Capture the Flag | Hacking Challenge | ITProTV’s Live Week 2019 Replay

Captions
Welcome everybody to ITProTV's Live Week Capture the Flag challenge. I'm your host Don Pezet, here in studio with Mr. Daniel Lowrie. Daniel, how's it going? It's going great, having a great time. Hopefully everyone is having a good time in Live Week. Unfortunately I couldn't be here, but I wanted to realize something really cool, so that's what we're gonna try to do today. Yeah, you know, I tried strong-arming Daniel. I said, if you're not gonna be here for Live Week then you're gonna have to be here for dead week, it's your choice. But we certainly wanted to have a capture the flag challenge because they're a lot of fun. Now, let's start off a little slow here for people that are just tuning in. If you don't know what a capture the flag is, these are hacking challenges that you see pretty commonly at a lot of the big conferences that are out there, RSA, Black Hat. Yeah. And you know, basically what they've got are a series of machines that are set up, or it may even be a single machine, that they have stashed away some data on. Those are the flags, and as an attacker you've got to be able to get in and gain access to that data by using one or a multitude of vulnerabilities, and, you know, it's all in a challenge format. So Daniel, is that a good summary? I think you nailed it right on the head, Don. There are different types of capture the flags, but that is definitely one of the prevalent ones, especially if you're doing these things at home, downloading them and running them on a virtual machine like we're gonna do today. It's a very common format for them to be, so that you don't have to have a whole network infrastructure set up, people aren't having scoreboards. That's kind of what you see typically at a con. But if you want to practice at home, you want to get your feet wet and play around with this stuff, it's a great way of doing it: download some photo machines that are capture-the-flag specific, get them up and running and start attacking. Now, I remember last year at Black Hat, you 
know, we went downstairs to the area where they had all the hacking competitions going on, and I went down because I wanted to see, I thought it'd be interesting. And it was teams sitting in there at their tables, kind of closed off because you weren't supposed to bother them while they were hacking, and the lights were dimmed, it was very quiet, and they would go all day long. And if I had to sum it up in one word it would be: boring. Right. I mean, it was just, you really had no benefit in watching. Yeah, you were better off just waiting and getting the summary a few days later. So what we wanted was a capture the flag that was a little more exciting, right, where Daniel is gonna take a challenge and walk us through the process. So he's gonna talk, I'm gonna ask him questions, so we're gonna bug the hell out of him while he's trying to basically get into this machine and compromise it. I'm a big boy. And the machine you've chosen has five flags? Yeah, this one has five flags, one of Justin. Actually, if you want, we can jump into the computer here real quick, let me just show you where I got these things from. This is my Kali Linux machine, but if I go back over to my macOS, from VulnHub.com, you can see up here there's the URL if you want to grab that. These are a series of CTF machines that were released by the DCAU user, whoever this is, and so you have DC 1, DC 2, 3, 4, 5 and 6. I figured let's just start with the first one and let's have some fun with it. They are a ton of fun, you can play around with these. There's a lot more found on VulnHub, so if you like what you see here, you're like, man, I worked my way from DC 1 to DC 6 and I'm ready to rock with something else, just start looking through VulnHub. They've got so many interesting and different aspects. I've learned a ton from going to VulnHub, downloading the latest machine and trying my hand at it and seeing what I can figure out. Yep, and for the audience at home, if you want to try this you absolutely can. This isn't a "do not try this at home". You can download this, 
run it yourself, and the best part here is Daniel, he's only got one stab at this, right? So we're gonna give him a chance right now. If he fails to get some of the flags, maybe you can work at it and figure it out, get a little further. If you do, make sure you tweet that out to us so we hear about it, or at least send Daniel an email and say "Daniel, loser". Yeah, yeah, so be sure to send that one in. But with Daniel we do want to make this a little bit more fun, so we're gonna stick some ground rules on what you're able to do and what you're not. The first ground rule we want to set: 30 minutes. You've got 30 minutes to capture as many flags as you can. Oh yeah, you know, that's actually a really good rule because a lot of times these things can sometimes, it's gonna stress me into trying things. Yeah, so 30 minutes. Now that also means that he's going to do balancing. Like if he's on a flag that he's just not figuring out, it makes sense to skip it, go to the next one, to maybe come back if you have more time. So time management is a fun thing. So we're gonna do 30 minutes. I'm gonna break out a timer here in just a moment, set it up on the podium so we'll have that. Next rule: no Metasploit. Ah, you know, Metasploit is like the easy button, fantastic behind. So otherwise we wouldn't even need 30 minutes, right? Some of these things would be over pretty quickly. Yeah, and you know, in the field, if you're a pen tester, you may use that, but Metasploit isn't gonna help you find unknown exploits in most scenarios, so we're gonna pray about that one. You've got to do it by hand. Okay. And then, you know, I don't think it's a matter of win or lose based on the number of flags. There's five flags, let's just see how many you can get. Alright, yeah, I think that's a good way to go, because sometimes that just works itself out. There's just one flag or two flags or a certain flag that's more difficult, maybe you don't have experience in that. I know everyone across that plenty of 
times, just like, I just don't know what to do here. And that's where, hey, you know what, if you guys find the flag, going with what Don was saying before, if you guys find a flag I don't find, or if you have a different way that you found a flag, or you used something different than what I've done, I would love to hear about that. I think that stuff is awesome. Tweet that out to us, send us an email or postcard, whatever you like, and we'll definitely check that out. So it's awesome to see how different people come at these things from different perspectives and techniques and stuff, and I love that. I think there's a lot that can be learned through that shared experience. Alright, so Daniel, I think it's about time for us to get started on this. Okay. I'm gonna break out our timer, which, we got a nice big timer here. This is the hardest technology I'm gonna work with today. I'm gonna set this for a cool 30 minutes and 20 seconds, that way I can have time to set it down and not knock it off the table. There we go. So we've got a 30 minute timer. It's just a decrementing thing, so as the red pie gets smaller you're running out of time. At that time I guess I better jump into this. I've already started the VM up, and I'm running VMware Fusion, and I've got a network that, you don't want to expose these things to the internet because they are vulnerable, so I've got it in a locked-down thing. If I need to get something from the internet I can grab it through my Mac, so if that happens that's what we'll do. So I'm gonna jump back into Kali, let's get rocking on this thing. I'm using Terminator as my terminal. I like it because it's very tmux-like without having to really know tmux too much. I like being able to split the panes and everything. I'll make sure it's something we can see. So since I'm running inside virtualization I need to discover the IP address. If you're doing this kind of thing you can use netdiscover: netdiscover -i for the interface, eth0, -r for the range, and I'm in the 10.10.10.0/24 
network, hit return, and it is scanning. Now help me understand, I'm gonna stop you for just a second. I've not done a capture the flag because I'm not a security person. So you have no idea what these flags are? I have no idea, right. So how are we gonna know what a flag is, how will you know you actually hit one? That's a great question. Typically what you'll see is it says flag one, flag two, or flag, it'll have something like that. Maybe sometimes you'll see them as like an MD5 string, something to that effect. So that's what I'm looking for as far as flags go, but most of the time it says flag, and inside of it will be an MD5 string so you can prove it. Alright, and so you've got no guidance other than that, and so you don't even know what machines are in the lab, and that's what you're trying to figure out right now, is just what's even sitting there. That's it. Okay, so right now I'm looking at what my box has discovered, and netdiscover uses ARP to figure out what's on its network, and I've got 53 and 56, and I'm pretty sure 53 is another VM that I have running, so I think it's 56. So let's do an nmap, we'll clear this out. nmap, and I'll just do a real quick -T4 -n -Pn and whatever comes up, and 10.10.10.156, I think I said it was, and there we go, let's just see what comes back. So immediately I get port 22, port 80 and port 111, which is RPC stuff. So that's cool, it looks like it's going to be a remotely administered web server. So I'll just run nmap again, but this time I'm gonna throw some extra flags at it. -A is gonna run like a certain set of those, OS fingerprinting and versioning, so it's easier to do this. So -A, and then -sC so it runs safe scripts, and I'll speed it up with -T4, increase the timing. -n does no DNS, -Pn does no ping, so if it's blocking pings it doesn't matter, it's still scannable. And a lot of systems are doing that today, right? Yeah, so it's always a good option, plus it makes things faster, you don't have to wait for it to ping. I like 
fast. So, and here I'm gonna do -p, which tells me which ports I want, and I'll put in just 22, 80 and 111, and then give it the IP, 10.10.10.156. And a lot of times what I'll do is, let me open a new tab there, not a new tab, I wanted a new pane, let's see, there we go, split vertically, that's good. Let me create a folder, which I should have done. So mkdir, call it live CTF, cd into live CTF, there we go. And here I'll do, you can kill this now, and here, I love that, that's just Control-C, there we go, and I'll just do - go for output into live CTF, I might have to do it dot slash, and I'll call it slash nmap.txt. Alright, there it goes. So what I'm doing here is I'm getting all that information, doing that enumeration. I need to know more about this machine other than it's a web server. Of course I can open my browser and start seeing what website is on it, but I want to learn about the technologies as well, under the hood. We've got port 22, it's running OpenSSH version 6.0 point 1, and Apache httpd, and I do see underneath this, this is why I like to run those scripts, I see it's running Drupal 7. Okay, I do have a little bit of experience with hacking in Drupal, so the first thing that comes to my head is Drupalgeddon, which was pretty common. So what I want to do now is verify that this is actually running Drupal, I mean it is running Drupal, but I want to see if Drupal 7 is correct or, you know, what's going on. I also have a bunch of entries, 36 disallowed entries in robots.txt, which is a common place to hide directories for a web application so crawlers don't find them, so I'll take a look at the robots.txt file as well. Alright, let me move into the live CTF here. Yeah, there's my ex, excellent, clear that out. And you're saving it because you're gonna need to refer back to that? Yes, yeah, as you do. It's always a good idea, like anything you find that's good information, pop that into a text file so that you can keep it around and refer back to it whenever you need, like, well, what port was that? 
Especially if they get into weird ethereal ports or something, it can be super helpful with that. Okay, let's see here, let's open the browser and let's go to 10.10.10.156, and yes, it is definitely a Drupal site, excellent. It's got a login page. This looks like a pretty standard install, like nothing crazy going on. Got a create new account tab, so maybe I can create an account. Let's try test, test, test.com, create new account. "Thank you for applying for an account. Your account is currently pending approval by the site administrator. In the meantime, a welcome message with further instructions has been sent to your email address." Well, that's never gonna happen, so I can't just create one. I could probably try to request a password, that's probably not where they're going with this. So let's just go back home, let's look at that robots.txt file. So if you go up into the address bar, do forward slash robots.txt, you see that this file, hey, I have access to it, which is nice, and I can see some disallowed directories, I can see some disallowed files there. So a lot of times I just kind of crank through these, see if there's any kind of low hanging fruit inside of them, maybe that flag. You can't disregard something. Ah yeah, yeah, great. So it's a matter of going in each one of these things and seeing. Does it typically take a lot of time? And my clock is ticking. Yeah, it does, but if I'm gonna find flags that's what I've got to do. So let's go to includes, just copy and paste them. And that robots.txt file is kind of a double-edged sword, right, because it's supposed to stop the likes of Google or other search engines from crawling your site and doing all that, but if you put sensitive folders in there it's kind of giving them away, you're telling people where to look. So on some servers they actually protect that, where you're not able to just hit robots.txt, right? Yeah, sometimes they'll hide that away or just not give you access to it. Not all the time though, just 
because most people are smart enough nowadays to go, I'm not gonna put anything sensitive in there. It does still happen, don't disregard it, but you find a bit of a mixed bag when it comes to that. So I'm just gonna keep slapping these in here. Right now I'm getting Forbiddens, which means that there is some security here, so there's permissions that are being put on these. So even though I can find them I can't get into them. Maybe I want to do some directory fuzzing against that, I can still find stuff from time to time even if you have a Forbidden. I'm just gonna keep pasting these in here, keep double slashing. Yeah, they all seem to be forbidden. Mm, scripts would be awesome, give me scripts, I would love to get into the scripts directory. You know, I guess not every challenge has to be hard, give you an easy one. Yeah, yeah, and this was meant to be a beginner thing, but this is definitely not yielding any fruit so far. And there we go, forbidden. So all those directories are forbidden, that's good security on their part. But let's take a look, we do have a changelog text, this might show me some versioning information if it's available. Hopefully I'm not gonna get Forbidden on that as well. And you might be going, man, this seems like a lot of minutiae, and yeah, it can be drudgery, but when you find a flag, you know, it's the hit you need to keep going. No changelog stuff there. Let's look at install.txt, that might have some versioning stuff. That's why these text files can be super helpful. Alright, paste that. Ah, we actually have some action here, let's see what we get. Alright, so it's talking about Drupal. Says a web server, Apache version 2.0 is recommended, PHP 5.2.4 or greater, one of the following databases: MySQL, MariaDB, PostgreSQL or SQLite. So it's just kind of giving me some information about Drupal, that's good. Let's see what else we have here. Upgrade text, that can 
have some good stuff, see what we've got. And what you're hoping to find is where you can figure out what version of Drupal it is? And if you knew the version, what would be the next step, like you'd go and look for exploits in that version? Man, Don, you are... I just make it up. That's exactly right, because if I know what it's running then I can really start narrowing down my search parameters when it comes to exploitation of it. It does look like it's telling me about minor versions of seven, so if I want to update from 7.8 to 7.9, from 7.6 to 7.10, these are the instructions that I want to follow. So I definitely know I'm working with a version seven of some ilk. This is taking up some time, so I'm just gonna go with, I know it's version seven at this point, I have a very good idea that that's what it is. So I want to start getting at this thing. So I know that this is here. I could probably run some vulnerability scanners like Nikto and do some directory fuzzing, something like DirBuster, in order to try to enumerate. We've gotten a lot of interesting information just from robots. I'm thinking Drupal is the road they want us to go down, so that's where I'm gonna focus my efforts. Let's get back in the terminal. I'm gonna actually just shut this down, one workstation, there we go, that way we can just bounce back and forth. And here what I'm gonna do is I'm gonna run searchsploit, let's see if there's any Drupal good, which I'm pretty sure there is. I think I've done this before on another box and a different CTF site, I know I've done something with Drupal before. So then I'm gonna grep out, a lot of times you'll get like denial-of-service attacks, I'm like, I'm not trying to DoS this thing, so get that out of the way. So there we go, I do have some entries, and I've got a bunch of entries here for Drupal 7.0, 7.31, looks like they're SQL injections. I'm gonna just reduce the font just a bit. I'll zoom in so everybody can see, but I like to be able to see the entire line. There, there 
we go. So I've got this group, which looks to be probably from the same exploit writer, just in the way they're formatted. I think this is the one I've done before, Add Admin User. It's a Python script. I'm not as good with PHP, so I'll definitely want to stick with Python because it's just more in my wheelhouse. And I've got some Drupalgeddon3, we've got Drupalgeddon2, and these are authenticated, so I can ditch those, I don't have authentication to this. And this one's a Metasploit module, so that's out of the question. So I might want to go with something like this, but I think I've done this one before where I've added an admin user, which will give me access to the panel, and I might find flags in there. So let's just start with the top and work our way down, see what we get. So this is right there, which is probably why you've seen this one before, because you just start at the top and work your way down. Let's see, so I'm gonna copy that. Let's see, /usr/share/exploitdb/exploits/php/webapps, and that one is 34992.py, and I will save it here. Alright, so I should have it there, which I do. And usually what I'll do is I'll nano that joker, 34992, just to kind of take a look and see if there's any kind of instructions that they have for us inside of there. "This material is for education purposes, any damage caused, not their fault." "Start from Drupal", "pass and port Drupal hash", it's just kind of giving you some idea of what this thing is doing, "calculate a non-truncating". So what it should do, based off of what I'm seeing here, is add an admin user, which is what it said in searchsploit. So if we can add an admin user that would be great. So Control-X, and let's run that joker. So python 34992.py, let's just see. Here it's giving us a cool splash page, "SQL injection", "Drupal death for everyone", right, and then the options if I need help, that's cool. Alright, so -t for target, or --target equals, -u username, so insert a username. So 
it's telling me that I need to give it a username that I want to use, and then the same thing for password, insert password. Okay, so python, actually I'll probably just go up. -t for target, which is in URL format as it says here, so HTTP 10 156, like that, then -u, make sure you guys can see this, -u which is username, and we'll just call it hack you, not you, F, that's the school, hacker, -p hacker, fire away. Ah, excellent: "vulnerable", which always makes me happy, and "administrator user created", that really makes me happy. And then there's my login, it gives me a URL if I want to use that, but I know I'm already there, so hacker and hacker should be my username and password. Let's go to here, I will see far, hacker, hacker. Welcome. Alright, let's pause for a second. So now you haven't necessarily compromised the box underneath you, but you now have an admin account in Drupal? That is correct. Which is a pretty aggressive thing. Now for those of you watching at home, we are just crossing the halfway point on this challenge. You've got 15 minutes left, and how many flags have you found so far? Zero. So technically still a loser, even though he's got admin access to Drupal. So yeah, so I better get back here, right? Alright, so I'm in Drupal, let's look around. Tells me hello, I've got a log out, I can look at my account. Usually when I drop into something like this I just start from the left side of the menu stuff and start playing around. So let's do the dashboard, right? Hey, hey, oh-ho, hey! Yeah, I think I found the third flag. Alright, so what happens now? Yeah, I mean, it says flag three. You just take a screenshot of that? That's the flag, you can take a screenshot of that. I'm gonna click on it because it's a link, and in this one, this is cool, I do like it when they do this kind of thing, this flag is actually a hint for the next flag. So it's telling me "special perms will help find", and you'll notice, you've got to really pay attention to stuff like this, see how this is 
capitalized: "special perms will find the password, but you'll need to -exec", you'll need to -exec "that command to work out how to get what's in the shadow". So it's kind of leading me to think, alright, a lot of times once I've gained access to a thing and I'm trying to escalate my privileges, I will look for like setuid, and I use find and perms to do that very thing. So maybe there's a setuid that I could find. It does also have a -exec. A lot of times when you find a binary that is being run as setuid, or it has like sudo privileges or something, there is an ability for you to jump out of that or have it jump into a shell using those permissions, and -exec kind of lends my thought process to think that's what's gonna happen. But we have found a flag, I feel good, not a complete loser. And "how to get what's in the shadow", is that a reference to the shadow file, where the passwords are? Exactly right, so the shadow is where all the encrypted passwords are. So that's good to know, we'll use that information as we go. But now, alright, so I have worked with Drupal before, I wasn't able to do this before, and if I'm remembering again correctly I created a, and you should be doing this, any time you learn something new you write it down so you don't forget. So I keep a bunch of things that I've learned that I don't use all the time in documents in a Documents folder. So let's go look, I'm pretty sure I did this with Drupal, and we will ls /root/documents and see what's in there, see if there's anything with Drupal. Yes, Drupal shell upload, aha, Isis paid off, good job Larry. So I will cat that, cat /root/documents/, Drupal shell upload. Alright, so "to upload a rev shell to a Drupal site you need to install a new theme". Alright, so we're gonna smuggle the reverse shell, that's right, okay, it's all coming back to me. We're gonna smuggle a reverse shell, a PHP reverse shell, into a theme that we then install, because we have administrative privilege to the Drupal 
site, and then we go to a certain URL and that should launch that PHP, giving us our shell, if I'm remembering. So it says, obviously you need access to the Drupal admin first. Alright, so it's under login, Appearance, install new theme, and then hit browse. This might not be the same version but it's okay, it should be similar. You'll need to have a theme for the installation and smuggle in your rev shell. Okay, yep, I am remembering correctly. Alright, so this was the theme that I used that time, hopefully it still works, so I'm gonna grab that. That is forward slash project forward slash bootstrap at drupal.org. Alright, so I don't have internet access on this machine because I'm stuck in that VM net, so I'm gonna jump over to my Mac real quick and we'll let the Mac do the heavy lifting for us. So let's see here, it was HTTP, yeah, HTTPS colon, www.drupal.org forward slash projects, bootstrap, project slash bootstrap. Yeah, I can already see, everybody, I've been here before. There we go. Okay, so increase that font. Says grab the .zip file for your version of Drupal, so we're using version number seven, so that versioning information again lens handy. How are we doing on time, Don? Well, you have approximately 10 minutes remaining, so the timer is ticking, better get to work. Alright, let's see here, so I need to grab my version of bootstrap. Downloads, perfect, we've got 8.x and 7.x, and it said to grab the zip file, which is right here. So I'm going to download that, I will save that, okay, and I'm not gonna call it bootstrap bla bla bla bla bla, just gonna call it bootstrap. Alright, save that, looks like it is done, perfection. Alright, so what I'm gonna do is I'm just gonna use Python to serve it up as a web page so I can download it. Let's see, terminal, and do python, Python, it's Python, Don, python -m SimpleHTTPServer. It's one of my favorite ways to smuggle stuff around my boxes. Oop, I need to go to that folder, cd slash, and downloads, documents, downloads, there we go, and now I can Python. Alright, so it's on port 
8080. Coming here, I can do wget, HTTP 10-1, on port 8080, and it's bootstrap, I think it's .zip, there we go, excellent. So we have bootstrap.zip, badda bing. Alright, let's take a look at what else I need to do, which is add your rev.php file: open file with archiver, add file, and just slap that in there. Okay, so I need a PHP reverse shell, which you can grab from pentestmonkey. If you have Kali I think they're built in, they might be lurking around. If not, go to pentestmonkey and grab a PHP reverse shell, which I already have, I keep a running list of tools. So I will cp /root/tool, and PHP reverse shell 3 I think is my next iteration of these things, I keep changing what they're doing inside, so I'll save that as rev.php. ls, perfect, there it is. Let's cat rev, no, I need to nano that, nano rev.php. Guys, you've got to go in here and change the IP and ports that you want to run on, so they have money 1000, 10.10 dots, what is my IP address, I am 142, excellent, close that, and put 142. Go down here, change the port to, I'll just do 9 and roll oh, and save that. Okay, so now my rev.php, my reverse shell, should be ready to rock. I just need to open up the archiver, so gates you File Explorer, go to, was it Documents, or no, Home, and we're in live CTF, and there's bootstrap.zip, open with Archive Manager, bootstrap, and I think all you've got to do is drop it over there like so. Yep, there it is, rev.php is showing up, and I'm just gonna go back in to make sure because I'm paranoid. Open with Archive Manager, make sure rev.php is still in there, which is excellent. So now I install the theme. Here, now I know you're in a hurry on this, but in real life land you'd probably try and pick the same theme that was already installed, because people are gonna notice if you activate the theme, right? In real life land, yeah, yeah, you would want to go with something that wouldn't cause eyebrows to go up or whatever, but here it doesn't matter, not while the clock's ticking, 
and not, well, let's see here. So I've done that, alright, so now we install the theme and then we have to go to that. Alright, so let's do that. Go here, I think it's under Appearance, right? Yeah, install themes, install a new theme, hit browse, go to Home, live CTF, yes, bootstrap.zip, hit open and hit install. Was successfully, enable the new healthy themes, that's necessary? Not, but I did it. Alright, so now, alright, let's do shift, control, there we go, and increase the font. Do netcat - BNL, which is nine nine nine. Alright, excellent, we're listening. Next thing I need to do is go to this URL, which is where that should be. Copy here, smack it in the URL, hit paste and go. It is turning and burning, so that's a good sign. Badda bing, I have shell access, feeling good. How much time I got left? But I know I'm coming down on the wire here. You are just passing the five-minute mark, it's ticking. Alright, so let's see here. So we talked about find and perms. First thing I'm gonna do is, because I'm looking for, say, it could be files in here just called flag, so I'm gonna do a find / -name flag star, - slash. Alright, find some flags. Actually you're just looking for file names and filtering errors out? Oh, you found, find two flags? Oh no, that's one flag. Oh no, there's two, haha, flag one. Alright, can I read them though? Just because it found it doesn't mean I can read them. It doesn't count, you have to touch them? Yeah, you have to prove that you could have the data. Flag one is in the web directory, right, because if I do id I'm www-data. So let's go there. So cat slash, was it var, I can't do it, /var/www/flag1.txt, right? Yeah, ha, so I was able to read that, that's good. "Every good CMS needs a config file, and so do you." Okay, that's including the next one, which I have found, and cat /home/flag4/flag.txt. "Can you use the same method to find or access the flag?" Probably. Okay, to find this flag I'm supposed to use find. Alright, so let's do that. find / - 
perm -u=s, and -type f, - / + F / no. And I see here you're looking for any file that's got SUID set, so that the executable would run as root or with sudo? Alright, so I'm looking through now. I'm just looking for things that look like, I don't, this, ping6, that probably shouldn't be. So if you're wondering whether or not this stuff is actually gonna, I've got this cool website, let me close that, go here and go to GTFOBins, yeah, GTFO, GTFOBins, and you can actually type in ping6, but there aren't any binaries that have that. Oh, that's cool. So if you're looking for something that might give you sudo or SUID access, I see find is in there. I think find might be our, yeah, so find. I can get a shell with find by doing, yep, -exec: find . -exec /bin/sh, bing. And -exec was from that hint earlier, right? You've got to follow the breadcrumbs. Yeah, so even if ping had SUID as root it wouldn't matter, because you can't spawn a shell from it, right? But with find you can. Right, /bin/sh, and then I think it's this, this. Okay, so I'm root. Nice. So now I have carte blanche. Well, I know I want to go carte blanche, and one and a half minutes? Yeah. Oh really? Alright, I'll do cd /root, and there's the final flag. cat the final, the final flag txt. Congratulations. Alright, so I have found four flags. You found flag three is what you found first, then one and four, and now you just found flat back, so you miss my crew. So flag three, top was a 5-1 had a hint, it said "every good CMS needs a config file, and so do you", and you have 54 seconds. Alright, let's go there, area of cd - / / / nuptup down. I'm assuming they're talking about like a Drupal configuration file or some web config. I don't know on Drupal, but in WordPress I know they store the database credentials in the config file, so if Drupal works that way. There is a web.config, maybe it's in there. Alright, so cat web.config, let's do grep flag for web.config. Nothing, nothing. This, normally I would do this import because this is for 
10 seconds i dot spawn - 1 and over 30 minutes are up I wasn't flags than that oh you did get a nice batch prompt but yeah how was it a lot easier to like maneuver around when you can see a prompt that does help all right well I'll be honest with you Daniel I was worried at the 15 minute mark we hadn't found any flags but that was tough they did start kind of kind of blown along past a certain spot it was like oh there they are though they are I'm guessing that if I look through some of these these files or something that I would have it end up finding a configuration file with a flag inside of it oh if you find it please let me know and tell me how you got past the the Golden Gate there so well I think the thing that I learned here really was that in order to make you successful we need to give you as little possible because you really the first 15 minutes sucked I really appreciate your enthusiasm therefore my cool you know remember we were talking about at the beginning of this which is you can go to voloom calm they have honzik after the flags there hey how do they find this specific one oh yeah so that was that URL we had up at the beginning of the show so I'm at Vaughn hub and I'll show you that take a look so it's HTTP dub dub dub boom hub calm ford slash series ford / DC common 9 board / hashtag and i should take you to the DC series and you can work your way through and are you running that on like VirtualBox or I'm running on VMware fusion because I'm on Mac but VirtualBox would work well I think in when I was reading about the the actual virtual machine stuffs that had been tested on both platforms and should work for both of them so whatever you're running probably good to get some good action on yeah so if you want to play along at home you can actually do this entirely for free right Virtual Box is free the Voland hub lab is free used Kali Linux was your main sex yep totally free so grab those tools together see what you can do and this was super fun 
was a good time and I like the time constraints and Kami's meant that was cool because it made me have to like really process my way through it not just point-and-click something and go hey I have shell yeah but there were other through when we were looking at search boy there were plenty of other exploits that might have worked against this so maybe try those and have some fun it's a good way to learn I know I had done it one way and I was under time pressure but now I want to go back and play with those other exploits and see if I can get those to work maybe just get like remote code execution directly without having to go through the theme installed yeah the theme install slowed you down a good bit cuz you had to go to an external site and then you had to stand up a server to transfer the file and I didn't do that I would have found flag three well that's true because it was in the admin oh yeah yeah so I'm hosing cons but again I guess the alternate way is if you could have gotten access to the database behind it you could have found flag three in the database yeah I doubt that's what I love about these things there's so many different avenues which she can attack them and I've seen these kind of things before where people come up and they give time crunch CTFs and to watch how they work and oh well immediately I'm gonna try this yeah so you probably have a different way of doing it I'd love to hear about it awesome well Daniel I really appreciate you spending the time with us I know you're you're gonna be on vacation here soon so this is not exactly the pressure you want right before a vacation but at least you get to relax yeah and for the you know the viewers out there in TV land that you a chance to see how a CTF was carried out yeah now in a conference competition as he found each flag he would grab that data and turn that in to score points you know they normally have a scoreboard that's going on we're just doing here for fun so four to five I'll take 
that that's a win in my book yep I think I qualifies absolutely for adequate and so inadequate performance there we go all right well Daniel any parting words for our viewers on anything just highly recommend doing these a they're really fun so if you like puzzles you like trying to figure stuff out is a great time for a game if you're studying this kind of stuff if you want to learn more about hacking web vulnerabilities system vulnerabilities doing these is a great way to do it without feeling like it's a drudgery you know because they have that fun factor to it I've learned a ton of stuff just doing these things and having to Google stuff and go oh I don't I don't know about this getting out there and seeing what I can find and trying to make exploits work you know you're really up your skill set doing this kind of stuff and you'll have a good time doing it all right well ladies and gentlement there I hope you guys enjoyed it that's gonna be a wrap for our capture-the-flag segment be sure to stay tuned though because live week continues with more coverage really all week long so make sure you check that out and if you miss some of the live coverage don't feel too bad I it will be posted where you're able to watch it after the fact but you know some slot of fun and always to new nights Pro TV to watch Daniels content cuz he's doing security crap all this unless you guys this stuff hey that's not that's not a joke we're laughing having fun but I show you how to do things like just like what we saw today absolutely alright well that's it for us signing off righty Pro TV I'm Dom pizzette I'm being a Lowry and we will see you next time
Info
Channel: ITProTV
Views: 88,387
Rating: 4.9519453 out of 5
Keywords: hacking challenge, capture the flag, capture the flag hacking challenge, hacking challenges for money, hacking challenge yt, how to learn hacking, Hacking challenge sites
Id: wb7m_Y_3irg
Length: 42min 3sec (2523 seconds)
Published: Tue Jun 25 2019