OSCP Practice: Proving Grounds CTF-200-08

Captions
I'm Nox Lumens, welcome. We're going to start off by doing CTF-200-09, I'm sorry, 08, from Proving Grounds, and we're going to start off with the RustScan. So I've already got everything kind of running. I'm missing the 5,000 here for ulimit. Let's run this. Right off the bat we see ports 22... 22? What, see ports 22, how is that possible? Okay, let's try something else. I'm not sure what the hell that was, but okay: 22, 8091, 8090, which means that our nmap scan is going to be 22, 8091, 8090. I could let RustScan finish this up; like, if you want, you can just do this to allow RustScan to run nmap-type commands after the fact, right, dash dash and then put whatever you want, but I'm not going to do that. I'm going to nmap -sC -sV -p 22,8091,80... give me a break... 8091. Holy... 22,8091,8090, and the IP, 192.168.179.41. We'll let that run and see what happens. I would say that I'm not familiar with 8090 or 8091, so I guess I am interested to see what comes back. Let's just go to them in the browser and see what pops up, but we'll wait. Might take a minute, but we'll wait. Longest 19 seconds. Let's see, we're still at 66.67%. Let's just see if RustScan's even faster, so while nmap's running we'll also start RustScan and we'll see what happens. This would be interesting if it doesn't... look at that, what is going on here? How did it catch them? So it didn't catch them the first few times, then it did, and now it's not again. Yeah, it only did 22. How odd. So I could output that to a file, which would probably be the best idea, but I am not going to. I like to pop them in here, and then if they get massive like this then I kind of will move them out of the way. Let's do that: create a new note, call it nmap, but I need to be in the right folder first, [inaudible], and let's make it colorful, and then we'll go check out this, because I think that I've been putting everything in the wrong place. We're not doing seven, we're doing eight. Nice.

Then let's take a look at this. We see the location, localhost:8090, login action, os destination index action, permission violation, MS-Author-Via... the server cannot or will not process the request due to something that is perceived to be a client error (malformed)... open [inaudible] link, no content left... oh, what is that, left? Okay, let's just write some of this down: server, left, 046 [inaudible]. And this is actually... was 8090, right? 8090, 91, so pop that in there as well. There we go. Oh no, that was wrong. There we go. This is also wrong. And what was up here? Interesting. I'm going to pull this location back and make it so that it doesn't do that. There we go, no actual linking. I think this is interesting, and it's saying Ops messaging. Just go take a look at it: 192.168.179.41:8090. We'll do the same thing, we'll go to 8091. Confluence on 8090, Confluence, Atlassian, and it's 7.13.1... Atlassian 7.13.6, 736, powered by Atlassian Confluence. Just grab this real fast. So with that we have it, and 8091 did not pull up anything. Oh, maybe I didn't connect to it, I'm not sure. Let's just look up this version. It doesn't seem like anything's coming back on 8091. 8091, yeah, Maven, okay. Let's look up this version of Confluence, exploit. I might need to not be so... might not need to be so heavy on the version. Seven... Confluence... let's get [inaudible]. Versions of Confluence Server and Data Center are affected: all versions up to what? Just all versions in perpetuity. Evidence of exploit, out of here, evidence of exploit: runtime exec, touch /tmp/r..., data, data. The vulnerability is an OGNL injection vulnerability in the HTTP server; the OGNL payload is placed in the URI of the HTTP request. In its simplest form, an exploit abusing the vulnerability looks like this. All right, screw it, let's just run it and see what happens. We're going to try to touch a file, and then whatever that is at... All evidence can typically be found in access logs. Next, command response. Confluence line in... note: scanning for vulnerable services is easy because exploitation allows attackers to force the server to send command output to the HTTP response. For example, the following request will return the code... whoami, of whoami, and the attacker-created X-Cmd-Response field, X-Cmd-Response whoami. Let's see what this is actually doing; I need to URL-decode this. Uh-huh, okay. I'm just gonna give this a shot, we'll see what happens, see if anything's returned. Oh damn it. We also got a /activity page, okay, we'll check that out after this, and I'm going to write those down also. Boo, feroxbuster snag. And honestly it's probably just like a syntax thing, I probably need to just add something so that it would stop returning errors. Feroxbuster, and we're interested in /status and /activity down here. Oh, this is not going to work because I grabbed the wrong one. Yeah, we need the URL-encoded bit. I'm looking at 192.168.179.41. Okay, that worked, or at least it did return Confluence. Does it like... we got id, oh my gosh, okay, well that works. Okay, hell yeah. So what's that mean? Does that mean that we can get like a reverse shell? Let's see if Python's on here: which python3... I don't see it. Oh, the command response is there: 22 2C 23 A 29 29 7D 2F... which python3, which, that's cool. Decoding the exploit in the curl request shows how this is achieved: the exploit saves the output of the executable call and uses setHeader to include the result in the server's response to the attacker. [inaudible] after gives attackers many options. Okay, it discusses JSP web shells being dropped to disk; however, Confluence Server should typically execute as confluence and not root. The confluence user is fairly restricted and unable to introduce web shells. Okay, that could be something that's kind of blocking us, we're like limited on what commands we can utilize. Java does otherwise provide a wide variety of features that aid in achieving and maintaining execution, both with and without touching disk. It's impossible to demonstrate all here, but a reverse shell [inaudible] through Java's script engine is perhaps an interesting place for others to explore: getEngineByName Nashorn, new java.lang.ProcessBuilder, command is bash -c, bash -i, /dev/tcp. Okay, we can give this a shot, this curl request, and see if we can get a reverse shell. Let's just write it down at the very least. Oh dog, it's not Perl, maybe it is Perl, does this give us more colors? Need more space. Anyway, we need to do this: 192.168.45.169, set our IP, and then we'll just use the port that they're using, not for any specific reason. Neat: nc -nlvp 1270... oh, we need to fix that, we need to fix our IP as well, 192.168.179.41. Really interesting, see if this works. Oh, it does, okay. All right, we did a reverse shell, and we need to grab this article; this article has been paramount to our success. It's Rapid7, Rapid7 blog post. Cool, we've made our way in. What can we do? Maybe we'll need to come back in a minute, but right now it doesn't look like it. I'm going to leave this open and close this out. Sudo: a terminal is required to read the password; either use the -S option to read from standard input, blah blah blah. Okay, let's do something else. Let's look at some files, versions, right? This is everything we were seeing before. Let's just start from the top: cd /home, ls, cd confluence, ls, cat local.txt, and we've got our local.txt.

Okay, local, local. Okay, it might actually just be easier to look up Confluence config files: confluence.cfg.xml. Copy this, and send everything else to... "please ask your administrator". find -name, our find request, just in case. What is this? Private key, okay, I like private keys. I'm going to make another note, I'm just going to call it creds, and I'm going to place that in there. License, messaging, backups, access mode read-write. Let's look in this one: web token private, same thing. Is there a way to view it, or like will it return anything about... what, that's a thing? Access denied for user confluence@localhost, using password: yes; using password: no. Okay. Where's the... let's do other things. Let's see, what do we want to look for? Doesn't seem like this would be something, but I guess we can look. [inaudible], yeah, nothing there. This is interesting to me. It's interesting because it's saying backup to /root/backup. Not sure if it's anything, we'll hold on to it: /opt/log_backup.sh. That kind of makes me want to put something like pspy on here. It's not where I want to put it. cd, and we're on eight, and then I actually need to move that to... oh, actually, you know what's kind of better than this? There's this. Let's get out of this and we'll rlwrap. There we go, okay. Good Lord, I just wanted to be able to use commands. confluence@confluence, and then what were we doing? Going to, yes, this: ls, mkdir www, move pspy32 to www, cd www, clear that crap out, and then python3 -m http.server. wget pspy32. I'll put that to pspy32, [inaudible]. Hey, check that out, it is running this. Okay, let's just try and [inaudible]. Okay, let's copy that out of there and then get out of that. cd /opt, echo... yes. Now, let's actually just make sure that it's in there: log_backup.sh, yes it is. Okay, 9001 is fine, and then where's our port number? Here it is, 9001. I was going to hope that I'd be able to see when it ran; it may have already run. ls -la, and bash it is, so let's do bash -p, id, we are root. cd /root, ls, cat proof.txt. Cool, it was that easy. It was, it was, it was. This is actually like the second or third one that's used this escalation method. What am I looking for? Looking to put the flag in, that's right, paste, save, cool. Dang, I like making things harder than they need to be. LinPEAS wasn't helpful there. It was pretty much just like look around, see what's happening, check out pspy, and it was all because we noticed that file, right? And then inside of the file, like inside of here we see... where did it go? It's this: this root backup directory thing is interesting. It's like, okay, so confluence owns this file, however the confluence user and group own the file, however they're able to write to /root/backup. What's going on there? How is that even possible? That's kind of where I was just like, okay, there's got to be something going on, something like this where the root user is actually running it, storing it, and that's how it's working. Turned out to be the case. So let's grab some other screenshots because we are root: upload pspy32, which allows us to see root executing /opt/log_backup.sh, which is nice.
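Added example, not part of the video or the Rapid7 post it reads from: a small Python checker that percent-decodes request URIs from constructed Confluence access-log lines and flags any whose path contains an OGNL expression marker, which is the access-log evidence the walkthrough mentions. The log layout, the addresses and the sample paths are all assumptions made up for this example.

```python
"""Added example (not from the video): flag Confluence access-log requests whose
URI carries an OGNL expression marker. Sample lines below are constructed."""
import re
from urllib.parse import unquote

# Constructed sample lines (RFC 5737 documentation addresses, not real traffic).
SAMPLE_LOG = """\
192.0.2.10 - - [23/Feb/2024:10:01:02 +0000] "GET /login.action HTTP/1.1" 200 5120
192.0.2.10 - - [23/Feb/2024:10:01:03 +0000] "GET /status HTTP/1.1" 200 77
192.0.2.44 - - [23/Feb/2024:10:02:15 +0000] "GET /%24%7Bexample%7D/ HTTP/1.1" 302 0
192.0.2.44 - - [23/Feb/2024:10:02:16 +0000] "GET /%2524%257Bexample%257D/ HTTP/1.1" 302 0
192.0.2.44 - - [23/Feb/2024:10:02:17 +0000] "GET /pages/viewpage.action?pageId=1 HTTP/1.1" 200 9000
"""

# Combined-log-format request record: client, timestamp, method, URI, status.
LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<uri>\S+)[^"]*" (?P<status>\d{3})'
)
# OGNL expressions open with ${ or %{; a legitimate Confluence path never does.
OGNL_MARKER = re.compile(r"\$\{|%\{")


def decode_fully(uri: str, rounds: int = 3) -> str:
    """Percent-decode until stable so double-encoded markers are also caught."""
    for _ in range(rounds):
        decoded = unquote(uri)
        if decoded == uri:
            break
        uri = decoded
    return uri


def find_ognl_requests(log_text: str) -> list[dict]:
    """Return one record per request whose decoded URI contains an OGNL marker."""
    hits = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # not a request record; skip it
        uri = decode_fully(m.group("uri"))
        if OGNL_MARKER.search(uri):
            hits.append({"ip": m.group("ip"), "ts": m.group("ts"),
                         "uri": uri, "status": int(m.group("status"))})
    return hits


if __name__ == "__main__":
    for hit in find_ognl_requests(SAMPLE_LOG):
        print(f"{hit['ts']} {hit['ip']} {hit['status']} {hit['uri']}")
```

Point it at a real access log by reading the file into `find_ognl_requests`; the decoded URI in each hit is what to compare against the exploit patterns in the write-up.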
Info
Channel: NoxLumens
Views: 67
Keywords: noxlumens, noxlumen, hacking, cyber security, oscp, oscp prep, proving grounds oscp, proving grounds, kali linux, hacker, cyber, malware, active directory, pentesting, web app pentesting, network pentesting, ctf, cyber ctf, offsec, offsec oscp, offsec proving grounds, crackmapexec, gobuster, ad pentesting, ad pentest, active directory pentesting, enumeration, ad enumeration, ad exploitation, feroxbuster, ctf-200-02, proving grounds ctf-200-02, live
Id: xlEq2W0PSkM
Length: 41min 25sec (2485 seconds)
Published: Fri Feb 23 2024