Can You Hack a Bank's Server? - TryHackMe! BankCTF Walkthrough

Captions
So my name is Jacob. I am a recent graduate of a cyber security boot camp, and the reason why I'm making this video today is to showcase a CTF, or a virtual machine, that I created in hopes of helping others who want to start in cyber security and have never done any CTFs and don't know anything about hacking, really. This will kind of cover a lot of bases for them. This is the room here that I created, called BankCTF on TryHackMe. If you go through here, the objective is to get six flags. What this room covers is: deploying the CTF machine, finding open ports via nmap, running dirb to find secret website pages, using Hydra to brute force a website login, brute forcing an SSH login, exploiting a program to dump /etc/shadow, creating a word list using crunch, and escalating privileges by becoming root. I do have a write-up here that kind of goes over everything, so if you do give it a shot and get stuck on anything, this will guide you through, but so will this video. And then if you are unsure how to get a virtual machine, you can use the AttackBox here through TryHackMe, or if we go down to here, there is a hyperlink that will kind of go over how to download a virtual machine.

I have my machine started now and I'm on the OpenVPN for TryHackMe, so I'm going to go ahead and see if I can get going here. The first thing I'm going to do is read the intro really quick. It says: Roger at work mentioned a new bank opening up in one of the small towns in your area. He said someone had reached out to him about designing their website but declined because the pay was going to be too little, and said whoever ends up building the site probably won't know what they are doing. You ask Robert... well, I already see a mistake there: this is Roger and that says Robert, but anyway. You ask him for the information they gave him and decide you want to check out the site and look for some vulnerabilities. So what I'm going to do first is take this IP address. We can go ahead and say that this is the one that Roger, or Robert, gave us.

I'm going to use my nmap script that I created here to try to get this automated for me. So if I type in 10.10.251.67, it says found live host, scanning now, and then it gave me this information here. So it looks like we have two ports open: HTTP and SSH, which is port 22. If you're not familiar with what SSH is, it's kind of similar to what I'm doing now: I'm using the command line, but you are connecting to something remotely and you have that kind of access. And then HTTP, or 80, would be a website. I guess the main takeaway from this is that it says HTTP port 80, and that means that it's not secure. If it was HTTPS, it probably would be on another port, such as port 8080. The protocols on both of these ports can be used for web services. But what I'm going to do now is just double check here. It does tell me that the live host is that IP address, and then if you look at our scan, that's the same information I got above, so I don't really need that now. But I'm going to go ahead and take this IP and see if we can view the website here.

Going to the website, we see: Citibank site under construction, check robot permissions. Looks like that's all that's on here. If I click this button, nothing happens. I'm going to go ahead and view the source code, or page source, from here. Still not too much to go off of, but we do see that the form action, which would be that button, does specify robots.txt. So in theory, if we go back here and type in robots.txt at the end of the URL and hit enter, looks like we now have what looks like a word list. Let's go ahead and copy this, do wget, and save that list. So it looks like I now have the robots.txt. You can go ahead and go back, and there's really not much we can do from here, so this is where dirb or gobuster is going to come into play, because what we want to do is see if there's anything else that's kind of hidden from us, or something that we're not supposed to find. I'm going to go ahead and use gobuster. All right, so I have my command here for gobuster.

I'm going to change 50 to 80, trying to make this go fast, and I'm going to change this IP to 10.10.251.67. Go ahead and hit enter, and what this is going to do is go through this word list that I specified right here. It's going to put each one of those words at the end of the URL, like right here: it looks like it found /wordpress, for instance. So what this is doing is sending requests to the 10.10.251.67 web server, and if it's getting an appropriate status returned, then we know that this thing exists; whether we don't have permission to view it or whether it's public, it'll kind of let us know by the status. I'm going to let this run for just a little bit longer, but for now let's go ahead and go to /wordpress. Perfect, so it looks like we now have a web page that has a lot more going on with it. I'm going to go ahead and end this. In a real-world scenario, if you were doing some sort of penetration test or just anything else that you're allowed to do, obviously other CTFs, whatever else it is, you would probably want to keep that going for a while, but in this instance we're not going to find much else other than the robots.txt and this WordPress. I only know this, obviously, because I've made it.

So if we go to the WordPress now, we're going to scroll down. Nothing really out of the ordinary: we have Welcome to WordPress and Hello World, and we have a Banking, a Home, and a Sample Page. Let's maybe try Banking. Looks like we do have something here. It says: Patrick, I am leaving this page here for you so you can see what needs to be worked on next, and it looks like it's from Manager. And with that being said, we also have our first flag. I'm going to go ahead and copy this and put that in here, submit, and correct. Okay, so from here there's not a whole lot we can do still. We can try to navigate a little bit more, go to the home page, for instance. Looks like that one goes to a different IP address; something might be misconfigured, don't know. Let's go back, go to Sample Page, and there's nothing useful here.

Actually, I'm going to go ahead and run gobuster one more time. The main reason is because I want to show proof that we can find the WordPress page to log in, for instance. So just to make this go a little bit faster, I'll actually go ahead and stop this and then change this to /wordpress and hit enter. Perfect. So I would have found this on its own, but just to expedite this, we see we have wp-content, wp-includes. We'll give it a little bit longer... and wp-admin. That one seems a lot more promising; let's go ahead and view that one. Perfect, so now we have a login page, and a few different ways to maybe go about this. Since we had a message from the manager addressed to Patrick, we can kind of use some social engineering technique here to see if that would be a username. Type in Patrick... well, first let's just type admin and see what we get. It says error: unknown username. Okay, let's try Patrick too, and then we'll just do Patrick for the password. The password you entered for username Patrick is incorrect. So this at least tells us that Patrick is a valid user.

Going back to our terminal, I'm going to go ahead and end this now, because we got the login page. Let's clear our screen with Ctrl+C. Looking in here, we have our robots.txt, for instance, that looked like a word list. What if we were to use this as possible passwords to log in for Patrick? All right, so I'm going to grab this syntax here. This is for Hydra, the brute force program. Let's go ahead and change this IP address; we need to go to 10.10.251.67. So in theory this should work. Let's go ahead and hit enter, and it is going through the password list now. Perfect, looks like we have a match. So the password for Patrick is going to be "vamos", capital V, O-M-S, exclamation. Hit enter, and it looks like we're in now.

All right, so we can see on the side here in the tabs we don't have much. Whatever that one is, I think that might be for the dashboard, but it's going very slow. Let's just go ahead and scroll down here. Awesome, looks like in our bio we have another flag. Well, this decided to load; let's go ahead and go back to our user. Okay, so flag number two. I'm going to go ahead and grab this, and kind of keep in mind here where it says flag one, flag two, and it says answer format: our format doesn't look exactly like that. Let's go ahead and paste it in, though. Looks like we need to take this part out and probably add a curly bracket at the end too. Submit. Perfect. So just another little thing to get tricked up on: you can't just copy this whole entire thing and paste it and expect to get it right. But a little message here: this account doesn't seem to have very many privileges, which we did find out from the dashboard, for instance, and on the tabs here we can kind of see that this is true. And then, who do you think the admin would be? Well, if we go back to the page we were on earlier, we had a message from the manager, so maybe that would be where we would need to go. Go ahead and log out. Let's try manager, and we'll just do "password". Password didn't work, but we can confirm that manager is the correct username.

Let's go ahead and go back to our terminal. I'm going to hit the up arrow and use this one more time, except I'm going to change the username from Patrick to manager. Go ahead and hit enter, and we'll wait. So this one says zero valid passwords found. I'm going to go ahead and try this one more time. For whatever reason, it's not working the same when we use it for the manager, but I'm going to go ahead and change that little part right here again. The main takeaway is that we're changing this part from "error" to "incorrect". Go ahead and hit enter. Try to type this in; I probably should keep this lowercase. For whatever reason, it doesn't work exactly the same for both users, but this did finally get the password: it's Live Hack love66.

Let's go ahead and type that in. All right, so it looks like we're in as the manager now. We can see on the left side that there's a lot more options for us; we seem to have full access to anything in here. Usually, when you can get access to an administrative account in WordPress, or if your ultimate goal is to get onto the server as opposed to just being in this dashboard here, one thing you could do is try to set up a reverse shell inside one of the pages. To do that, typically you would have to go to Appearance and then Theme Editor, I believe, and from there you can kind of go through and physically edit code for the theme. For instance, the 404 page would be a really easy one: go ahead and remove the code that's there currently and add a PHP reverse shell inside. There's ways to go about that, but today we're not going to be doing that. Let's go to our account... not noticing anything else. Let me go ahead and go to Appearance; nothing there. It looks like things need to be updated, so there's probably a lot of vulnerabilities with things not being updated, but we may not have to exploit those. Let's see if we can find anything. So now I'm in the pages: Bank Login, let me check that one. Let's view it. Perfect, so it looks like this is giving us some information here: Patrick, this is the page where I want you to add a login. Do you have remote access to the server yet? I left the port open. It looks like it's kind of the same message there, but then it says: do you read ASCII? Looks like... oh, first let's grab this, so we have our third flag. I'm going to copy that over. Seems like it'd be a message for us, but obviously we can't read that. I'm going to go ahead and go to a website here called dcode.fr, and then I think we can just do /ascii-code. Let me see... ah, we need to take the actual "e" out: dcode.fr. Perfect. All right, I'm going to go ahead and paste that in here and hit decrypt. All right, so now we have our plain text, and it looks like that would be right here, and it's another word list.

I'm going to go ahead and grab that, and we'll just do nano passlist, paste that in there, and then we'll save it. Perfect, so we have that now. The next thing we're going to want to do is try to get server access, like mentioned in here. So let's go ahead and just log out of this; we probably don't need access to this website anymore, so I'm going to go ahead and click out of there. Right now we're looking for flags 4, 5 and 6. The next thing we would want to do is try to get SSH access, or remote access, to the server. Since we found that other word list, let's see if maybe we can use that to our advantage. So type hydra and do capital L, as opposed to before, when I had a specified username and used a lowercase l; now that I don't, I'm going to use capital L and my passlist, and then capital P and passlist again, and then the IP address, which is 10.10.251.67, and then we want to do ssh. For our threads we're going to do 4; for SSH you can't have a high number of threads, I think 4 might be the max. But let me go ahead and hit enter. All right, perfect. So as you can see, that goes so much slower than using Hydra for a website login or something like that, but it looks like it did get a username and a password, and both of them happen to be the same. I'm going to go ahead and close this now; I just want to try to SSH into the account here. So ssh cat@10.10.251.67, and then I want to specify the port as 22.

Go ahead and type yes, and now the password: we'll do cat, and we are in. So I'm going to go ahead and clear my screen and print the working directory. Looks like we're in the home directory for this user. I'm going to go ahead and hit ls. Looks like there's a few things here. Just to be safe, I'm going to see if there's anything hiding; we'll use the -a flag for that. It looks kind of like everything is the same, but let me go ahead and see what that flag4 is: cat flag4, and it looks like we do have something. So I'm going to go ahead and take that, and we will submit. Looks like that one went through. Let me see what else we can find. Looks like there's a readme file. We can go ahead and even try doing ls with the -l flag; that might give us a better option to tell us the dates of some things here. Doesn't seem like that's going to matter too much in this case. Let's go ahead and just try the readme file. I'm going to do cat, or concatenate is what that stands for, hit enter, and now we have a message. It says: Cat, please try my new script before doing anything else, and this is from root. Well, let me see if we can try to find where this script would be. I'm going to clear my screen, ls one more time. We have cat toys, documents, pictures, secret. I'm going to go ahead and just do ls with an asterisk, and it doesn't seem like there's going to be anything important in any of these folders for us. Let's maybe go ahead and go back to our home directory. Looks like we now have another directory present, like patrick. Let's go inside patrick, if we can. All right, nothing showed up. Let's go ahead and do the -a one more time. Looks like we have some things we can maybe possibly use, like this .bank_work directory; that one does seem interesting. So let's go ahead and go inside there. Remember the message before, where I was talking about a script? Looks like we now have a script inside, and notice there's a few folders. We also have our bank folder. Let's go ahead and see if we can look inside of the bank folder: passwords, phone number, customer email; things that would probably end up eventually inside of a database.

Let's go ahead and see if we can use the script first. So again ls... let me get out of here. Let me just see if I can read these awk files. Okay, looks like one of them is denied. Ah, so this is the script file we can't read. I'm going to just prove that here: cannot do that, not sure why. Can we interact with it? Let's see: permission denied. Well, the only way to use this is if we have escalated privileges, it seems like. But just to be safe, first let's go ahead and see if we have any sort of sudo privilege for this user. I'm first going to check to see if cat is part of the sudo group, and it looks like Patrick is in there; cat is not. But let's do sudo -l. Okay, so it looks like cat can run a couple things: cat can use awk and can also run the script. So it looks like this would need sudo privileges, but since we've been granted that, let's go ahead and clear our screen one more time. So this time let's do sudo and then try to run script.sh. Perfect, now we're getting somewhere. It says: hello, enter the numerical hour for the time you want to investigate followed by AM or PM, the four digit date, and lastly the game, and these are the games. Example: 8AM 0310 blackjack. Well, shoot. Let's go ahead and just type, I don't know, 6AM, one of those numbers (I don't remember if there's multiple), but let's go ahead and type in 0310, and let's try Texas Hold'em. Hit enter. "awk: cannot open 0310". Well, let's see what we have. So it looks like we have 0312 and 0315. Let's try this one more time. Okay, so 6AM 0312, and then let's go ahead and just do blackjack this time. Hit enter.

Okay, so it looks like it worked; we actually have some output. It just tells us the time and a name, so that isn't going to be much help, or too much help, for us right now. If we go back here for flag 5, which we're looking for, the hint says: can you exploit the script to view the shadow file? The file they're talking about is going to be in this location, but we don't have permission to do that. However, this script is working; it may be able to read a file for us. If you're not familiar with the shadow file, for instance, let's do an /etc/shadow example to kind of go over the shadow file, or the password file, for instance. Either one, they're going to look pretty similar. The shadow file is typically going to be holding a hash of the password, and the password file is where these hashes used to be stored; now it just kind of tells you more information about the user. One thing we can take here from a shadow file is that we can see some things that reoccur, or are kind of common: that would be the semicolon and the x, for instance, and it looks like every so often maybe there's an exclamation mark. So maybe those are symbols that we can use to our advantage. Run the script one more time. Go ahead and get out of here. It tells us the games. Let's just see if we even need to have a game in there. Let's go ahead and do 8AM 0315, and then we'll just type anything we want, like an x. It looks like that kind of breaks it; it doesn't give us the output that we want. So just to kind of mix things up a bit, let's go ahead and maybe do an x here instead of the time, and then we'll do PM, and then we can go 0312 blackjack. Kind of the same thing. Let's try this one more time. Let's do 8AM, and then let's just see if we could maybe go to a different directory: /etc/passwd, and then we'll do blackjack. Same thing. Let's try this again. This time I'm going to keep the /etc/passwd in there, but I'm going to change the first part. So let's say we do x;/etc/passwd and then blackjack.

Perfect, so it looks like that gave us what we wanted. This isn't the shadow file, but we did get the script, or the program, to do something it's not supposed to. We see in here where grep is probably being used, right here, and then awk would probably be in this file, and then we have our blackjack. Since the password file, similar to the shadow file, doesn't actually have rows or columns like awk would be trying to grab for us, it's going to just give us everything. So let's try this one more time. All right, enter, and perfect, so it looks like that went through as well, and then we have, right here, what would actually be flag 5. I'm going to go ahead and grab that. Submit. Perfect. So now we have one more flag. Let's go ahead and just forget about this thing forever. Clear the screen, and then let's try that bank folder, and maybe try... let's go into it. ls: message for cat. Just see if there's anything else: nothing. Let's go ahead and look at this. Okay, so looking at message for cat: Cat, I have temporarily changed my password to a word count. I need you to log in and find flag 6 on my account. Hurry up and gain access before I change my password back. Use crunch to create a word list by solving these riddles. Who can finish a book without finishing a sentence? Another one that says: start with six, add the number that comes after two, subtract the number that comes before five, add one, what number am I? And then use the answers to the riddles to fill in the blanks, then run the command to generate your word list. So it looks like we have crunch 1 [answer two] [answer one], and the word count of this output is my temporary password. Love always, root. PS: if you haven't figured it out yet, there may be another way to get into my account; maybe one of your sudo privileges has a vulnerability. Another thing we did just see was the password file. Since that has the hashes, let's maybe go ahead and grab... right here we have root.

I'm going to go ahead and copy this, just open up a new tab, and so, just using our local machine here, we can do the same thing. So let's go ahead and do nano pass and paste, just to show that's our hash there. Let me go ahead and make this bigger. I'm going to go ahead and save, and john pass. We're going to let that run. It might get the password for us, it might not, but in the meantime let's go back to... okay, it's the message for the cat. So let's see if we can just solve this really quick. Who can finish a book without finishing a sentence? Well, we can sit there and try to figure that out, but we could also probably just Google this. It's like the answer would be prison, or maybe prisoner. Let's go ahead and go with that. And then for this one: start with six, add the number that comes after two, that'd be three, so now we have nine; subtract the number that comes before five, so four, so five; add one; what number am I? And that should be six, I believe. We do crunch 1 6 prisoner, hit this, and then let's go ahead and just stop that. What this was going to do is create a giant word list for us using these parameters that we put in, but we don't really care for that; we don't need to know or have that word list, we just need to know the number of lines that it's going to be, because it looks like that could be the word count that is my temporary password. So that would be the password. Let's see if we cracked our password. We did; it's the same thing. So we can go ahead and get in that way, but there is one more thing we can do. So the third way to get in would be from our sudo privileges, specifically with awk. So right now, if I were to type whoami, we just have cat for our user. Let's go ahead and do sudo awk, BEGIN, system, and now we have a parenthesis, quote, /bin/bash, quote, and then the parenthesis, and then we have our curly bracket, and then we need that in there. This should allow us now... hit enter. Nothing seems to have happened, but let's go ahead... well, we can see from our user it says root, for instance.

Let's also just check here: whoami. We are now root. Let's go into root. We have I am root. Let's do cat. Perfect, so it looks like we now have flag 6, and it says: you've compromised the bank's operation, happy hacking, you should get some sleep. So I'm going to go ahead and submit that flag, and we did it, we have all six flags. Now let me go ahead and just complete this task here, and perfect, we've got the room completed. Yeah, I just wanted to showcase this to anyone who may be interested in giving this a try themselves. Like I've stated previously, this is mainly for people who are brand new to CTFs and don't have any sort of practice or knowledge about these tools; this is just to help you gain some experience using them. So hopefully you give this a shot. Even if you watch this video and saw how it all went about, it's still nice to try it yourself and try to figure things out on your own as well. I do plan on making more rooms in the future; they won't be as easy, probably, but kind of keep an eye out for that. Thanks for watching, and hopefully you're able to learn something new, and if you do complete the room, let me know and kind of tell me your thoughts. Again, thank you, and see you guys next time.
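The flag 5 step above works because the room's script splices the three user-supplied fields (hour, date, game) into a shell command line, so a `;` in the date field runs a second command as root. The room's actual script is never shown, so the block below is an added example, not the room's code: a constructed lookup script with the same shape of bug next to a hardened version that allow-lists each field and hands values to awk as variables instead of through the shell. The directory layout, the `0312` log file, the `secret` file standing in for /etc/shadow, and the game names are all constructed for the demo.

```shell
#!/bin/sh
# Added example (not the BankCTF script). Demonstrates the command-injection
# pattern exploited in the walkthrough and one way to close it.
# Everything under the demo directory is constructed sample data.

# Create a throwaway directory holding a fake game log named after a date
# and a "secret" file playing the role of /etc/shadow. Prints the path.
make_demo_dir() {
  d=$(mktemp -d) || return 1
  printf '6AM alice blackjack\n8AM bob texasholdem\n' > "$d/0312"
  printf 'root:$6$fakehash:19000:0:99999:7:::\n' > "$d/secret"
  chmod 600 "$d/secret"
  printf '%s\n' "$d"
}

# VULNERABLE: the fields are interpolated unquoted into a string that is
# then eval'd, so shell metacharacters in any field are executed.
#   normal:    vulnerable_lookup DIR 6AM 0312 blackjack
#   injection: vulnerable_lookup DIR 6AM '0312; cat secret #' blackjack
# The '#' comments out the rest of the pipeline, so the secret is printed raw.
vulnerable_lookup() {
  ( cd "$1" && eval "cat $3 | grep $2 | grep -i $4 | awk '{print \$1, \$2}'" )
}

# HARDENED: reject anything that is not exactly an hour, a 4-digit date and a
# known game; open the log by a path built from validated parts only; pass
# the match criteria to awk with -v so they are data, never shell syntax.
hardened_lookup() {
  dir=$1 hour=$2 ldate=$3 game=$4
  case "$hour" in [1-9]AM|[1-9]PM|1[0-2]AM|1[0-2]PM) ;; *) echo "bad hour" >&2; return 1 ;; esac
  case "$ldate" in [0-9][0-9][0-9][0-9]) ;; *) echo "bad date" >&2; return 1 ;; esac
  case "$game" in blackjack|texasholdem|roulette) ;; *) echo "bad game" >&2; return 1 ;; esac
  [ -f "$dir/$ldate" ] || { echo "no log for $ldate" >&2; return 1; }
  awk -v h="$hour" -v g="$game" '$1 == h && $3 == g { print $1, $2 }' "$dir/$ldate"
}

# Stand-alone demo: normal query, injected query, then the hardened version
# on both inputs.
demo() {
  d=$(make_demo_dir)
  echo "vulnerable, normal input:   $(vulnerable_lookup "$d" 6AM 0312 blackjack)"
  echo "vulnerable, injected date:"
  vulnerable_lookup "$d" 6AM '0312; cat secret #' blackjack
  echo "hardened, normal input:     $(hardened_lookup "$d" 6AM 0312 blackjack)"
  hardened_lookup "$d" 6AM '0312; cat secret #' blackjack || echo "hardened: injected date refused"
  rm -rf "$d"
}
demo
```

The point of the hardened version is that no user input ever reaches a shell parser: the `case` patterns accept only the exact shapes the script documents, and awk receives the hour and game through `-v` rather than by string concatenation. The separate `sudo -l` finding (awk runnable as root) is a different problem that no input validation fixes, since awk's `system()` gives a root shell directly, which is the third route the walkthrough takes.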
Info
Channel: Jacvbtaylor
Views: 89,056
Keywords: kali linux, virtual machine, tryhackme, bankctf, jacvbtaylor, hacking, how to hack, hydra bruteforce, linux, virtual box, hack wordpress, ssh, cybersecurity, OSINT, john hammond, jacob taylor, bruteforce ssh, bruteforce wordpress, awk, privilege escalation, sudo
Id: lR7gNc4wr1g
Length: 32min 18sec (1938 seconds)
Published: Sat Dec 10 2022