FREE STUFF? TryHackMe - "The Great Escape"

Captions
Hello everyone and welcome back to another John Hammond YouTube video. We're gonna have some fun today. We've got a little standing desk going on so we can be a little bit more mobile, have a good time here. A few days ago my good friend Fawaz reached out to me on Twitter and he said, look John, I'm putting together this super cool, extravagant little scavenger hunt TryHackMe room, and inside the TryHackMe room there are going to be some giveaways sprinkled in. You can potentially win an eLearnSecurity Junior Penetration Tester exam voucher, you could win some TryHackMe vouchers, some Throwback vouchers. I think, you know what, let's dive into this, let's just do the thing.

So I'll hop over to my little computer screen here, and here we are at The Great Escape. It says: "Our devs have created an awesome new site. Can you break out of the sandbox?" It has a medium difficulty, so I'm probably gonna get my stuff pushed in, but let's tinker. This is totally a raw video, in that I have never seen this before, so I will try to pause the video when we do stuff that I'm absolutely failing at, but I'm literally going in as cold as I can right now, so we'll see how this goes. "This room is linked to a community giveaway by the wonderful Fawaz." That is totally true, that's an absolute fact, he is in fact, without a doubt, wonderful, so go give this guy some love, guys. "Any user who completes this room within three days of release", as in the 17th of February 2021 (so hopefully this video will be able to go live at that point), "will be entered into a raffle for the chance to win one of the following prizes: one eJPT exam voucher, one of two Throwback network vouchers, and one of seven one-month subscription vouchers to TryHackMe." So that's it, man, that's what we're doing. We're gonna dive into this. We've got the IP address and everything ready, I've connected the VPN and spun up the machine, joined the room, so let's
bump around. I'll fire up my terminal here. Let's make a directory for The Great Escape. This is the first time that I'm recording on the upper monitor, so I'm gonna have to look down repeatedly to actually see my keyboard, because I have not yet mastered typing while not looking at my keyboard just yet. Let's start with a little nmap scan: we'll do an nmap -sC -sV -oN nmap/initial and slap in that IP address. There we go. I should have put that in verbose mode, gosh darn it. While that's doing its thing we can just kind of go see if there's anything worthwhile on port 80 on our own here.

Yeah, okay, we have a "Docker Escape" Nuxt title, which is spooky wooky. Photo Classroom: "Welcome to the Photo Classroom, check out our courses to get started." Okey dokey. I'm gonna hit Ctrl+U just to view the source here. A lot of weird JavaScript files being included. All-in-one-line inline CSS, that's disgusting, oh my gosh, that's so hard to read, I'm not even going to read it. More JavaScript files. Okay, these are all _nuxt. What is that, what is Nuxt? "The intuitive Vue framework." Oh no, no, no, cool modern hipster JavaScript frameworks, you're killing me, dude. All right, let's put that away for now. Let's check out the courses. Oh, I need to log in. All right, let's check out the admin panel. Still probably need to log in. Is there anything neato benito on this page? Nope, just more Vue. Let's create an account: "Signups are currently disabled to prevent rogue accounts." How did they know? How did they know I'd be here? Nmap's still cranking, I really should have set that in verbose mode. Okay, log in as admin and admin? Nope, that was too easy. How about password? Right, nope, still too easy. Okay, how about pass123? I'm just kidding. Let's try some SQL injection, you know, good old ' or 1=1. Slap that in. That's using kind of a SQLite syntax there when we use the hyphen hyphen, or the
dash dash, for a comment. That fails: invalid username and password. Let's switch this to a double quote. Yup, still no. Cool, dash dash again, nope. Great. Let's do the gobuster, how about that. Let's do a little gobuster dir -u, and we do want to go to that IP address so we'll slap that in, we'll do a little -w, let's throw in /opt directory-list lowercase, and that died: "the server returns a status code that matches the provided options for non-existing URLs". As in, that thing just returned... so if I were to go to /anything it would just be like, yeah dude, totally cool, it's still a 200 response, right? Is there a little cheeky robots.txt? I mean, it's a Vue framework, it's a JS thing, I really doubt it. Oh, okay, we should have done that first, ladies and gentlemen. All right, so we can't go to /api. /exif-util, as in maybe exfiltration utils, is weirdly commented out. I don't know, can you have comments in robots.txt? Is that a thing? And anything.bak.txt, that's pretty juicy, might have some good stuff. Oh, "nothing to see here, move along". Is that right? Is that right?

Our nmap scan's finished. Let's try to gobuster dir that /api endpoint there, see if it gets any good love there. Let's check out that nmap scan. If we take a little subl in our nmap directory, we've got some good SSH here, we have a strange generic-lines output that I don't exactly know what that is, port 80 does see nginx, is that an old nginx version or something? That looks like a low number. robots.txt has those entries, yep, as we saw: exif-util. It's weird that that is just kind of commented out, so let's go back to that thing. /exif-util: Exif Utils, upload file and from URL. What is this going to process it with, though? It's not like I can do a PHP upload. What are the prompts here, by the way, what am I supposed to do? "Start off with the simple web app. Can you find the hidden flag? Find the flag hidden in the web app."
What kind of... is there a flag format? Is it THM{}, is it flag{} in curly braces? Should I still be digging through source code? Can I actually see the contents of that _nuxt directory? Nope, totally forbidden. Well, just for safekeeping, let's totally make a mirror directory and hop over there and let's try and wget -m that whole thing and download literally everything that you see, because if there is a flag in one of those JavaScript files I just kind of want to see, I kind of want to know. So I'll do a cheeky strings on literally everything. Oh yeah, I know it's a directory, they're all going to be in _nuxt though. I can do a find, right? Yeah, find to list out all the files in the current directory, and then we'll just do a while read line, which you could totally do in xargs, but let's echo that, or, excuse me, let's strings each line, and we need a done there to actually, you know, do that. Boof. All right, now we get a lot of output. Let's see if we got a little THM curly brace. Nope. How about a little flag curly brace? How about a little fawaz curly brace? Nope. Okay, not exactly helpful, I'll be honest, not really handing me any favors here.

Let's go back to our good old exif-util, and if dirbuster isn't finding anything out of that /api, which it still hasn't, I might just be a crazy dude and gobuster the thing again out of that exif-util endpoint. So let's do that, /opt directory-list, because I want to see if there's like a /uploads. No, that actually gets me to something, so that's not extremely helpful. Maybe it does something weird with the API when I upload something, though, so let's make a directory uploads and then let's subl a test.html. I guess we'll throw in a little good, proper, standard... oh okay, thanks Sublime Text, just crank that out, I appreciate that. "Test, this is a test", and that's all we need. So let's go ahead and upload this file. I think I'm going to be in ctf, I'm going to be in
tryhackme/great-escape/uploads/test. Yeah, that cried: service temporarily unavailable. Are you kidding me? Filename test, the form data is totally fine, "a padding to disable MSIE (Microsoft Internet Explorer) and Chrome friendly error page". Is the API broke? Wait, there's an admin cookie now. Weird. An auth token local = false. I feel like that's going to be some Vue thing and I won't exactly know what to do with it. So "from URL" might be worthwhile, though, if that API just isn't doing things. Let's go to /api again. It says "nothing to see here, move along", which is lying to me because we know exif is in there, but that's just broke. Exif Utils must be getting metadata, it must be running exiftool. So is it just going to run a command with that? Will it download a file as an image and then run a command with it?

Let's keep bumping around. I'm gonna copy my headshot in here, so let's get that stupid mug going on, and let's see if we can just spin up a little Python server to, you know, whack this thing. So I'm gonna move into that other directory, or another terminal where I had put this, gosh, so that's in uploads, and then we'll use a little python3 -m http.server. Cool, now we're up on port 8000. So my IP address is that thing, so if I were to simply go to http://that-thing:8000/headshot.png, you stupid boy, that's it, you get my ugly mug. So let's go to "from URL" and get that exact same thing again. Let's move this terminal over here just so I can see, hopefully, the requests come through. We'll do it: "Something bad happened. Please verify that the URL is valid." Excuse me? Oh, stupid port. Now we've got the request tab open, we have the server open and we have the thing, so let's do it. What is wrong? "Please enter a URL to an image." That is literally a URL to an image: http://ip-address. Are you sketched out about my port 8000, is that what it is? Do I need a domain name?
Let's do this on port 80, then. Whack. Now going to that on port 80 will still give me my headshot, and, oh gosh, bring me back to exif-util, go to "from URL", include that in there. Let's just do it from that page because that already had the thing up. "Something bad happened. Please verify that the URL is valid." What is the problem? Let's check out the request tab: there's a GET /exif?url= that... oh, that's another service temporarily unavailable. Is that intended? I'll be honest, you know, is that a thing? Let me reach out to Fawaz just for a sanity check, because I'm not exactly positive if that is what it's supposed to do. url= gets a service temporarily unavailable; /api/exif, nothing to see here, move along. Yeah, it's worth asking. I think I'll pause the video recording.

All right, ladies and gentlemen, we're back. I asked around, and thanks to the community they told me that yeah, actually, the 503s are intended because of rate limiting on the login. While I was asking around I just kind of reverted the box and spun up a new one, just in case, like, okay, if it wasn't intentional then I would need a new instance, and if it was intentional, anyway, who cares, we hadn't really gotten anywhere yet. So now we have a new IP address, and if it actually is in fact a rate limit then maybe my serious amount of gobuster wasn't exactly helping. So let's go check out the new IP address, which is up. Okay, so we know from our robots.txt here we've got these instances, /api and /exif-util. Let's try and get to that /api/exif now, and that still kind of dies, so maybe that's not actually what I need to go to. However, that actually does end up returning something now, so a GET on its own, using an HTTP GET method on its own on that /api/exif endpoint, seems to get that 503, but GETting with the url in there does actually return something. So let's see if we can go ahead and get that headshot one more time. Now that looks like it's actually
getting a response from a URL thing. I don't know how this is doing it, maybe it's running curl or something, but we should be able to just run a little headshot.png and there we go, exif. I'm not positive what this is doing or how it's doing it, but I don't know what information might be present here. Am I going to be doing command injection, am I going to be doing something? So I can see the requests come through server side, right, there's that, but can I include an ls with a semicolon here? HTTP 404 file not found. I don't know exactly what is processing this. It does, however, see the server, and this is just a view-source thing, so can I run that? Okay, okay, that dies. Great. How about a little backtick? Did I just straight up kill it? Did I just break that yet again? God damn it. Okay, no, it's doing its thing, but those other strings don't want to work for me. Okay, can I request locally? How about that: file:///etc/passwd. "FileURLConnection cannot be cast to a java.net.HttpURLConnection", sun.net.www.protocol. Why can it not be requested? What if I go back to uploading a file? Does it actually upload, maybe? Does it store it anywhere? Let's go to exif-util one more time. Let's upload that file, let's do that headshot, submit it, and it just displays that out. Not helpful, though. Let's upload that test.html: "file format cannot be determined". Exif Utils, Photo Classroom, what am I missing here? Is there more in this API? I don't want to dirbust it, I don't want to gobuster it again, because what if it just kills the thing?

Simple web app: "Start off with the simple web app. Can you find the hidden flag?" Oh, there's a hint: "A well-known file may offer some help." You mean like that robots.txt that we were getting at? Is the... oh no, is the backup thing something I'm actually supposed to go to? Is there like a flag.bak.txt? No, there's not. Literally *.bak.txt? No, that's not a real thing. index.bak.txt? What are these pages that I can go to? You can see me completely
lost here, so fun, fun, fun video. Allow everything, disallow /api, disallow /exif-util, and there's nothing else in this file, obviously, because it's a text file. Is there a robots.bak.txt? No. Is there a login.bak.txt? No. Those are the only pages, though, supposedly. /api: nothing to see here, move along. That's HTML, though, isn't it? /api/index.html? I don't know how Vue and this Nuxt thing is going to end up rendering. Oh, that's actually a thing, though. There's no way that's going to end up having its own backup file, though, in its own subsequent directory. It's not .bak.txt, right, or am I misinterpreting? Oh, "resource not found". Lol. /exif is the only thing that actually returns something, but that dies with an internal server error. Is there a flag in the internal server error? That would be fun. Mm-hmm. Let's try to get our file:// things in here again. "Files not allowed", sun.net.www.protocol. I want to know what this thing is. There's nothing in courses. Is there anything in courses? No, I can't get in there. Is there an admin.txt, or admin.bak.txt? Spinning. Is that an actual request there, or is that just gonna die? I don't know, because this isn't going to return HTML, that is just not loading. courses.bak.txt? Did I break the server again? anything.txt is just hanging now, supposedly. Hmm.

Okay, well, if we uploaded a real thing we get this exif data, and I don't know if that's being processed by a command, though, so if we give it a 404 it returns a file not found, as it should. If I just do a little netcat listener to call back to me, can I see what it does? Oh no, I'm trying to type with my keyboard beneath me. Java 11.0. It's looking for JPEGs. Ah yeah, it dies, makes sense, it's not going to render out the HTML, which makes sense. We can't access local files, supposedly. "Never occurred", "file format cannot be retrieved". We made the thing hang. What? Let's go back to our gobuster with the /api. Didn't get anything, though. In fact, I broke the thing when I
tried to restart the machine. Did we ever get any hits whatsoever? No, not at all. Can I use wfuzz or ffuf? ffuf, right, ffuf is the thing that lets me fuzz a thing. Do I have ffuf? ffuf: not a thing. Let's, you know, let's get it: git clone, cd ffuf, go get. I do have Go, pretty sure. Let's move it to my /opt directory just in case it throws anything in my current directory. I think Go just puts it in the GOPATH or Go binary thing. There we go, now we have ffuf. And now I think I need to reset my path. Where did you put it? ~/go? What is my GOPATH? Oh god, do I actually have Go? No, I mean, I do. All right, let's go build, you know what I'm saying. Yeah, just download the thing: clone it, download it, get it and build it. I don't want to deal with that path stuff right now. ffuf, incredible.

Okay, so we need a wordlist, which can be directory-list medium, and let's do that URL, right, http://this-thing/FUZZ.bak.txt. However, is it going to take forever to load? No, okay, it's actually good. FUZZ, right, .bak.txt. Oh, I kind of wanted that output, actually, to see that. Help, help info: wordlist, URL, -mc all, -fs 42: fuzz, match all responses, filter those with content size 42, color, verbose output. Oh, I want that colored verbose output. Okay, those are all going to return things with a status 200 of 141 words, so that syntax said filter out content size 42.
So -fs 3834, right. I have no idea if that will actually return literally anything, but let's do it, fingers crossed. It probably won't get any hits. Only 207,643 things to do. That is the syntax according to robots.txt, like that is the filename schema, .bak.txt. Yeah, this is something that should have been a livestream. Seemingly no flags here. Ultimately we're still looking for a flag, but we need to get on the box too, "one of the machines". Oh, as in there's multiple? That's exciting. "A well-known file may offer some help. Find the flag hidden in the web app." We know through robots.txt that /api and /exif-util are things, and so is a .bak.txt. We're fuzzing the .bak.txt. /api is seemingly a dead end, but there's no way that's a dead end. If we go back to this, what can I upload? That gets a "service temporarily unavailable". If we go back to ourselves, what was my IP address again? Oh no, ffuf, don't do it, don't display like that, you're gonna hurt yourself. Oh, I killed the other one. /headshot.png: "something bad happened". Is that... oh god, I broke it. It's dead because I was straight fuzzing with ffuf. Oh no. Should I just let that go? I feel like it would have found something by now. I'm running out of steam, guys, I'll be honest. How is that... oh, is everything broken because of the rate limiting? I'm just looking at cached pages right now. No, this is dirty, I feel so bad, I have to keep rebooting the box. Gosh. All right, this is going real well, everybody.

Okay, I have got a new machine. Hopefully we won't have to deal with all the rate limiting. Let's just get ourselves back in check. If we're finding a .bak.txt and we can't fuzz with ffuf because of the rate limiting, maybe it's got to be some things that we know already exist. We tried login, we tried index, we tried api, right, but I mean that's a directory. What about that exif-util thing on its own? Oh, oh, okay. So this is the source code for the exif-util functionality, all the Vue stuff, and once we submit something it has
a URL, and if you submit a URL it retrieves something from http://api-dev-backup:8080/exif. Okay, so that is new, but that is probably something like... that's a different thing, because port 8080 isn't accessible or visible to me. When I nmap scanned it we didn't see 8080, so I wouldn't be able to reach that locally from my own attacker machine, but this thing maybe can. Can I reach this API through the other one? So we want to go to this page, and we were going to /api/exif and that gets our internal server error, but we need to supply a link, so url can equal this. Paste that in, and that gets the "nothing to see here, move along" HTML. I'm repeatedly getting messages, stand by, pause the video.

All right, but if this is just the API, is that one going to be rate limited? Can we hit that thing that just is the API? So there's not going to be anything else there other than /exif, as far as we know, but that gets the internal server error. Can I request things? If this is the backup API, is there more to this? Is there like a flag right there? No, seemingly. "Could not find a resource for full path." I don't know what that means. I don't want to fuzz this thing, though, because it's just going to break again. Can I request things through this? But I'm going to need to URL-encode this question mark, right, or will that work if I just try to go to me, this IP address, right, that's tunneled through? I don't know if that will work. Response timed out. That thing probably can't reach me, or can it? No, it can't. I'm looking at the time and that's not the latest thing. So can this thing read files? "Request contained bad words." What? What are the bad words there? "password", or just "file"? What are the bad words? "File format cannot be determined, retrieve content." It got nothing because it's not a real thing. file, file:, file::: bad words. Okay, so that is disabled. Is there anything that this can reach locally? Oh god, on itself. If we
set the URL to call itself, we can go to 8080 again: nothing to see here, move along. But then we're just getting nested for literally no reason. Now /exif: there's no reason to do that unless there's more functionality in this for some reason. I don't know, I don't know. Can this thing request a file? That's just completely taking a guess at a URL parameter. Probably nothing there. Is there a standard for APIs to have a... what is RESTEasy, that thing? Oh, that's probably the kind of API: RESTEasy, JAX-RS. Is that why there's no actual help for that, or is there? I want to know a list of your endpoints that this API can offer. If we use a file on this thing do we get a... by default, if we use a file, /etc/passwd, do we get a "request contained bad words"? No, it just says that, so that's different. When we use file, /exif?url=file, is there some weird... no, that won't work. Oh, that one is using curl! Oh shoot, okay, that's how we get access. Okay, okay, okay. Do we use a little, you know, if that is just straight running a command? That dies. --help, /ls, come on, come on. Yeah, there's new info there. Let's do a little whoami, you know, let's just see who we're working as. Let's get a reverse shell, right, or can we get a reverse shell? This thing can't reach us. Is this the only command application stuff that we have? Like, command and... no, no, let's just run the find command. ./application, that's literally it. Can I just cat the application? Oh god, cat application. What have I done? See how long this takes to come back. Checking my phone for a moment. Okay, that died, read timed out. Can I ls -la /home? root, root. What is in this? Also, where is this flag that I'm supposed to have? Oh, can I get those backups now? Like, what are we listening on? /home has nothing. How about our home directory? /root has a dev-note. All right, we need to stop running /help at the very top of this because that's
kind of useless. We do have dev-note, though, so let's cat that out: cat /root/dev-note.txt. Ooh: "Hey guys, apparently leaving the flag in docker access on the server is a bad idea, or so the security guys tell me. I've deleted this stuff anyway. The password is fluffybunnies123." Password for what? "Cheers, Hydra." Well, that's new. Let's save this stuff just to keep these things in mind. I guess we should start a little README. README, slap that in. Okay, password for what? Is that something that I can SSH with? Is it going to be SSH into that? So fluffybunnies123 is the password if I were to SSH into... well no, that's not going to be, seemingly. That is a password for the backup, right? We know SSH is open, but that's going to be, quote unquote, the production server. Is it still open? Why did that take so long? Why did that not return anything? Maybe that's for the backups. Nothing in /opt. How about /var? There is /var/backups. That's nothing there. SSH just straight doesn't come back. Wasn't SSH open in our stinking nmap? 22 is totally open, I understand. Let's keep looking around, I guess. The file system: there isn't a /var/www, though, which is weird to me. There is a .git, though, which is peculiar. We should be able to see our .dockerenv because we know we are in there. Oh, there is a /work directory, that's new: /work/application, and that's a file which is way too big. Can I horrendously base64 this application, /work/application? Because I don't know what the file might be. It's huge, though. There's no way that's going to come back in time. That will not work, I don't think that's going to work. Nope. Okie dokie, so what else do we have? Oh, oh, oh, maybe we can cat out /etc/hosts to get a better idea as to what APIs are in here. Yeah, yeah, yeah, okay, so 192.168.112.2 is going to be api-dev-backup, so that could very well be useful. I wanted to copy that, not open dev tools. Copy that. A little bit of new intel.
What else do we got? You know, a regular reverse shell would kind of be nice, but I'm not positive that this thing can call back to me, because it's kind of an internal IP. If I run ip a? No, I don't have that. Do I have ifconfig? I don't have that. What do I have? I don't have anything. Do I have netcat? "URL contains bad words." Which netcat? It doesn't like netcat. nc, /bin, what's in /bin? Classic, same old stuff. Crap, what do I do? Do I have Python? Also contains bad words. How about "pi thon": echo python piped to tr, delete spaces. Oh god. Do I have bash? Also contains bad words. There's some filter going on that's janky and annoying. What is my shell right now? I probably just can't run bash whatsoever. Yeah, okay, request contains bad words. What other things can I use? perl is also filtered out. Hmm. There was nothing in /home. Oh god, did I break it? No, okay. Don't you put that evil on me, Bobby. /media, /mnt, /opt, /proc, crap. The only... maybe Docker is listening on... do I have docker in this? No, because I am in a Docker container. Do I have netstat? No. SSH has to come back at some point, right? All I have is a password. "Find the flag hidden in the web app", which we don't have. Oh god, okay, that was weird, computer's dying. There is no flag.bak.txt, we already saw that. We can look with a find -name. Oh god, this is gonna kind of be horrendous, though. I mean, it's a Docker container, it shouldn't take too long, right? flag, -name flag, find. Yeah, I mean, okay, there's stuff, nothing good, though. "Apparently leaving the flag in docker access on the server is a bad idea, or so the security guys tell me. I've deleted the stuff anyway. The password is fluffybunnies123. Cheers, Hydra." Can I log in with that? hydra, fluffybunnies123: invalid username or password. Hydra capitalized? admin? Oh, I'm at my wits' end, everybody. Okay, so the flag format is seemingly THM, but "silly devs leaving their backups lying around". I don't think I'm that far anyway. Let's try to do a wget back to me just to see, you know, don't even
have wget. Freaking... we definitely have curl, but that's gonna fail, like we know that's gonna fail. I really think SSH should be up and functioning, right? Oh, it has a question mark, it doesn't even know if it's SSH. It might not be. What is that? Hello? Why don't we do a little aggressive nmap on port 22, tell me if that's SSH or not, because I don't think it is. This is a struggle bus, y'all. Got any more hints for me? "We're root in a Docker environment, question is how can we break out without access." Well, is there a Docker service up and running, HTTP-wise, that we could access things through, through the original web page? Like, we know that we are api-dev-backup on 8080 on .2, but if we were to go to .1, that is a thing that should theoretically return the page. Ah no, that didn't return. I don't know how else we could access the original box through this Docker container.

All right, took a quick break, let's keep trying. curl isn't working. We know we have this dev note with the password. The .git thing is weirding me out, though, like the fact that that's there. Can I cat out that git config? hydra@example.com, name is hydra, and that's the user for git. So can I just simply run git? Yup, so we have git. git log, is there anything? No: "not a git repository (or any of the parent directories): .git". So I need to cd into /root first, but can I have git log work out of a specific directory? If I just move into git, do I tell it... oh, -C is path, is that right? If I do the man git: "-C path: run as if git was started in path instead of the current working directory". Yeah, yeah, yeah, okay, I see it right there, so let's do that. Let's do a git log, a git -C /root log. Aha: "fix the dev note", "remove the flag in original devnote because security", "added the flag in dev notes". Okay, out of the "flag in dev notes", let's do a git show on that commit. Oh, oh, oh, oh, oh, hey guys: "I got tired of losing the SSH key all the time so I set
up a way to open the Docker for remote admin. Just knock on ports 42, 1337, all these things to open the Docker TCP port." And there's a flag. Ooh, the root flag. Okay, so I'm assuming that's going to be the one for this thing, although I have been explicitly asked please don't submit flags, to ruin statistics or whatever. So I'm assuming that's going to be that one, but we still don't have the simple web app one. Dude, why didn't I do that earlier? If we saw git was here I should have at least checked out all those version things, man. We spent so much time bumping around, and now we at least have one flag. "Added the flag in dev notes." Now we know some port knocking technique, which is very slick. Let's slap this into our notes because that's pretty handy dandy. Let's get that in there: "set up a way to open up the Docker for remote admin, to open the Docker TCP port, just knock on ports" those things. But that should be on the original host, right? What is the Docker TCP port by default? The Docker TCP port is 2376 when it's using TLS, or 2375 when communication is in plaintext. Okay. So is there anything else that I should get out of this? Let me see if this does a git show on that: that just removes it, that's it. The other one is replacing the dev note, so git show that one just for a good sanity check, and we have the same password that we already knew. So I hope that was readable, I don't know if my face is in the way. git show, yeah, okay, okay.

Let's do this port knock and see if we can open up the Docker TCP port. So let me nmap -v the original host, this guy right now, considering we've reverted it like seven thousand times, on port 2375. It said, yeah, 2375, that should tell me that it's closed, but it does know that that is the Docker port. So if I were to knock on those ports, let's go 42, let's go 1337, holy cow, 10420, 6969, oh I see what you
did here, I see the sequence of numbers, 63000. Good. And let's get back to our 2375 and see if that service is open. Still closed. I hate port knocking because I never get it right, I never understand how the thing is supposed to be done. There is like a port knock, knocker tool: port knocker github, knock, yeah, yeah, "simple Python port knocking client, knock at that server on those IP addresses", that's it. Okay, do I already have that? Is that in... oh I do, great. Let's move into knock, that's there, we know the IP address here, that thing, and then the ports that we want to knock in the sequence. We'll just spit these and remove commas and remove that word, and so let's slap in those, and it did it. So now let's see if that nmap -v -p 2375 should be open. Yes! Script kiddie coming back at you, just use other people's tools. I'm just kidding, I would never.

Now we got Docker. I could just totally connect to that, can I not? 2375: page not found. Is there a script? Docker TCP enumerate: "Attacking Docker exposed API". Let me read that real quick. "Today we're going to explore some of the security risks associated with Docker, examining the consequences of exposing the native Docker API." Leaks in our world. We could do it with Portainer, I've used Portainer before, very simple lab, good enough, and then you could do it. So it sees Docker and we can curl it with JSON, right? Let's try that. Let's do a little curl here: curl http://that-thing/. Page... oh yeah, /version. Aha, let's pipe that to jq and see what we got here, ladies and gentlemen: Docker Engine Community, latest version, runc, docker-init. Good, good, good. Okay, now test the exposed API using the Docker CLI. Obviously we need to have Docker exposed, yep. Okay, so you need to have Docker installed. I have Docker installed, so let's use that same command, and can I run info? There we go. I think four containers? Is it running it on my machine, though? It shouldn't be. How many
containers are running? ps, yeah yeah okay. So we got some stuff: endlessh, that must be the fake SSH thing. What are the images pulled on the host machine? Are there some stopped containers? I guess that's a good thing to, to look through. There are just the same ones. What are the images pulled? I just want to run through this enumeration to kind of understand a little bit more: debian, nginx, analysis, h... okey dokey. Could be images with juicy info, maybe you could run those. Yes, can I access them? "Spawning a shell inside a container is done by the exec command, in this case we want to spawn a bash shell." So checking out the running instances, frontend is a thing and that's running on frontend one, that process. So if I were to just exec -it /bin/bash, will it work? exec -it, container name, /bin/bash, fingers crossed. Okay okay okay, I, uh, I see that now. Uh, obviously I'm root because I'm in that container. Um, nothing in that root directory, lame. ls -la, I'm still in home, let's get to, uh, ls -la.

We know this is a Docker environment, right? There might be some backups lying around. If we're in the frontend we're probably in... backups maybe? No. Hmm, let's do it, let's do a good ol' find again, let's do a find -name on that flag. Same stuff. Let's check out the /etc/hosts one more time, because docker escape.thm, oh yeah, completely different subnet, completely different thing. Okay, but those are only some... this is only one of the containers. exif api, exif api dev, that might be worthwhile. endlessh I think is the trap, because we know SSH is not real, supposedly. dev backup one, well, we were just there, but we were accessing that thing. Um, do I have wget? Do I have curl? curl, I do have curl. So do I... I can just like open nano though, can't I? vim, vi at the very least, pico... I got nothing, I got no text editors to work with. Straight echo and that's it. Do we have sed? Oh, we have sed, oh fantastic. docker-entrypoint.d, listen on IPv6 by default, envsubst on templates. I'm just bumping around
this file system, so forgive me. What is running? I don't have, gosh, ps, I don't have that, fantastic. You could just list stuff out of /proc, it'd be super gross, but we could do it. Nothing in /tmp. We already know everything that's in /var, supposedly; tmp, backups had nothing; cache, what? Um, root had nothing, home had nothing, nginx.pid is there. Cron jobs running? No. Well, let's check those images again, um, because some of those might still be useful, and we should go explore the other ones. I'm going to throw that in my notes: we just bumped around in frontend, which didn't seem to have anything worthwhile for us. Uh, endlessh... which one were we just... which one were we in? exif api dev, when we were running it like within the web browser. Oh, machine expiring soon, don't you dare, I've been doing this for way too long, but somehow still not long enough.

Let's do a little hostname on that api dev backup. So exif api is prod, like the production one. So if I were to grab this one and exec into that... oh, I am not root in this, I am quarkus. So what do we got in here? Hello hello hello, home, so, shalom. cat /etc/passwd, quarkus is a weird boy. Um, I can run whoami again over and over again, but that's not going to tell me anything. ls -la, root, we're still in a Docker container, yes, we know. Um, quarkus in work... oh, now we have actual like command line access though, so we could probably like actually figure out what this application is. Never mind, we could just churn this out. How... wait, this thing's like a freaking gig, isn't it? ls -lah, 50 meg. Is it worth it? I mean, I always say, you know, try everything, so let's do it. Let's do a little base64 -w0 application and let that rip. Oh god, oh, isn't it a beautiful sight, ladies and gentlemen, isn't it so marvelous seeing God's creation spat out on your screen. Dope. Let's, um, let's try and steal this, let's get this one right here, let's copy and paste all of this base64.
My terminal might have crashed. Okay, no, he's still here, he's still here, okay. Let's get that, make a little Sublime Text window, try and paste that all in. Dear God, that's going to crash my computer. We'll let, we'll let Sublime Text work, you know, we'll let it, we'll let him deal with the clipboard. Oh god, has my terminal died? Sublime Text, what'd you do? Terminal died, freaking fantastic. Is this thing still on my clipboard? Nope, Terminator couldn't get it. Uh, all right, well, you know what, we still have some progress here, we still have our docker -H to connect to this. So, am I still connected to the VPN though, am I? Right, like OpenVPN's not going to die. Yeah, okay, application, d-quarkus.

Let's explore endlessh here. Um, exec -it that container name /bin/bash, it doesn't have that, /bin/sh. whoami, root. Is there anything worthwhile in this? Probably not. .ash_history, no. No, sorry, I, I wanted a cat, it's a passwd, not change my password. Nobody. cyrus, who the heck are you? cyrus, it looks like a system account for some weird reason. Um, this feels like a dud because it's, it's just fake SSH. What is, what is endlessh? Gosh dang it, stop giving me these. Do I have strings? Oh, thank God, I have strings. Okay, just in case this is a binary file, which it is, it's just an SSH client, or SSH server, that's a vortex I'm going to assume. Is that like a known thing? endlessh, that is incredible, I have learned something new. All right, cool, I have fun with that. You know, at the very least I don't think there's anything in this. What else do we have? Is there a way to see the privileges of a Docker container? Because if we could try some like, hey, Docker escapes, or is there more to do with this Docker API? Exploiting exposed Docker, deepce, hmm. Honestly, I haven't done all this all that much, so I'm not... paused one. runc was mentioned in the docker info. Oh hey, it's zero days; these review the docs folder, deepce, can I use this? I mean, I don't want to install packages, primarily because I can't. Oh, you can use no network.
Okay, um, this looks possible, but I still don't know if like any of these are privileged containers. Docker check for, Docker check privilege, how to know if a Docker container... docker inspect --format that thing, okay. Can I do that? And then it needs the container ID. So I'm assuming that frontend is not going to be privileged, right? Is the dev API going to be privileged? Are any of these going to be privileged? endlessh, I don't have a whole lot of hope for you, my friend. Nope. Okey dokey, hmm. What? How did the machine get terminated? I added an hour. All right, TryHackMe is just bugging out, that's fine.

Simple web app, I mean the frontend, I should still be able to actually go find that flag on... I need to go do that because I don't think I ever did. Um, let's go ahead and exec -it /bin/bash, uh, no, it's container first. There should be a flag, but /www is not a thing, /var/www was not a thing, so it's not like a normal web server. Um, however, 80 is running, so like nginx is happening somewhere. nginx, nginx.conf, configuration file, where are you working? include mime types, yeah, but where, but where? Is it the wsgi thing? Is it in conf.d? Yeah, okay, so it's in /usr/share/nginx/html, gotcha, okay. Can I get into admin? Uh, hello, is there a flag anywhere? I have strings, so let's do a little strings everything. I don't have strings, you... what do I have, a grep, for the love of God? Yeah, okay, grep -i, let's do a recursive -i and let's look for the THM. That's not helpful. Um, no, where on the web server am I supposed to find this flag? There's a README. This is rough, ladies and gentlemen. browserconfig, courses is a thing. Is there anything else more in exif? Tell no, same horrendous view, that's another login, unless... is it like in next, robots.txt should still be the same. Oh, I don't know where the heck I'm supposed to find that flag in the initial, but I still need to get to the original machine. I'm still just looking in Docker containers right now. Can, can you exploit exposed Docker API? Oh, can I just
like, can I build a new image? That's a thing, isn't it? GTFOBins, it just has like a quick one-liner for it, and I know I made a video on it and I like overexposed the thing. Um, let's see if I can just make that alpine container, will that just work? I'll be pretty dang happy if it would. You have alpine, do you not? You're not going to be able to pull it down, I don't think. You have images though, you have alpine in your images, alpine, uh, 3.9, the tag is 3.9, looking back here. So, oh, root in the container! I have a /mnt. What we put in /mnt, did we not? Wait, I am in the current one because it chrooted that into that with that syntax. So if I were to check out /etc/passwd, I am hydra, I, I have a hydra user, that's it. Yeah, yeah, type that stupid cat syntax, damn it. Oh my gosh, that was fun, and I still don't even have the web flag. That took way too long and we're still not done.

Okay, um, so that would be the great escape. Uh, we already have root, root, unless that's the simple web app one: "there's a flag hidden by root on one of the machines, can you find it?" Maybe, um, maybe the web app one is that. So let's do a little docker ps one more time and just try like a find command for the things that are owned... I have some Docker ones, so my own local Docker stuff. Uh, docker ps to get into one of these machines: frontend, um, 8080 was the one that has the port exposed. exec -it port /bin/bash, bash, so that will let me into that, and I need to find -name flag.txt one more time, and it's owned by root. I don't have a freaking... can I like privesc in this? I don't have sudo. The only other one that I'm... did we do it in frontend? Did we, did we run that in frontend, like did we hunt for a flag within frontend using find? Because we were root on that. I don't care, I don't care, grep -ri thm, good luck. Let's, uh, put that in one, um, let's put that in one pane, and then let's look again in the api dev backup one, Docker connecting to that. I am supposedly root, let's do a find -name, does this have find, for the love
of gosh, it does, but it doesn't find anything. Let's do a grep, uh, let's get into root, grep -ri thm, we'll set that to a different color. Do the same thing for the original production API. What, what? Oh, it was a fail copy pasta, copy paste, there we go. We don't have find though, let's take -r, let's look for a flag.txt. Can I do a little grep for that? Nope. I probably can't get into root though, but I don't have sudo. Sorry, I've got a notification. Um, I think I'm going down the wrong road here, not gonna lie. Uh, I'm gonna go back to the thought that the root flag is the one that I got while I was root looking in the git logs.

And the simple web app: "a well-known file may offer some help". There is a .well-known file, there is that. Did I just not see that when I was looking in the web root? Forbidden, flag.txt, whatever, this is frontend, in a good old blue, I know you guys don't like that color so we'll go back to the hardcore, uh, black stuff. It's, it's in /usr/share/nginx/html, and there is a .well-known. Oh my gosh, security.txt, excuse me, excuse me, ping api. That's totally flag with a little leetspeak upside down g, but you know, let's just hop on over there because we literally already own this thing. Uh, can we get into the API? Ah, no, whatever, you know what, let's just, stinking, do it from curl: curl -X, give me a HEAD, uh, http get this URL, gosh darn it, slap that bad boy in there. We have double http schemas now. Does it work? Okay, you may... it may not work the way you want, use --head. Great.

Holy cow, that was way too long, that was way too much agony, that was, uh, a horrendous video for you to have to sit through and watch, but, uh, we finally did it, we finally got all of the flags. This was a trial by fire, um, cold case of me trying to jump in and figure this thing out. Um, truth be told, I, I did like ask for some sanity checks, I'm like, I reached out to Fawaz, the, the creator here, uh, like hey, is this 503 server error like supposed to
be happening? Uh, is, is this thing supposed to actually be accessible in the API? Um, am I going through the right order of the flags, because I'm not able to submit them, I don't know what's what. Uh, so I did, uh, ask for a little lifeline and phone a friend on this one. But I mean, look, I hope that goes to show, like, there's no shame in doing that. I hope that goes to show, like, the whole, whole point is to learn, right? And if you're banging your head against the wall for way too long, don't like kill yourself, like you don't, don't, don't beat yourself up, you know. So, uh, that's that. I don't know if anyone would like to see a more formal, actually procedural, like packaged and bundled education video on this thing, but I just kind of just went in for it and stumbled and failed the entire time. But, uh, I hope we had fun, I hope you had fun.

We got the web app flag by finding that .well-known. It took us to the very, very... took me to the very, very end to realize, oh, that's actually indicating the .well-known, and I know that directory, like I've seen and used that for a capture the flag event, like that was in a game that we've hosted. Uh, getting the root one was going through some SSRF, or server-side request forgery, to reach the internal Docker API dev backup thing, um, and then we were able to read the messages in the git log, in the git directory within /root, and that gave us that flag and also led us to the eventual port knocking that opened up the Docker API. And then through the Docker API we were able to just run a, run a new container, start a new instance with the alpine image that's there, mounted the original file system, so we had root on the core actual machine, 10.10.56.195.
So that broke us out of the, that, that helped us do our Docker escape and got us onto the actual machine. So, holy cow, I am, uh, I'm burning out from this one. That was a lot of fun though. Uh, Fawaz, I hope this was the, uh, exciting and extravagant release that you wanted, uh, but this was my solution, agonizingly and painfully slow, but, uh, hey, you know what, that goes to show there, there's so much fail in, in hacking and so much fail in learning this stuff, but you just kind of power through and reach out when you need it. So all right, that's the end of the video, I'm done, that's the end of the video. Thanks so much for hanging out with me, everybody. Uh, if you enjoyed this video, if you like this kind of cool casual hangout session style, me just goofing off and, uh, going in without any notion of what wtf I'm doing, that was this, so let me know if you want to see more like this and we'll do it, and we'll jam and we'll hang out and we'll keep having fun. But please do all those YouTube algorithm things, I'd love to see you hit that like button, I'd love to see you maybe leave a comment, you know, type whatever you want, uh, and smash subscribe, hit that bell, all those things that, uh, overexcited YouTubers put, put together and say. So thanks for watching, everybody, I love you, I'll see you in the next video, take care, goodbye.
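The two misconfigurations this walkthrough chains into a host root shell (a Docker daemon listening on plaintext TCP, and a container started with the host filesystem bind-mounted) are both visible to a defender in the daemon config and in `docker inspect` output. The audit below is an added example, not code from the video or the room; it runs over constructed samples embedded inline (the TLS cert paths are placeholders) and flags the weak setting next to the hardened one.

```python
import json

# Constructed sample daemon.json: the weak setting from the room, a plain
# TCP listener on 2375 next to the unix socket, with no TLS material.
WEAK_DAEMON_JSON = '{"hosts": ["unix:///var/run/docker.sock", "tcp://0.0.0.0:2375"]}'

# Constructed sample of the same daemon hardened: TLS with client-cert
# verification on 2376. The cert/key paths are placeholders.
HARDENED_DAEMON_JSON = """{
  "hosts": ["unix:///var/run/docker.sock", "tcp://0.0.0.0:2376"],
  "tlsverify": true,
  "tlscacert": "/etc/docker/ca.pem",
  "tlscert": "/etc/docker/server-cert.pem",
  "tlskey": "/etc/docker/server-key.pem"
}"""

# Constructed, trimmed-down output in the shape of `docker inspect` for two
# containers: one ordinary, one started with the host root bound at /mnt,
# which is what turns plain API access into a host escape.
INSPECT_JSON = """[
  {"Name": "/frontend", "Config": {"Image": "nginx"},
   "HostConfig": {"Privileged": false, "Binds": []}},
  {"Name": "/escape", "Config": {"Image": "alpine:3.9"},
   "HostConfig": {"Privileged": false, "Binds": ["/:/mnt"]}}
]"""

# Host paths that should never be bind-mounted into an untrusted container.
SENSITIVE_HOST_PATHS = {"/", "/etc", "/root", "/var/run/docker.sock"}


def daemon_findings(daemon_json: str) -> list[str]:
    """Flag TCP listeners in a daemon.json. A tcp:// host without tlsverify
    gives root-equivalent API access to anyone who can reach the port."""
    cfg = json.loads(daemon_json)
    findings = []
    for host in cfg.get("hosts", []):
        if not host.startswith("tcp://"):
            continue  # the unix socket is gated by filesystem permissions
        if cfg.get("tlsverify") and cfg.get("tlscacert"):
            findings.append(f"{host}: TLS client auth enabled (review cert holders)")
        else:
            findings.append(f"{host}: plaintext, unauthenticated remote API")
    return findings


def container_findings(inspect_json: str) -> list[str]:
    """Flag privileged containers and sensitive host bind mounts, the same
    facts `docker inspect --format '{{.HostConfig.Privileged}}'` exposes."""
    findings = []
    for ctr in json.loads(inspect_json):
        name = ctr["Name"].lstrip("/")
        host_cfg = ctr.get("HostConfig", {})
        if host_cfg.get("Privileged"):
            findings.append(f"{name}: privileged container")
        for bind in host_cfg.get("Binds") or []:
            parts = bind.split(":")  # "src:dst[:opts]"
            src, dst = parts[0], (parts[1] if len(parts) > 1 else "?")
            if src in SENSITIVE_HOST_PATHS:
                findings.append(f"{name}: host path {src} bind-mounted at {dst}")
    return findings
```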
Info
Channel: John Hammond
Views: 76,377
Id: 44H4zFM2vtU
Length: 106min 37sec (6397 seconds)
Published: Wed Feb 17 2021