OSCP Practice: Proving Grounds CTF-200-03

Captions
Hey, I'm NoxLumens. I've been going through the CTF-200 boxes from Proving Grounds, and I'm going to be going through CTF-200-03 right now, as you've seen from the title. I've got a whole playlist; it's up here in the right-hand corner, you can click on that card and see the entire playlist if you want to watch one through eight, and I'll have it set at the end of the playlist at the end of the video as well. So I'm just going to do a quick run-through of this, pretty much a sprint. This genuinely took me like all day in terms of enumeration, looking up various protocols and software, trying to get things to run, and debugging and troubleshooting. It actually was pretty difficult. It's rated, what is it rated, very difficult, very hard, something like that, on Proving Grounds, and I agree, because of how much you're constantly looking around trying to figure out what's next, what's next, what's next. But it does feel good when you get it all and everything kind of falls in line. So I'm going to quickly run through this; I'm trying to give you a little walkthrough, and we go from there.

So the way that I like to go, I start off with a RustScan. We can see port 22 and 3000 open. I did another scan with nmap for default scripts and enumerate versions, and then we'll see Node.js there running, title "Markdown to PDF Converter". If we go there we can actually see the web page, Markdown to PDF Converter, and a Google search, if we do "markdown to pdf exploit", we end up at this Fluid Attacks exploit, and it's local file read via server-side XSS. This works for the victim, so if you take this you're reading /etc/passwd, which we have right here. I'll save this and then come back over, we'll browse to it and I'll show you what it looks like. Excellent.

So as soon as I got this I was ecstatic, I was like, oh my gosh, this is going to be a piece of cake, what are all these people talking about, difficulty very hard? No way, no way, not even a little bit. So the first thing I did, which I usually do, was look for /bin/bash, or specifically sh, and the only person that I see here is root. So that kind of made me think, well, am I running as root? I try to go after that and look for /etc/shadow. I am not root, we are not root, unfortunately. However, we do see another user on the box: we see the sau user with a /home/sau directory, and they cannot log in to the box. Okay, well, that's all right. I'll go ahead and tell you I didn't notice this initially; I saw "nologin" and I just completely skipped over that in my head, yeah, completely missed all that. So I did a few things. I went looking for keys and I was like, oh man, that could be my way in, port 22 is open, that's probably what they want, right? So let's go to /home/sau/.ssh/id_rsa, we'll save that, and then we will upload the file, and what do you know, we do in fact get that. The private key is just sitting right there for us to take, and take we do. So after we have that we put that in, and then we're going to try to connect with it, right: ssh -i keys sau@<box IP>, and of course we can't log in. Why can't we log in? Well, as we saw before, we're not allowed to. That kind of puts you back to thinking, so what can I do? I have a private key, but I can't log in to the user account. Well, maybe we can scan internally, right? We can set up an SSH proxy and scan the internal network, because maybe there's a port open internally that we just can't see externally. So we run ssh -i key -N -D 127.0.0.1:1080 to the user at the IP address, and we'll then run a new nmap scan. I'll tell you, this nmap scan took forever. It took me 71 minutes, that's an hour and 11 minutes total.

Oh, something else: it wasn't until afterward, after I had gotten the private key and then realized that I couldn't log in, that I was like, I bet I can just get the local file. I went ahead and did that, and then proceeded to set up the SSH proxy and then run nmap again. Again, this took me 71 minutes total to get these four. Why? Because I did -p-. It would have been better for me if I had done them like a thousand at a time, right? They would have been completing over and over and over, so 1 to 1,000, 1,001 to 2,000, and that would have gotten me exactly what I needed. Like, initially, if I had done that, two full scans of 1,000 ports each, this would have come through and then I would have been able to move on. If we look at it we see that it's being marked as BMC Patrol DB. I didn't pay too much attention to that necessarily; I did look it up, but really I was just like, well, I can connect to it, that's what I'll do, I'll go there. Is it going to work? Yeah, that's not going to work. Okay, so now that we have that we need to set up a listener, so we'll forward 1313 to localhost with ssh -i keys, then we'll just finish that out. So now we end up seeing "WebSocket request was unexpected". Do a Google search for WebSocket exploits. Actually, a question that I had was, how do I connect to a WebSocket if I can't connect to it through here? How do I connect to it, how do I interact with it? I went looking around that and found HackTricks, and immediately you see you can use websocat to establish a raw connection with a WebSocket. Then I went and looked up websocat and I tried using it, I really tried using it, and I just could not get it to work, unfortunately. There we kind of see that, looking, we can't get this to work, can't get their package, the release that they recommend, to work. Let's start looking around. I mean, we see something about Chromium debugging, maybe there's something going on there, which there is. Yeah, we see Chrome mentioned in the websocat GitHub page, and if we do a little search for pretty much this, "chromium debug exploit", it brings up a lot of articles. Again, I'm always going to try to stick to the things that I know, pretty much, so HackTricks. We'll look at them, we'll look at this, and I don't know, I pretty much just looked at HackTricks. But here we can see that they're using node inspect to connect to this app. Scrolling down a little bit further, not just that, but they're using the command line to connect to the debugger inspector and they're executing a command. Maybe this will work for us. So with our listener running, maybe we can just utilize this, right? So we'll node inspect localhost:1313 and we get a connection back, right? So now we're in the debugger and we can try to run... man, right, so they've got this conveniently located, and I've got it somewhere where, thought... no, you can see everything that I was looking for: cron, aliases, hosts, all the keys. Okay, here's what I'll do instead: we'll just start over. So I grab this whole thing, I'm just going to pop it in here because I'm going to need to change this command out, right? Like, we don't want to execute that. Let's try to get a reverse shell. So we'll do nc -nvlp 901, and then we'll go to revshells.com and get ourselves a netcat shell. I'll pop that in there, figure out where my thing is, okay, there we go, and then we'll just grab this entire thing, copy and paste it into the debugger just like they have it, and we should get a callback. My IP, 192.168.45.169. Thought I hit enter; I did not. Okay, yeah, we did. Cool. And who are we? We are freaking root, man. Hello, root. There we go, ls -la, and we've got our proof.txt, right? Excellent.

So I know that that looked really easy, but it was not, it was not. It actually took a lot longer, and it wasn't as straightforward as searching for "chromium debug exploit". Looking back at this, I mean, I really tried to get websocat to work, I tried getting the release to work, I tried a ton of different things. It was not happening for me. Yeah, so I'm going to be moving through the rest of the series. If you want to join me, go ahead and click the playlist at the end of the video and just follow along with the next one. Next we'll be doing four. Keep up, see you next time.
Info
Channel: NoxLumens
Views: 48
Keywords: noxlumens, noxlumen, hacking, cyber security, oscp, oscp prep, proving grounds oscp, proving grounds, kali linux, hacker, cyber, malware, active directory, pentesting, web app pentesting, network pentesting, ctf, cyber ctf, offsec, offsec oscp, offsec proving grounds, crackmapexec, gobuster, ad pentesting, ad pentest, active directory pentesting, enumeration, ad enumeration, ad exploitation, feroxbuster, ctf-200-02, proving grounds ctf-200-02, live, red teamer, how to hack, pentester, pentest
Id: Ab3w1Dzt0eA
Length: 14min 5sec (845 seconds)
Published: Wed Feb 21 2024