CTF Challenges For Beginners | RootMe TryHackMe

Captions
What's going on. Today we're doing a step back to the basics and we're doing a beginner CTF challenge. The beginner CTF challenge name is RootMe, and I think most of you guys have gone over this challenge in TryHackMe. So basically this is the room. As you can see in the description: a CTF for beginners, can you root me? In this challenge we're gonna take a step back and cherish the basics that we have learned at the very first of our journeys in this field. So basically we're going to go over reconnaissance, getting a shell and privilege escalation, all of these steps here. All of the tasks are easy to answer, as you will see down in the video. Now let's first explain the flow, or the workflow, of this challenge and then we're gonna do the practical side. So as you can see, the very first thing we will do is the nmap scan, which is the first thing you would do if you are doing a scanning of any device, of any machine. After the nmap scan we step to directory brute force, and the reason for that is when we scan the machine, among the ports that we will find open is port 80, and also we have port 22.

So this one is for SSH, as you know, and this one is for HTTP, as you know as well. So since now we know the HTTP port is open, we're going to open the page and see that we have a simple page. We're doing directory brute force to look for hidden directories on the web page. We will discover a couple of hidden pages on the directory, on the site. Among the hidden pages, as you see, we have cpanel and also we have uploads. So the directory uploads is kind of intriguing, therefore we take a look at the uploads directory to find that we have an upload vulnerability in which we can upload a reverse shell. So the first thing that comes to mind is upload a PHP reverse shell, and there is no filtering mechanism on the web server to filter for file extensions, so we're going to upload here .phtml. Of course the original file is in PHP, but we want to make sure that the reverse shell gets through, that's why we put it .phtml, or we can use any other extension such as .php7, you can also use .php5, as you will see now. Now after we get a foothold, basically we elevate our game to seek privilege escalation. So in privilege escalation we look for files, that are binaries, that have the SUID bit set so that it can be executed as the owner. So the SUID bit is actually, when you list the permissions of any binary or any file, if you see the letter s among the permissions, such as read, write, execute, and you have s here, this means that the binary or the program or the application, you name it, can be executed as its owner. So say if the owner is root here, right, and the group is root, this means that we can make the binary execute as root. Why? Because it has the SUID bit set. That's why, as a security precaution, do not put the SUID bit set on files owned by root. So exploiting the fact that we will find that python has this SUID bit set, we will go to GTFOBins, ready methods to exploit binaries, GTFOBins, and we will land root. So that's basically the workflow of this challenge. Now let's step to the practical side.

So as we mentioned earlier we have two open ports, 80 and 22. Take a note of the nmap command that I used here: -sV to scan for the versions of the services, and -sC, it uses the nmap scripting engine. So basically here, you know me guys, I don't show the nmap scan command all the time, but actually since we are tackling a very beginner machine here we need to show the actual basics of this challenge, that's why I showed the command here, and these are the results. Now since I have port 80 open I'm going to navigate now to the page and see what it looks like. So going to the page, oops, I typed it wrong, this is the IP, and then we go to the page. So basically this is the landing page of the RootMe challenge. If you type something, I thought it's interactive so that you can type commands, can you root me, all right. So I'm not going to spend much time. You can also take a look at the view page source, there is nothing worth attention here, so we're going to close this one and go back, start our directory search, that's what we always do when we give up on the page. So you can do directory search using DirBuster, you can also use gobuster, you can also use ffuf, there are a couple of tools to perform directory search. I'm going to use now ffuf and I have my command ready here, let's see. No, this is not the command I want to use. So basically first I define the URL, so my URL is here, and then I define the wordlist, -w /usr/share/wordlists/SecLists, I have SecLists, then we can define Discovery/Web-Content. Okay, let's see what we have. All right, so these are the files that we can use as wordlists. So since we are brute forcing for directories we need to choose one that is big enough to cover all of the names of the directories. Let's see here: raft small files, extensions, words, medium extensions. I think we don't have one for directories here, is that possible? Ah, we have one, raft medium directories, but I think we don't have one for large. So small, medium, no large.

All right, let's try out the medium one, lowercase, let's just pick up the normal one, .txt, and we start. So it seems like I have a problem, let's see. One error occurred: keyword FUZZ defined but not found in headers. Aha, we didn't select the keyword FUZZ here. So basically in ffuf we have to select where to fuzz. Since we're fuzzing directories, it comes directly after the address of the target page, in this case it comes here. Let's start now. So see here, it immediately started to give out the name of the directories: uploads we have, and panel. So let's go to these and discover them. panel: select file to upload. Now if you go also to uploads, my guess is that I made a mistake at the very first of the video. I said that uploads is the page where you upload directories and that's fine, but my mistake was to say that here you will upload the PHP reverse shell, and that was wrong. We'll upload the reverse shell here, so we'll exploit the file upload vulnerability under the panel directory, not cpanel. Actual cPanel, I heard the word a lot since sometimes I deal with web hosting, so it's panel and not cpanel. Okay, so now we select the file. So open a new tab, and now let me mount my directory here where I can find all of my tools. cd back, unless, where is that repo? Okay, so go to tools, let's see here. So now we're looking for the web shell, so php, upshot, and this one is a web shell, this one is a reverse shell. We will pick up the reverse shell and we're going to open the file and make some changes. So the changes are the port and the IP address. I am fine with the port, I'm not going to change it. The thing that I need to change is the IP address, since my IP always changes, so we'll need to update the IP address with the correct one. Okay, then that's it. So next step now we will just rename this file, so cp, copy the file and give it another name, say shell.phtml. This is an example just to get around the prohibited extensions and to make sure that the file gets through the web server.

So name it like that and we can go here, browse. Of course we're going to need to open a listener, let's see here. So we go to repo, tools, php shell, reverse shell, and this is my guy, upload. Okay, so this means that the file has been successfully uploaded. Now to trigger the reverse shell we're gonna have to navigate to that, so refresh the uploads directory and we can see our reverse shell has been uploaded. We're gonna trigger this to make the reverse shell connect back to my listener. Trigger me. Okay, now we got the first foothold access. id, and now we are the www-data user. Now let's stabilize the shell, make it more stable to ease the process of issuing commands and interacting with the system. So in this regard I'm going to go to my notes, reverse shells. Aha, always my Windows Defender catches my reverse shell file and sends it to the trash, so I'm gonna need to tell Windows Defender please give me my file back and whitelist it. It doesn't understand, I need to whitelist it every time, that's my suffering with Windows Defender. So I'm going to say, device, I'm going to go to protection history, go to threats allowed, making sure I'm allowing the right threat, so it is reverse shells, that's fine. Okay, it has been restored, now let's check back. Okay fine, now let's go to the part where we can stabilize the shell, let's see here. All right, stable shell. First we're gonna issue the pty, so close this one and this one, okay, and next I'm going to export the TERM, Ctrl-Z, and on your attacker machine issue this one and you will get this type of shell. Okay, so right now we have a more stable shell. The next thing is, as I told you at the very first of the video, we're going to look for files or directories that have the SUID bit set. So we're going to go now to my Linux guide, I'm going to issue the find command and see what I can find, so search in all directories for 577.

Let's search for SUID. So nothing in here. I'm going to look for the Linux privilege escalation notes, in this case, and search for SUID, which set. So I have one here, so we have two options, let's take this one. So there is nothing in here, how about this? The first one didn't work, let's see this one. This one seems working, so we have a couple, as you can see, binaries that have this SUID bit set. Long story short, I think this command is kind of overwhelming for you guys, I'm gonna try a new one: find -perm, you can also try -perm /4000, for SUID set, this is another way, and then say /dev/null. Okay, that's easier to follow. So many binaries right now. Of course in a real world scenario you're gonna go ahead, make a copy of the machine on another virtual machine, okay, and try out exploiting every single one of these. So following this methodology you will find that python is the right one that you can exploit and get root. So in this regard we can go to GTFOBins and see how we can exploit this one, GTFOBins. Moreover we can just copy that and say ls -la. So as you can see the python is owned by root and has the SUID bit set, can be executed by root, right, as the owner root and also as the group root, can be read as root and executed as root. So let's take a look here at GTFOBins and search for python. So here we can select SUID as the method to exploit, and let's see: sudo, capabilities. So what do we have now? sudo install -m, okay, never mind. This python -c import os, os.execl, this one invokes shell as the new user, or as the root user. So how about we try this one, let's try it out. No such file or directory. Okay, let's copy this one. It seems like we're gonna have to invoke python from the full path and then gonna copy this part. id. Ah, there you go, it's root now. So we're gonna go to root and cat root.txt, that is the flag, here we go. So now since we finished the challenge let's now go to the room and see the questions that we have to answer.

Reconnaissance: scan the machine, how many ports are open? We found we have two open ports. What version of Apache is running? We're gonna have to step back and the nmap scan, let's see here, so it's 2.4.29, let's do that quick. What service is running on port 22? It is SSH. Directories on the web server using the gobuster tool, well, I'm sorry guys, I used ffuf, that's fine. What is the hidden directory? It is panel. Getting a shell: find a form to upload and get a reverse shell and find the flag user.txt, the flag, right. So let's now search for this user.txt flag here. So use the find command, all directories, -type f -name user.txt. So we have it under /var/www, cat, and this is the user flag. Okay, lastly it is the root flag. Now search for files with SUID permission, which file is weird? Yep, it is the python. It's actually indeed weird guys to have python, to have python SUID bit set, right, it's very weird, that's why we stepped immediately to this file to test it, to the binary sorry. So this is the weird one. Completed. Root, nope, this is not the root, this is the root flag already. Then that was RootMe, so easy, beginner friendly, and it's a great machine if you are already getting started with testing or doing pen testing for the machines, or even if you're preparing for OSCP, it's still an easy machine to conquer. So that was for today guys, I hope you find that helpful and definitely we will see you in the next video.
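The SUID review the video does by eye, as an added example written for this page (not the video's or TryHackMe's own code): a POSIX shell audit that reads the output of find / -perm -4000, skips binaries that normally carry the bit, and calls out an interpreter like python as critical. The baseline list and the sample find output are constructed assumptions, not taken from the machine.

```shell
#!/bin/sh
# Added example (not from the video): audit SUID binaries against a baseline
# of binaries that normally carry the bit on a Debian/Ubuntu-style host.
# The baseline and the constructed find output below are assumptions.

# Constructed sample of what `find / -perm -4000 -type f 2>/dev/null` prints
# on a box like the one in the video (python with SUID set is the odd one).
SAMPLE_SUID_LIST='/usr/bin/passwd
/usr/bin/sudo
/usr/bin/chsh
/usr/bin/python
/usr/bin/newgrp
/bin/mount
/bin/su'

# Baseline of SUID-root binaries expected on a stock system (trimmed, assumed).
BASELINE='passwd sudo chsh chfn gpasswd newgrp mount umount su ping pkexec'

# Interpreters and utilities that should never be SUID (GTFOBins-style shell escape).
INTERPRETERS='python python2 python3 perl ruby bash sh vim find env'

# flag_unusual_suid: read absolute paths on stdin; print each path not in
# BASELINE, tagged CRITICAL if it is an interpreter, REVIEW otherwise.
flag_unusual_suid() {
  while IFS= read -r path; do
    [ -n "$path" ] || continue
    name=$(basename "$path")
    # strip a version suffix so python3.6 or perl5.30 still match the list
    base=$(printf '%s' "$name" | sed 's/[0-9.]*$//')
    case " $BASELINE " in *" $name "*) continue ;; esac
    case " $INTERPRETERS " in
      *" $base "*|*" $name "*) printf 'CRITICAL interpreter with SUID: %s\n' "$path" ;;
      *) printf 'REVIEW unexpected SUID binary: %s\n' "$path" ;;
    esac
  done
}

# count_critical: number of CRITICAL findings for a newline-separated list.
count_critical() {
  printf '%s\n' "$1" | flag_unusual_suid | grep -c '^CRITICAL' || true
}

# Run against the constructed sample; on a real host pipe the find output in:
#   find / -perm -4000 -type f 2>/dev/null | flag_unusual_suid
printf '%s\n' "$SAMPLE_SUID_LIST" | flag_unusual_suid
```

The mitigation that follows from a CRITICAL hit is the one the video states: clear the bit with chmod u-s on anything root-owned that does not need it.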
Info
Channel: Motasem Hamdan
Views: 9,947
Keywords: CTF
Id: pc_NCJW6bl4
Length: 19min 57sec (1197 seconds)
Published: Thu Mar 03 2022