now using that exploit, so to see what

20
00:01:36,680 --> 00:01:39,830
options have to be configured, we can type in show options.

21
00:01:41,050 --> 00:01:49,780
And we see that we do have to set the remote host and we do have to set, or we can set, the local host

22
00:01:49,780 --> 00:01:57,030
IP address. I recommend that you do set that local host IP address for this to work properly.

23
00:01:57,490 --> 00:01:59,770
So we're going to go ahead and type in RHOST.

24
00:02:00,280 --> 00:02:07,750
So we're going to type in set RHOST and now we're going to type in the IP address of our remote

25
00:02:07,750 --> 00:02:14,320
target, which is 192.168.56.103.

26
00:02:14,740 --> 00:02:19,400
Now make sure everything is correct before you hit enter, and it comes back to the prompt

27
00:02:19,550 --> 00:02:22,070
to let me know that that command completed successfully.

28
00:02:22,720 --> 00:02:26,410
Now we're going to do the same thing, but we're going to do it for our local Kali machine.

29
00:02:26,950 --> 00:02:28,360
So I'm going to type in set

30
00:02:28,750 --> 00:02:38,230
LHOST, the IP address of my Kali machine, which is 192.168.56.127,

31
00:02:38,260 --> 00:02:40,480
and hit enter.

32
00:02:41,170 --> 00:02:42,470
That comes back to that prompt

33
00:02:42,490 --> 00:02:44,620
to let me know that that completed successfully.

34
00:02:45,130 --> 00:02:47,470
Now we have to set the target

35
00:02:47,470 --> 00:02:56,380
URI for the directory where we're going to find this ability to create the reverse shell, so I

36
00:02:56,380 --> 00:02:58,390
type in set

37
00:02:58,390 --> 00:02:59,460
TARGETURI.

38
00:03:00,470 --> 00:03:05,090
And now I'm going to type in a space, /wordpress.

39
00:03:06,150 --> 00:03:11,250
Hit enter. It comes back to the prompt to let me know that that completed successfully.

40
00:03:11,520 --> 00:03:15,500
Now we have to set the username. I've typed in set, space,

41
00:03:15,510 --> 00:03:16,170
USERNAME.

42
00:03:16,170 --> 00:03:20,570
And now I'm just going to copy and paste that information in because I want it correct.

43
00:03:21,420 --> 00:03:23,400
I'm going to hit enter. Now

44
00:03:23,400 --> 00:03:25,010
we have to type in the password.

45
00:03:25,650 --> 00:03:32,100
So again, I'm going to use the set command, space, PASSWORD, along with the password that we discovered

46
00:03:32,490 --> 00:03:35,330
for this user called Corrupted Brain.

47
00:03:35,940 --> 00:03:43,860
I'm going to hit enter and now we're going to launch this exploit by typing in the word exploit and

48
00:03:43,860 --> 00:03:44,910
then hitting enter.

49
00:03:46,200 --> 00:03:48,180
So for me, that command failed.

50
00:03:48,450 --> 00:03:54,260
Now, if I go back and troubleshoot myself, I see that the local host IP address is actually wrong.

51
00:03:54,450 --> 00:03:56,000
It should be .123.

52
00:03:56,520 --> 00:03:58,470
So I'm going to go ahead and reset that.

53
00:03:59,780 --> 00:04:03,230
And I'll hit enter. Now again, I'm going to run exploit.

54
00:04:04,650 --> 00:04:11,280
And this time it completed successfully and we now have a reverse shell between the target machine and

55
00:04:11,280 --> 00:04:13,800
our Kali machine using a Meterpreter session.

56
00:04:14,470 --> 00:04:20,220
So the first thing we want to do is look inside the home directory for that target machine, so I type

57
00:04:20,220 --> 00:04:26,400
in cd (change directory), forward slash home: cd /home.

58
00:04:26,400 --> 00:04:31,950
So I hit enter, it comes back and lets me know that that command completed successfully.

59
00:04:32,490 --> 00:04:38,340
Now I'm going to type in ls, which lists everything that's inside of that home directory.

60
00:04:38,820 --> 00:04:45,000
And you'll see that we have just one directory and it's called root3r.

61
00:04:46,100 --> 00:04:52,520
Again, I have to change locations over to that root3r directory, so I type in cd, space,

62
00:04:53,060 --> 00:04:57,680
root3r, hit enter and again, it comes back to the prompt

63
00:04:57,690 --> 00:05:00,110
to let me know that that command completed successfully.

64
00:05:00,230 --> 00:05:07,340
Again, I type in ls and I see that I have a number of directories and files available to me up inside

65
00:05:07,340 --> 00:05:08,180
of that directory.

66
00:05:09,190 --> 00:05:14,760
Now, I need to look inside of that root_password_ssh.txt text file.

67
00:05:15,160 --> 00:05:20,800
Now, to do this, I'm going to have it printed out to the terminal using the command cat.

68
00:05:22,040 --> 00:05:28,190
So I've typed in cat, space, the name of the text file that I want printed out to the terminal.

69
00:05:29,070 --> 00:05:37,770
I'll go ahead and hit enter, and inside we have a password, willy26; that is the root password

70
00:05:38,430 --> 00:05:39,880
for our target machine.

71
00:05:40,710 --> 00:05:46,280
So the next thing I need to do is get some privilege escalation, which means that I want to be root.

72
00:05:46,950 --> 00:05:48,300
Currently, I'm not root.

73
00:05:48,690 --> 00:05:50,250
And if I type in

74
00:05:51,390 --> 00:06:02,640
getuid, or setuid, which doesn't work, so I type in getuid and it tells me that I'm currently

75
00:06:02,640 --> 00:06:08,700
logged on as a default user using the name of www-data.

76
00:06:08,730 --> 00:06:10,200
Now, you're going to see that a lot.

77
00:06:10,800 --> 00:06:14,940
But when you see that, that means that you have very limited access to the server.

78
00:06:15,390 --> 00:06:16,640
You want to be root.

79
00:06:16,890 --> 00:06:18,480
So that's what we're going to do next.

80
00:06:18,960 --> 00:06:26,370
So I need to now run a little snippet of Python code, but I can't do it at this terminal. To run a snippet

81
00:06:26,370 --> 00:06:26,940
of code,

82
00:06:26,940 --> 00:06:31,060
I've got to have a shell. Now, to get a shell up inside of Meterpreter,

83
00:06:31,170 --> 00:06:32,720
I just type in the word shell.

84
00:06:33,390 --> 00:06:37,550
Now it comes back and there's no prompt, but it is working.

85
00:06:37,800 --> 00:06:41,090
So when you see it, all you're going to have is the cursor.

86
00:06:41,580 --> 00:06:42,690
But again, no prompt.

87
00:06:44,070 --> 00:06:52,110
So now I'm going to copy and paste the following snippet of Python code into that prompt, and make sure

88
00:06:52,110 --> 00:06:54,540
you get all of this because at the very end

89
00:06:56,030 --> 00:07:01,850
of this snippet of code, there is a little dash at the top that has to be part of it.

90
00:07:02,650 --> 00:07:04,400
I'm talking about this right here.

91
00:07:05,460 --> 00:07:07,840
All right, so make sure that you get all of it.

92
00:07:08,700 --> 00:07:11,400
Now, I'm going to go ahead and, what's going to happen here when I run

93
00:07:11,400 --> 00:07:14,140
this is I'm going to spawn a bash shell.

94
00:07:14,250 --> 00:07:15,380
Let's see how that happens.

95
00:07:16,020 --> 00:07:23,670
And you'll notice now that I have a bash shell and I'm currently logged in as www-data.

96
00:07:23,970 --> 00:07:26,550
But now I have an elevated prompt.

97
00:07:27,060 --> 00:07:38,040
Now because I have this elevated prompt, I can change over to sudo or super user or root just by typing

98
00:07:38,040 --> 00:07:38,940
in su.

99
00:07:39,950 --> 00:07:46,130
And now it wants that password that we discovered up inside of that text file, which was willy26.

100
00:07:46,880 --> 00:07:53,510
I hit enter and now you'll see that my prompt changes to let me know that I'm now logged on as root.

101
00:07:54,170 --> 00:07:56,450
I now need to look inside of the root directory.

102
00:07:56,450 --> 00:08:02,180
So I'm going to type in cd, space, forward slash root (cd /root), and hit enter.

103
00:08:03,050 --> 00:08:08,300
And it comes back to the prompt to let me know that I'm now inside of that directory. Again, I type

104
00:08:08,300 --> 00:08:14,270
in ls so I can see what's inside of here, and you'll see that I have something called proof.txt.

105
00:08:15,020 --> 00:08:21,470
Now I need to look at that proof.txt because that is going to confirm that we have completed this

106
00:08:21,980 --> 00:08:23,780
boot-to-root challenge.

107
00:08:24,230 --> 00:08:29,900
So I'm again going to print out the contents of that text file using cat.

108
00:08:30,890 --> 00:08:37,970
So at the prompt I type in cat, space, proof.txt, and it comes back and lets us know that we have

109
00:08:37,970 --> 00:08:41,960
successfully completed this boot-to-root challenge.

110
00:08:43,410 --> 00:08:48,090
So this was an easy boot-to-root challenge, but it introduced you to some of the excellent exploits that

111
00:08:48,090 --> 00:08:55,470
can be used not in just this capture the flag exercise, but in the real world of pen testing.

112
00:08:56,380 --> 00:09:02,650
So you want to become familiar with these little snippets of Python, Perl and bash code because you're

113
00:09:02,650 --> 00:09:08,470
going to see them not only out in the real world, but also on your exams for certifications.

114
00:09:09,910 --> 00:09:16,210
And so that's going to conclude this short video presentation on how we go about completing the boot

115
00:09:16,210 --> 00:09:23,300
to root challenge and the walkthrough for the EVM version one capture the flag exercise.

116
00:09:23,770 --> 00:09:24,760
You've got questions.

117
00:09:24,760 --> 00:09:25,770
You've got concerns.

118
00:09:26,140 --> 00:09:27,430
Don't hesitate to reach out.

119
00:09:27,430 --> 00:09:31,420
Contact your instructor and I'll see you in my next video.