Red Team Capstone Challenge! - TryHackMe -- [Part 1]

Captions
Welcome to Trimento. Trimento is a wealthy tropical paradise and prime holiday destination. With its long beaches, diverse wildlife and exotic markets, Trimento does not just specialize in short-term tourism, but has become the ideal location for those looking to get away from the hustle and bustle of the city. To facilitate the amenities of this lifestyle, Trimento has an incredibly strong financial sector, led by their own reserve bank called The Reserve. However, with such a wealthy finance sector, it does attract some not-so-welcome guests. Therefore the government of Trimento has asked me to perform a red team engagement against The Reserve to test their security and help identify any potential weaknesses. The Reserve in its entirety is considered in scope for this engagement, including both the corporate and bank divisions, and almost all attacker techniques are allowed, including confession of employees and other social engineering attacks. To show the impact of a compromise to the executive, the government has set the engagement goal of compromising the back-end banking system, named SWIFT, and performing a payment between two bank accounts. SWIFT is responsible for routing payments between various different banks and is therefore a critical system to allow florists to transfer their capital in and out of the country. However, this is easier said than done. To ensure fraudulent transactions cannot be performed, an authorization mechanism has been introduced which requires one employee to capture the transaction and another to approve it. Are you up for the task? Are you ready for the challenge? Can you hack the bank?

Boom, and it is time. What is up, everyone, welcome back to another video. Good to have you hanging out with me. Oh, I am John... hey, there we go, TryHackMe is playing in the background. Now, now you guys should be able to hear me. Thank you guys for hanging out, thank you for joining my stream. We are gonna dive into the Red Team Capstone Challenge. If you don't know who I am, my name is Tyler, and
I get to be the one hanging out with you this evening as we get into it. Let me just share with you guys a little bit about what to expect. First, I'm going to ask you guys again, because I have no way of monitoring my audio: for those of you watching on stream right now, if you can, let me know if everything sounds good to you, if everything looks good. I shared before that I am a one-man team, and that's what I am. My Kali Linux VM decided to stop working because we are live, and that's how things work, but that's fine. I'll put that up in the background as I do a quick intro, but hopefully everything sounds good.

Here's my plan, for not just this stream but for the future: I am going to attempt, guys, to stream like every night through the month of May. Will I be able to accomplish it? I have no idea. Um, and I'll be starting around this time each night; it'll be around eight o'clock or 8:30 Central Time. The reason for the time change, y'all, is I have two young kids, and it all depends on when I can get both my kids in bed and I can get everything booted up and ready to stream. But that is my plan, so if you join me around this time most nights, you will find me on, working through this challenge. Get everything booted up in the background.

Here's the other thing I want you guys to know, just so you don't set your expectations too high: I am not like a super elite hacker. So, a little bit about my background: I am a pen tester, but I haven't been a pen tester that long, and I am a web app pen tester, so everything I do for the most part is web applications, things in that world. I know a little bit about AD. I do have things like the OSCP, but I am not, uh, elite hackers. If you're coming here to learn like really cool hacking tips, you're probably going to be disappointed, and I assure you guys I will get stuck on this network, I will get frustrated, but we will work through it together. And here's how I want to see it: we have right now about 30 online with me; we're all sitting in one room together, so you guys feel free
to sound off in the chat. I'll keep my eye on the chat. If you have ideas as we're working through this, talk as much as you want and we'll try your ideas as well, right? So I'm just... I'm the guy on the keyboard, but we can do this together, especially if you don't have the TryHackMe streak: you can live through the network through me, and we will take down the bank.

I do want to give a special shout-out to my friend Amoeba Man. He is the creator of this network and, in many ways, the creator of my career. I met Amoeba Man, oh man, it's been a while now, when I was working in IT support and I wanted to get into pen testing. I was streaming some of the AD networks by TryHackMe and posting them on YouTube, and some dude joined and was helping me, and I found out he was the one who made the network. So we kind of struck up a friendship from there, and in many ways he's been a mentor. And I'm pretty sure the dude hasn't slept: he's watched all these streams, it's like 3 a.m. where he lives, and he says he goes to work in a couple of hours. So Amoeba Man, dude, you're the real MVP, uh, in this thing. The other thing, guys, I have a cold, right, so I'm a little bit sick. Uh, I feel better than I have the rest of the week, though, but if I cough and stuff I apologize ahead of time. I don't think I will, but that's the price of having kids: they constantly get me sick.

Okay, I think that's everything I have by way of introduction. I'm going to share my screen and turn myself back on in the top right corner, and let's go ahead and blow it up. I told you my Kali VM broke just for a second, so I just need to open up TryHackMe again. And if you are following along, I would encourage you to follow along with me: go ahead and log in to TryHackMe. You can see that we're already here at the Red Team Capstone Challenge, and we are going to do some bank hacking. I don't know where my Mr. Robot mask went; if I had my Mr. Robot mask I would definitely pull it out just for the inspiration. I feel like we are fsociety
taking down this federal bank of whatever the government... I forgot the government name already, but such a cool video by TryHackMe, cool platform, cool stuff. Network is already started, so it looks like we should be good there. I don't think I can extend it; you can only increase it for a maximum of two hours. Well, it's not two hours yet, but whatever, it probably has to be less than one hour and then we can do it.

And here's the other thing, guys: if you ever join me for my regular streams, here's what I do that's a little bit different than most of the content creators you stumble across on YouTube. A lot of people go through a network or a machine on TryHackMe or Hack The Box, they do it offline, then they jump on stream and they complete the machine in like 10 minutes, and you're like, hey, how the heck did you know what to do in each one of those parts? That's not what I do, guys. So when I work through a machine on stream, I am doing it completely live. This is my first reaction to each thing that we're going to see. I have not prepped this ahead of time, either this one or my other stream, so hopefully you learn from my thought process, you learn from my methodology and you learn from my frustrations, and we learn from this together. So we'll be a team, right? I always tell my kids, teamwork makes the dream work. All right, without any further ado, let me get a drink of water and then we'll dig into it.

All right, we're going to read everything in its entirety. We're not gonna skim. I've learned from experience skimming usually means you miss stuff, and Amoeba Man told me, make sure you read everything. So we're gonna read everything; let's learn what we can learn. "Welcome to the Red Team learning pathway Capstone Challenge." I want to pause here, guys, um, because I've seen some people in the TryHackMe Discord like confused on a few different things on here because they haven't done this yet. So this is supposed to be the capstone for the Red Teaming pathway. The Red Teaming pathway, my
friends, is massive. It covers everything from Red Team Fundamentals, Initial Access, Post Compromise, Host Evasions, Network Security Evasion, Compromising AD. If you extend these, each one of these are networks, um, challenges, machines. Okay, look at that, guys, I'm at a hundred percent path progress. So I would just say, if you are stuck on a spot on the Red Team Capstone network, just know it is supposed to be a capstone. Uh, if you follow the right order, you should go through the Red Team pathway and then do the Capstone network. So if you're stuck, go back and look at these resources here. Even if you don't do them, use this as kind of a place to search through when you're struggling with stuff. We'll do that ourselves, and I think that'll be a good way to approach the room. I'm saying that as someone who hasn't done the room yet, so I might be completely wrong, but that's my perspective.

"If you are reading this, we hope you're ready to apply and test the knowledge that you have gained from the learning pathway. This is an in-depth network challenge simulating a red team engagement. The challenge includes several phases structured around the cyber kill chain that will require you..." Us, remember: teamwork makes the dream work. We need a cool hacker name. Well, I guess we are Hack Smarter; we are the Hack Smarter hacking crew. "...require you to enumerate a perimeter, breach the organization, perform lateral movement and finally perform goal execution to show impact." And guys, here's the difference between a red team engagement and a CTF, right? A CTF is often, hey, just get root, or in Active Directory, get Domain Admin. But in a red team engagement there's a goal to execute at the end, so getting like DA is merely a means to the end; that's not the end goal. We have to perform a fraudulent transaction, if I remember right, so we'll have to research the SWIFT banking system, see how that works. So just know our focus is on goal execution; this is not a typical CTF. "To best simulate how these engagements usually occur, there is
no single right answer. Instead, there are multiple task paths that can be used to achieve the final goal." Man, I should have done a swag giveaway. Y'all see this shirt? I'm going to show you guys my sweet shirt every time I get a chance to show it off. I have to. There we go, guys, custom made by yours truly: Hack Smarter. This is the only one in existence. Um, if anyone wants a Hack Smarter shirt, message me and I'll tell you how I made it; I'll just send you the designs, but this is the only one. All right, let's keep going.

"Competition: please see Task 4. The competition we are running until the 31st of May 2023." So we'll check that out. "Tested learning objectives": we're gonna do some, oh, OSINT, simulated enumeration and fuzzing, phishing, AV evasion, lateral movement, AD exploitation, Linux and Windows security testing, privilege escalation and post-compromise exploitation.

"A word from the challenge author": so this is from Amoeba Man, and I will just say, guys, if you have not met Amoeba Man, he's a cool dude. If you go to my YouTube channel, which, if you just type Tyler Ramsbey in YouTube, it's not Hack Smarter, but type Tyler Ramsbey in YouTube, you'll find it. He and I have made a couple of videos. Uh, we made a video where he guides us through how to set up your own Active Directory hacking lab using... was it Terraform? I don't remember which platform we used, now that I'm going off the top of my head. We also have another one where he just shares his journey, how he got into pen testing. So check out those videos. All right, "a word from the challenge author: this room is rated as hard, but because it is a mountain that lies ahead of you, it could have been rated as insane." That's encouraging. "However, when you break it down into the various stages of compromise that you have to achieve, no single one of these stages is actually hard." I'll be the judge of that. "They just require attention to detail," which is pretty hard, "and sound application of the knowledge you should have learned by doing the Red Team learning pathway.
Normal red team engagements last weeks and even sometimes months. Take this into consideration as you tackle the challenge. This network was created to simulate what you would typically find on a real client engagement during a red team. None of the attack paths in this challenge were created as a fictional CTF." Guys, I just want to highlight this again. When we look at this network up here, and we'll dive into it more once I get IPs, each one of these aren't like separate CTFs. So for example, the information we get out of this machine right here, whether it's a web server or whatever, we might need that information to compromise this machine up here. So even when we get root or NT SYSTEM on one of these machines, we need to perform post-compromise enumeration, look for creds, and all of it might add up in the end. I'm saying that as much for me as for you.

"Instead, you will find misconfigurations or vulnerabilities that I have personally seen during engagements. However, you will also face the real challenges that I had to face, with certain tools or techniques simply not working out of the box, or having to use ingenuity to get something to behave in the way that you want it to. Now, in a real pen testing team you can ask the senior pen testers when you get stuck." So my question is: are you the senior pen tester? I get to ask questions too when I get stuck? That would make it more realistic, right? "Similarly, in real engagements the answer was never to pick up the phone and tell the client that, hey yo, I can't compromise this host because, you know, the tool I'm using says XYZ error. Simply will not cut it." Very true. "The answer was to start a debug process to try and understand what was different, and to leverage this knowledge to adapt, to be able to still perform the attack. Some advice from me as you scale this mountain." All right, what do you guys say to me, man? "Firstly, make sure to properly read through the information provided. This information is to help you avoid attempting this as a CTF, which can
cause frustration. Secondly, this challenge has multiple compromises per stage. If you get stuck on trying to get a specific attack to work, my suggestion would be to perform additional enumeration to try and discover other attack paths as well." That's what I'm really looking forward to. I don't know about you guys; what drives me crazy about CTFs is there is only one way to compromise a machine. Now, that didn't actually drive me that crazy until I got into real pen testing, but like, for example, web app pen testing: we're doing much more than just trying to get RCE on a web app. We're looking at the whole thing holistically, we're researching different technologies; there's a lot of different ways that you can approach an assessment. But a CTF, it's like, hey, there's just one obscure thing on GitHub that you have to find and modify the code to get code execution, this one obscure thing you have to do to privilege escalate. Not realistic. There are multiple attack paths; I'm looking forward to that aspect of it. "Find your very own golden path to complete the challenge once, then go back and try to conquer other attack paths as well."

Just glancing over the chat so I don't miss you guys. Amoeba Man said, nope, even I will ask others with more knowledge in the office for help. Svido says hey, yo, what's up, dude. J Money's got a question, and Amoeba Man: why is there a time on this box, is there a reason for the time? Oh yeah, so J Money, I'll answer this question real quick, and Amoeba Man, feel free to correct me if I misstate this. So if you guys even just look at this machine, I believe there's 14 hosts here, and it is not cheap or easy to have the infrastructure to host all of this for the thousands of people who are going to be accessing this. So what's going to happen with the Red Team Capstone Challenge is there's a few requirements to access it. Right now you need to first be a paid subscriber on TryHackMe, which, if you're not, get it. It's well worth your time; even without this network, TryHackMe is
incredible, right? So get that VIP membership. And the second requirement, at least right now, is you need a seven-day streak to access the network. So if you don't have that seven-day streak, start building it up; you still have the rest of the month of May to dive into it. Now, at the end of those 24 days it's going to be available to TryHackMe business customers. So if you have a business, or if your business wants to learn more about hands-on cyber security or pen testing, get a business account. Um, I don't have one yet, but I'm working on getting one. They cover everything from blue team to red team; they also teach AWS pen testing on the business side of it, and this network will be available for business customers. So, um, I know I don't make the decisions, Amoeba Man also doesn't make those decisions, but it's part of the cost of hosting all this infrastructure; it's just not possible in many ways to give this out to everyone. Amoeba Man, please let me know if I said anything wrong in my explanation there. Oh, it actually was going to explain it here. I should have just kept reading, geez. See, I told you guys I haven't read this ahead of time.

Um, "Most important to remember to conquer this Capstone Challenge: this is a practice exercise for red teaming, not a capture-the-flag game. Your CTF skills alone will not be sufficient to complete the challenge. The exercise tests the skills you learn in the Red Team learning path. We recommend completing at least 80% of this path before attempting the challenge." I've done 100%, but I'll still get stuck. "If you get stuck, go back to the path, as it covers the techniques you need." Look, I already said that, guys; I should have written this. "There are different ways to complete this exercise. If you have trouble with a specific attack, try different approaches and avenues, and carefully read Task 2, the project brief, as it contains crucial info you will need to complete the challenge. Subscriber only." Okay, here's what it was. I'm just going to read this
and make sure I didn't miss anything. "The Red Team Capstone Challenge network you just joined will be available to subscribers until June 5th. After this date it will become exclusive to users on our business plan. We warmly encourage you to take part in the challenge and make the most of this opportunity, and we hope you find this challenge network to be a valuable experience. To keep everyone on the same page, please refer to this timer to keep track of when we're making the switch. We appreciate your participation in our community, and as always we will keep you updated on any future opportunities and perks." Now, if you guys want business access: I'm trying to get the firm I work for to get a business account with TryHackMe, but if they end up not doing it, yeah, I'm not kidding, I'm making a Hack Smarter business just for this. But it takes a minimum of five seats, so if there's more of you who want a business account and I end up going that path, just like follow me and I'll post on Discord like, hey, come join the Hack Smarter business, and we're going to make our own business plan so we can get access to it. "We appreciate your participation in our community, and as always we will keep you updated on any future opportunities and perks. Note that the hours of access next to the room title refers to the time you have left in your particular network instance. We need to clear those up periodically to ensure a good user experience, but rest assured you'll be able to return to the room for as long as it's open to subscribers."

Okay, looking over the chat now. Amoeba Man's just answering questions. J Money said, Tyler, are you gonna put this recording on your YouTube channel? Yes, it'll be going on YouTube. So each one of these streams, guys: I will be streaming this evening, and as soon as the stream is done... I'm recording this right now with OBS to my local computer, and as soon as we're done I'll start uploading to YouTube. So at the end of each stream you should see the full recording from that stream the
next day. I'll do my best to keep up with that. All right, I am ready to start my Capstone Challenge journey. Are we ready, team? I'm gonna pretend like I heard you guys all say yes, even though I'm sitting in my basement all alone, where I can pretend like you guys are hanging out with me so it feels like I have friends.

"Project brief: this section details the project brief for the challenge. The challenge is an end-to-end red team engagement that you need to perform. Please make sure to read this information, as it also provides you with details you need to start your challenge journey." Let's download this. This video is just a video, guys, I played kind of as my trailer when my countdown hit zero, so if you weren't here in the beginning you missed out, but it just explains kind of what we're doing and the end goal; it was the video they released. I'm going to read through this page, then we will look at the Capstone Challenge resources. And actually, what we should do: if I cd to tryhackme, we'll make a directory and we'll just call it red team... Red Team Capstone, and then copy from home, tyler, downloads, um, what was it called? I don't know what the file was called. Capstone challenge... You guys, he has Secrets in the Cloud, that's, uh, a new CloudGoat scenario coming out soon; stay tuned for that, for those of you who follow CloudGoat. Okay, there are my Capstone Challenge resources, so we'll unzip that. Oh, it probably is going to tell me the password in a little bit; let's keep reading.

All right. "Project overview: TryHackMe..." we're going to replace that with Hack Smarter, because that's who we are. "Hack Smarter, a cyber security consultancy firm, has been approached by the government of Trimento to perform a red team engagement against the Reserve Bank, The Reserve." We'll just call that fsociety... no, not fsociety, who does fsociety hack? Evil Corp, right, this is Evil Corp. "Trimento is an island country situated in the Pacific. While they may be small in size, they are by no means not wealthy, due to foreign investment." That
means all the rich people are putting their money there to evade taxes; that's what that tells me. "The Reserve Bank has two main divisions. Corporate: The Reserve Bank of Trimento allows foreign investments, so they have a department that takes care of the country's corporate banking clients. And Bank: The Reserve Bank of Trimento is in charge of the core banking system in the country, which connects to other banks around the world," which must be where the SWIFT stuff is in play. "The Trimento government has stated that the assessment will cover the entire Reserve Bank, including both its perimeter and internal networks. They are concerned that the corporate division, while boosting the economy, may be endangering the core banking system due to insufficient segregation. The outcome of this red team engagement will determine whether the corporate division should be spun off into its own company."

"Project goal: the purpose of this assessment is to evaluate whether the corporate division can be compromised, and if so, determine if it could compromise the bank division." And we're going to say yes; we're going to go after it. "A simulated fraudulent money transfer must be performed to fully demonstrate the compromise." Do it. "To do this safely, The Reserve will create two new core banking accounts for you." For us. "You will need to demonstrate that it's possible to transfer funds between these two accounts. The only way this is possible is by gaining access to SWIFT, the core back-end banking system. Note: SWIFT, the Society for Worldwide Interbank Financial Telecommunications, is the actual system that is used by banks for back-end transfers. In this assessment, a core back-end system has been created; however, for security reasons, intentional inaccuracies have been introduced in this process. If you wish to learn more about actual SWIFT and its security, feel free to go do some research." To put it in other words, the information that follows here has been made up; Amoeba Man's trying to stop the NSA from coming after
him. "To help you understand the project goal, the government of Trimento has shared some information about the SWIFT back-end system. SWIFT runs in an isolated, secure environment with restricted access. While the word 'impossible' should not be used lightly, the likelihood of the compromise of the actual hosting infrastructure is so slim that it's fair to say that it is impossible to compromise this infrastructure. However, the SWIFT back end exposes an internal web application."

Okay, guys, we need to be taking notes. Um, one second, I need to do a few things. One, you guys have to look at my face for a second because I need to make sure I open the right notebook. Okay, notebook is open. Let me go back to sharing my screen. Uh, let's see... oh, you guys don't need to see that, that's for a Hack The Box active machine; I don't want Hack The Box to get in trouble for me, so don't look at that. Here, we'll go over to this. Okay, let's go ahead and start taking notes, and I wonder the best way to do this. I'm just going to create a new section and we'll call it Trimento, like that, and here is where we're going to fill out some of our information. So what I like to do, at least when I'm doing an assessment, is copy down some of the main notes that we have, and we have here... I'm gonna pull this to my other screen. One of the first things that I want to copy down is we have this internal web application, so we know that this is in scope. So let's go ahead and grab this, and we'll just say "notes" for now; we'll organize this later, but for now let's just get our information down. So here's our web application, and what does it say it does? "The SWIFT back-end system exposes..." so: exposed by the SWIFT back-end system, we know that, "and The Reserve uses it to facilitate transfers." Facilitates transfers, I obviously can't spell. "The government has provided a general process for transfer." To transfer funds, all right, so here's the transfer process; hopefully I can just copy this. "A customer makes a request that funds should be transferred
and receives a transfer code. The customer contacts the bank and provides this transfer code. An employee with the capturer role..." Okay, hold up. A customer... I'm trying to understand everyone involved in this. A customer makes a request that funds should be transferred, receives a transfer code. Okay, so the customer does it, they receive a code. The customer then contacts the bank and provides this code. An employee with the capturer role, this must be like a specific role, they have permissions for certain things, almost like an AD role. "...with a capturer role authenticates to the SWIFT application and captures the transfer," hence their name. "An employee with the approver role reviews the transfer details and, if verified, approves the transfer. This has to be performed from a jump host. Once approval for the transfer is received by the SWIFT network, the transfer is facilitated and the customer is notified." So we have: customer, transfer code, employee one, employee two, a jump host, a jump box, to make it all right. "Separation of duties is performed to ensure that no single employee can both capture and approve the same transfer." Honestly, better security than most real places. Let's go ahead and copy this and we'll see if it lets me... there we go, yeah, it looks nice. So we know the transfer process here: separation of duties is performed to ensure that no single employee can both capture and approve the same transfer.

"Project scope": this is the other thing that is going to be important for us to take note of, so we'll want to copy this down in our notes as we go through it. So we'll say "in scope". First we'll just read it, then I'll copy it down. "In scope: security testing of The Reserve's internal and external networks, including all IP ranges accessible through your VPN connection. OSINT of The Reserve's corporate website, which is exposed on the external network of The Reserve." So we're probably looking for usernames, job titles, emails, things like that. "Note: this means that all OSINT activities should be
limited to the provided network subnet, and no external internet OSINT is required." What about messaging Amoeba Man, asking questions? Maybe we'll trick him. Uh, "phishing of any of the employees of The Reserve is in scope." Okay, so phishing is in scope, so there must be a bot that clicks it; that'll be cool. "Attacking the mailboxes of The Reserve employees on the webmail host." Ooh, so we know that there's a webmail host; we'll want to record that. "Using any attack methods to complete the goal, performing the transaction between the provided accounts." So basically almost everything is in scope. We can't physically go to the government of Trimento and break in, but other than that, everything seems to be in scope. Uh oh, it is bullet points, okay.

And just a word on this, guys: if you do real pen testing, or if you want to get into real pen testing, one of the things that you may not realize the importance of is scope. So if you're used to doing CTFs, your scope is like, hey, just fire off, go ahead and get root, whatever it looks like. When you're doing a real assessment, you have to remember that you're attacking a real company, a real business, and the difference between us and criminals is we have ethics and we follow what is in scope and out of scope. So when you do your first assessment, there's a few things you want to pay attention to. The big thing is scope: what attacks can you perform, what attacks should you not perform. Usually part of that scope is sensitive data, maybe sensitive endpoints, sensitive things they don't want you to scan, they don't want you to hit, um, things like that will be in scope, out of scope. You want to make note of that, come back to it. You'll usually know whether it's a production environment or a QA or dev environment; obviously if it's QA or dev you have a lot more freedom on the attacks that you perform. But you want to make absolutely certain you know the scope when you perform a real assessment. So I do like about this that it provides us with the scope and brings kind of that
realism factor to it. "Out of scope: security testing of any sites not hosted on the network." All right. "Security testing of the TryHackMe VPN and scoring servers, or attempts to attack any other user connected to the network." I'm coming after you guys. "Any security testing on the webmail server that alters the mail server configuration or its underlying infrastructure. Attacking the mailboxes of other red teamers in the mail portal." All right, you guys are going to see my webmail box and my IP; don't break the rules and attack me, right? "External OSINT gathering." That just means internet. Um, Uli Love says "F scopes, we're going full in"; I like the attitude. "Attacking any hosts outside of the provided subnet range. Once you have completed the questions below, your subnet will be displayed in the network diagram. This 10.200.X/24 network is the only in-scope network for this challenge. And conducting DoS attacks or any attack that renders the network inoperable for other users." Okay, that all makes sense. I don't think I'll accidentally fall out of scope; if I do, we got some issues.

You know, I should probably get connected to the VPN as well. I did already download the VPN connection, so if you haven't done that, you can go ahead and get that downloaded. I believe it guides you through the process: basically, if you go to your Access, and then you have to click Networks to get to the right VPN. sudo openvpn... I think I renamed it red team. Yeah, all right, we're on; you guys see my IP. All right, remember the rules, don't attack my IP. "Project tools: in order to perform the project, the government of Trimento has decided to disclose some information and provide..." The other Ringo said "too late", I'm gonna get... my connection is going to stop. "The government of Trimento has decided to disclose some information and provide some tools that might be useful for the exercise." Alliance is already nmap scanning, I love it. "You do not have to use these tools and are free to use whatever you prefer." If you used to use... I'm going to
get stuffed up if Leonta has used Kali. Kali... I actually did not use Kali; Kali, this is a custom Kali image, not just their typical one. If you wish to use this information and tools, you can either find them on the AttackBox under root, Rooms, Capstone Challenge, or download them as a task file using the blue button at the top of the task above the video. If you download them as a task file, use the password "Capstone" (that's what we're looking for) to extract the zip. What do we got here? Oh, we got password base list, password policy; ooh, a bunch of cool tools. Looking over the chat, someone says he uses "Tyler Kali"; Leon says "Tyler Rhino". Tyler Rhino, smart. It's just Tyler; Tyler, I know what you guys are talking about; not Kali Kali, Tyler, that's how I do it. I should open SSH on my box and see if you guys can connect to it, but then we'll be breaking what's in scope and out of scope. Oh man. A note that these tools will be flagged as malware on Windows machines; well, we're not on a Windows machine. For the provided password policy that requires a special character, the characters can be restricted to the following. So if we cat the password policy: the password policy for the Reserve is the following, at least eight characters long, one number, one special character, and the characters are restricted to those. Okay. Note: if your network goes offline while you are working, please refresh the room page before clicking the start button again. If you click extend instead, you will place the network in a locked state where the timer first has to run out before you can restart the network. All right, let me remember that: if your network goes offline while you are working, please refresh the room page before clicking the start button again; if you click extend instead... okay. I think I did this once on stream and we fixed it by doing the sweet... can I extend now? The sweet hack, oh no, I can't. All right, I might just have to start it if it dies on us. It may be good to extend your network now. Well look, dude, it doesn't extend, but
maybe I should refresh the page quick. Oh, it extended, I just had to refresh. We're good; we're at one hour 36 minutes. All right, we got project tools. Patching in... all right, going into the Matrix, let's do this thing. Before I do that, guys, get your black hood up; that's what real hackers do. All right. If your network goes offline while you're working, please refresh the room page; we already read that. If you use the AttackBox (we don't), you can verify, blah blah blah. You are, however, welcome to use your own machine should you wish; if you do so, go to your Access page. Oh, that's just how to get the VPN; we did that, we did that.

Project registration. The Trimento government mandates that all red teamers from TryHackMe participating in the challenge must register, to allow their single point of contact for the engagement to track activities. As the island's network is segregated, this also provides the testers access to an email account for communication with the government and an approved phishing email address (let's go!) should phishing be performed. To register, you need to get in touch with the government through its e-Citizen communication portal, which uses SSH for communication. The SSH details for that are provided. Let's go ahead and grab this down, because if the network resets I'm guessing we may have to redo this process, so we'll drop that stuff in there. So we have to SSH in, password, and set up our account. Once you complete the questions below, the network diagram at the start of the room will show the IP specific to your network; use that information to replace the X values in your SSH IP. Got it. Once you authenticate, you will be able to communicate with the e-Citizen system. Follow the prompts to register for the challenge and save the information you get for future reference. Once registered, follow the instructions to verify that you have access to all the relevant systems. The VPN server and the e-Citizen platform are not in scope for this assessment, and any security testing of these systems
may lead to a ban from the challenge, especially if you do it live on stream. As you make your way through the network, you will need to prove your compromises. In order to do that, you will be requested to perform specific steps on the host that you've compromised. Please note the hostnames in the network diagram above, as you will need this information. Flags can only be accessed from matching hosts, so even if you have higher access you will need to lower your access to the specific host required to submit the flag. Right, lateral movement. If the network has been reset, or if you have joined a new subnet after your time in the network expired, your e-Citizen account will remain active. Oh cool, I think I had to redo that. However, you will need to request that the system recreates your mailbox for you; this can be done by authenticating to e-Citizen and then selecting option three.

Summary. Please make sure you understand the points below before starting. If any point is unclear, please reread this task. All right, or I'll message him; maybe, man, he'll get annoyed with me. Number one: the purpose of this assessment is to evaluate whether the corporate division can be compromised and, if so, determine if it can result in the compromise of the bank division. Perfect, and we'll copy this into our notes as well. My wife is sneaking around; what are you doing? I had an intruder in my hacking workspace. All right. To demonstrate the compromise, a simulated fraudulent money transfer must be performed by gaining access to the SWIFT core back-end banking system. The SWIFT banking infrastructure is secure but exposes an internal web app used by the Reserve to facilitate transfers. A general process for transfers involves a separation of duties (hood's too hot, y'all, I can't be a hacker), that one employee cannot both capture and approve the same transfer. Got it. You have been provided with some information and tools that you may find helpful in the exercise, including the password policy, but you're free to use
your own. There are rules in place that determine what you are allowed and disallowed to do; failure to adhere to these rules might result in a ban from the challenge. That's how I picture them saying the word "ban". After gaining access to the network, you need to register for the challenge through the e-Citizen communication portal using the provided SSH details. You would need to prove compromises by performing specific steps on the hosts that you have compromised; these steps will be provided to you through the e-Citizen portal. But don't hack the e-Citizen portal. "I understand the project and have read the scope": complete. "I have registered for the challenge and verified that my access is working": uh, no. Wasn't there a step back to do to see my IP range? Maybe I need to keep going; I think it's the next step, but we'll just say I have. Let's keep going.

In order to prove that you've compromised the estate, the government of Trimento requires that you interface with the e-Citizen platform from specific locations in the network. Once you compromise a host, you should initiate an SSH connection to the e-Citizen platform and perform the requested action to approve the compromise. So every compromise we do, that is kind of like the OSCP when you submit, you know, flags and IPs and all that fun stuff. After which a flag will be provided that you can submit below. There may be several paths to compromised hosts, so you could receive the same flag on different hosts. To get new flags you need to compromise additional hosts and systems. The flags indicate progress in the challenge and lead to goal execution. Doci said, "is this the new THM challenge?" It is the new THM challenge. And what up, Morehouse Hacks, thank you for raiding with four, appreciate it. We got like 50 people here, guys; we have grown the Hack Smarter hacking team to 50 of us. All right, we're on a team together; let's do this. In other words, if you reach the level of access that will allow final goal execution, that level of access will also allow you
to get all the other flags. All right, notes: flags are provided both for the initial foothold, which is low privilege, and full compromise, administrative access. We're going DA in one night; just kidding, I'd probably be stuck. In certain cases your foothold may also directly provide administrative access (that's what I might do); in these cases, make the submission for the administrative access flag and then use this level of access to make the submission for the initial low-privilege foothold as well. The flags are not in any particular order; you may find that your compromise path allows you to submit flags in a different order than what is listed below. Let the heist begin. So you're breaching the perimeter, AD corporate division, tier two... just glancing at these. So we have different tiers on here, so we have to go tier one, tier two, tier zero, parent domain; parent domains, their child domain. I wonder if we'll get to abuse like trust between the two domains. Okay. Competition. Ling girl said he read a book for 45 minutes; that's what I'm good at, dude. I will say we are doing a lot of reading, and we're going to spend a lot of time doing enumeration, guys, but surely this is realistic. When you do a real assessment it's not all just leet hacking; you have to slow down and make sure you understand what you are doing. To celebrate the launch, the red team capstone challenge will be hosting a competition. Also, these are just the competition: "Swiftest Hacker", make it all the way to flag 20; that's not going to be me. "Red team challenge the right way": document; oh, so we can submit a write-up. How about submitting a "stream-up"? Does that count? We have prizes. Answer the questions below: put me in, coach. Okay sweet, now we have IPs, so that was what we had to answer to get to the IPs. Fantastic. So what we have so far is we have a web right here, that's an exposed web portal; we have a VPN; we have a... we have a VPN, webmail. So we have three hosts here, and then we have to get past the DMZ firewall and do some sweet
kind of pivoting-type stuff, which means one of these hosts might have a couple of IPs on them. All right, well, the first thing we have to do, guys, is register, which I believe it talked about here. Let's look at our IP range; so we're 10.200.113. Okay, so let's go ahead and take note of the hosts that we have, and the way we'll do this is we'll set up this host; we'll just call it web server, 10.200.113.13, like that. We have our VPN, 10.200.113.12. We have our mail server, 10.200.113.11. And then we need to get past the DMZ, but it looks like we're going to be compromising these first, or one of them, or maybe if we compromise one we can get past the DMZ right away. Maybe we can do some sweet phishing stuff; I don't know. But the first thing we do need to do is register our account with those SSH creds, which I think I actually dropped in my notes, didn't I? If you go back to my notes, here they are. So this would be, for us, 10.200.113.250. So that's the first thing that we need to do. I'm just going to pull this over to my other screen and we'll see if we can do this. So ssh e-citizen@10.200.113.250, like that, and: "Stability through currency. Welcome to the e-Citizen platform. Please make a selection: register, authenticate, exit." And we can't hack this, remember, so we're going to register. "Please provide your THM..." I don't even know my THM username; tenebrae something, uh, tenebrae93. Okay. "Thank you for registering at e-Citizen for the red team engagement against the Reserve. Please note the following details; they will not be displayed again." Okay, let's take note of this, as they will not be displayed again. Copy that, and I'm going to drop these in my notes here. We'll just start a page; we'll just call it creds for now. So there are creds; you guys can go ahead and log in as me now if you want. "The details are now active. As you can see, we have already purchased a domain for domain squatting to be used for phishing." Ah, beautiful; we got our elite three in there to trick those employees. "Once you discover
the webmail server, you can use these details to authenticate and recover additional project information from your mailbox." Which we have the webmail server; we should figure out how to authenticate to it. "Once you perform actions to compromise the network, please authenticate to e-Citizen in order to provide an update to the government. If your update is sufficient, you will be awarded a flag to indicate progress. Please note once again that the e-Citizen platform and this VPN server are not in scope for this assessment. Any attempts made against this machine will result in a ban from the challenge. Best of luck, and may you hack the bank." Let's go, guys; I already feel like a real hacker.

Um, let's see, we have this SWIFT back-end exposed internal web application. What we want to do is add that to our /etc/hosts file, which I have right here, and we'll just drop this there. We'll copy this IP first; oh, not that, I don't have a terminal open there. And let's add that to /etc/hosts; that's just so it resolves. sudo mousepad /etc/hosts; that's where I type in Tyler. "Tyler, are you using the root account?" Heck yeah we are; that's what hackers do. swift.bank.thereserve.loc, and I just want to copy this to be saved. Okay, and we can ping the web server now.

Now, I would... if I was... first, guys, I should say again, I know a lot of you have joined: if you're looking for like an elite hacker to just run through this, guys, I am not the dude. I'm still the noob. I am a pen tester, but I do web apps and I've been a pen tester for like seven months, guys, so I am constantly learning, constantly realizing how much I don't know. So we will, uh, we'll stumble through this together. Coke said shame for not using Vim; just listen to what I just said, dude. Vim is too late for me; I'm using my newbie Mousepad over here. It's how I'm gonna do it. I barely use nano, dude; you're trying to get me to use Vim, I would spend the rest of the stream trying to exit out. Uh, someone said, "but he's done awesome for seven months"; we've
worked together. Oh sweet, I got a lurker from Rhino; good to have you here, whoever you are. Okay, let's pull up our notes here. So we have a web server, we have the mail server, and I said we can authenticate to the mail server and see more stuff, but guys, I just want to look at this web server for now. So when I approach a web server like this, especially in a bigger network, I like to make a to-do list, and the reason I like to make a to-do list is it's easy when you see something that... This will be especially important for those of you who are studying for the OSCP. So I passed the OSCP back in, I think, December is when I first took it, and I made a video on YouTube if you want to see my full experience, how I passed it. But the big thing about the OSCP is enumeration, enumeration, enumeration, and the good thing to do enumeration is having a checklist, so that if you do get stuck, fall into a rabbit hole, you can go back to your checklist and see, hey, what have I not checked, what have I not covered? So when it comes to HTTP, a web server, there's a few very basic things that we'll start with, right. The first thing that we'll do (we'll just call this our to-do list): we'll browse the website, right, pretty simple, but we're going to look for, check for usernames, emails, anything that might be used for attacks, especially phishing; there might be some employee information on there. So we're going to browse the website. We'll check the source code, see if there's anything there. We'll check robots.txt; that's honestly more CTF-y to have something in robots.txt, but you never know. We will search for directories; we'll do gobuster dir, and we'll do gobuster for vhost as well. A drink of water. We'll run nikto against it; nikto is a very basic web vulnerability scanner and might find something cool for us, it might not, but it's a really easy tool to use. And we'll run those things first. Uh, J Money said use cewl, so I don't know how you say cewl, "sewell", "cool"; it creates a custom password list based
on the site. That's a good idea, so we'll type in cewl there as a note that we can do. But let's go ahead and get some of these scans running, and I always forget the syntax for some of these. I'm opening a few more terminals just to keep my notes organized, guys. I have a cold, so apologies for coughing into the microphone. gobuster; you can see when I was just using it last, so you, HTTP, we should be able to grab this. Hunterbot said, "what are some things that you thought were CTF-y but when you did real engagements are actually real?" Huh, I don't know if I can really answer that question, and the reason for that is, especially on live stream, I don't want to accidentally give away any type of information about a client, and so unfortunately I'm going to tell you I can't answer that, at least not live on stream, and I'd have to spend a little more time thinking about my thoughts. I don't want to wing it and say something on accident that might compromise the identity of a client, if that makes sense. Word list: /usr/share/wordlists, we could just use dirbuster; we'll do like the medium one. I think that's the correct syntax; let's see if it works. Beautiful, and we'll call this dir, just so we keep our notes organized. And now gobuster vhosts; you know, /usr/share, I think I have SecLists on this box, and Discovery, maybe DNS, maybe, uh, fierce-hostlist is what I use on Hack The Box Academy, so we can try that. We may have to specify a length if they all come back; let's see what happens right away. Yeah, so on this there's a few things that we can do; I believe it is, what is it, exclude length, going off memory, the filter for that length. I might have that switch wrong; I had it right. Beautiful, so we'll call that vhosts. Looking over the chat, nothing else, okay. And let's go ahead and throw nikto at it, and then we'll just start browsing the website and see what the website's actually like. nikto -h swift.bank.thereserve.loc, and I'll do a very basic web scan against it
and we'll see what we can find. Okay. "The Reserve. Welcome to the Reserve, Trimento's finest in public and private banking. How can we help you? The Reserve is the Reserve Bank of Trimento," blah blah blah, "we welcome those from other countries looking for something different." In other words, they welcome the rich people to evade tax and perform tax evasion. "Trimento offers a digital nomadship program that allows those that meet the prerequisites to join our country and embrace a different lifestyle. No need for cubicles in the old nine-to-five; why not work from your own private villa looking out over our crisp beaches? Why not use your lunch break for a safari ride? Why not choose working hours that suit you and enjoy your leisure time exploring our world-renowned markets? This lifestyle can be yours, with support from the Reserve." Beautiful. No... already finished, one second; let's give this a bigger word list and then we'll go back to reading our website. What do we got here? We got... all right, we're gonna do this one, the big one. Okay, that's not finding anything yet; oh, found october. Okay, what else do we got here, just on this main site? Meet the team. Um, A New Man said, "it did tell you that the Swift website is internal, so this might just be a different website and not the actual banking app sitting on Trimento's internet." Oh sure, that is true. Bank of Trimento, it looks like, if I look at this; "however, the SWIFT back end exposes..." oh, I see what you're saying, my /etc/hosts is wrong. "The SWIFT back end exposes an internal web app" there, "used by the Reserve..." oh, I see what you're saying. What I'm on is just... this isn't... okay, good, good clarification of you, A Man. The swift.bank.thereserve.loc is internal; it's probably not this web server right here, it's probably something in here. So we'll have to fix our /etc/hosts; because I'm running all the scans right now we'll just leave it like that, but if you're following along, this internal website, this domain name right here, is actually going to likely be something else in the
network, because it's not going to be public-facing. Good call. Okay, we have our team, right. So we have... gosh, doesn't she look friendly? I wonder where he got these pictures from. Uh, we have Brenda Henderson, bank director; you can see just how friendly she looks. Being a bank director sounds like a fun job. Which, by the way, guys, these are employee names. And J Money's saying cewl -m 7 URL; we'll do that, we'll pull it down. Big Beef said that's probably his mom, dude; probably is. I mean, man, if it is, I apologize, I apologize. Yeah, J Money, we'll try that at the end; we'll just look at this manually and then we'll pull it down with cewl, however you say it. We have deputy directors; we got Leslie Morley... Mark... all right, how can you wear a hat in your bank picture? I used to work at a bank, y'all, they're not that informal. We got Leslie Morley and Martin Savage. We got our corporate executives; look at these people. We have the CEO Paula, the CIO Christopher (he looks like a CIO), the CTO Anthony, the CMO Charlene, the CEO Rizz... Rise... Personal assistants to the executives: Linda. He is happy, dude; I like Roy, the project manager. I don't think you get that happy being a project manager; a project manager has to be frustrated in getting all the pieces of the project to fit together, but he's a happy dude. Corporate customer, customer investment managers, just got pictures, and many more. Oh, we have their names; see, each one of these pictures has a name. Who do we have? Octo... I see some really interesting stuff here, a path that we can look at. I'm actually just wanting to copy this path down so I remember to check it; we'll just drop that in here. But we have all their names there, so that's Emily, Emily Harvey. So even if they don't tell us their names, their names are included; so like that one just called him Roy, we know that he's Roy Sims. So if we can figure out how their emails are set up, and if we look at our own email, I wonder if it's firstname.lastname@corp.thereserve.loc. So
his would be like roy.sims, based on that naming convention right there. I bet so, because look at that naming convention: lynda.gordon. I bet those are their emails, and if we log into our email and we try to email them and it doesn't work, we might be able to get it. The other thing I noticed down here is we have Amy Walker and Patrick Edwards; they're the lead developers at the Reserve. So this page has a bunch of usernames that will come in handy later. We'll copy those down; we'll try to use cewl to copy those down, but for now we'll just say, um, user enumeration there, and we'll even try that command over here. So if we do cewl -m 7, and although I need to just change this so it's not confusing to people (but remember, this isn't the real website for this; it's going to be an internal website), we'll just do it: bank dot tax... does this work? Nope. What did I do wrong? Oh well, figure that out later. What else do we have in here? Contact us page. Oh, "use our friendly to-do list creator to create your list of what to pack for your trip. Once you are ready, send us your CV." I'll try the full URL; I did. Let's try just the IP; otherwise I'm gonna keep doing my manual stuff. Yeah, it's not... with the meet-the-team page, oh, I got you, I got you, I got you. So we have some names here; the part that it's not going to get for us this way, though, is all the names included in those pictures, but there's probably some sweet script in Python we could write for that, like a web-scrape-type thing, to pull all those usernames down. We'll do that, we'll get to that. I want to check this out now. Like, so right now, guys, at least the way I approach an assessment now (once again, my assessments are limited to web apps) is I like to initially just kind of browse a website, use it how a normal user would use it, and just see: is there any like business logic that I can exploit, is there anything that just stands out to me, and then just try it a little bit. Like when I do legit assessments, my first day is
just what I call like my fun day; I just view it as my playground and see like what can I do, what can I do with this, what might stand out to me. So "use our friendly to-do list creator to create your list of what to pack for your trip. Once you're ready, send us your CV and the last three months of banking statements to applications..." That sounds like a good place to phish, right? So let's grab that down and we'll save this. So what are they requesting? They want "send us your CV", so that means resume, you know, so we can maybe send a resume that's like a... whoops, just a doc, um, I think docx is a normal one, but basically with a macro. If we do some macro phishing, depending on what they have for like AV or how they're going to open it, there's some things we could try there. Drink of water. All right, what needs to be done? So do I not have FoxyProxy on this beast? Let's just use Burp's browser; I'll keep it... when I use FoxyProxy I always forget to turn it off and turn it on, and then I get annoyed when things don't load. So we'll just use the internal Burp proxy to keep things a little bit different. We're just using Community Edition, so on a real assessment I'd use Pro, but I don't think I have Pro on this VM, so we're just going to do Community Edition, and that also allows you guys to follow along if you don't have the Pro edition. So let's get Burp started up. I have a feeling this might be vulnerable to like cross-site scripting or some injection attack, just by looking at this to-do list thingy, but I don't know. And first we need to fix this; like, our precious hacker eyes can't do this light mode craziness. Like, why would Burp, a hacking tool, default to light mode every time you open it? Doesn't that just seem insane to you guys? My goodness. Open browser. And are these still running? This probably isn't going to find anything; I want to update... well, let's go like this: if I go, um, that'll be our public IP. So remember, this is going to be a different web server internal in the network; I just said it wrong in
the beginning. We're going to call this thereserve.thm so we stop confusing ourselves. I should be able to ping it now; yeah, there we go. So okay, here's the Reserve. Let's get this pulled up and I'll just show you guys how I like to kind of watch these requests. I'll usually just like load a page and see like, what are we loading? I see we're loading the session, almost like we're logged in; "October CMS demonstration", this is almost like some type of demo thing. I mean, that stands out to me, so I'm curious. That's a JWT token; if you don't know, the JWT token is used for authentication. At least it looks like a JWT token to me. Um, what we can do is grab this; yeah, it is, so you can see this, and if we copy this we'll go back to Firefox, jwt.io, I think is what it's called. Did that copy it in? We have this "what", IV, initialization vector or something, and it probably isn't interesting, but it just stands out to me initially. Let's just keep glancing at these requests. Okay, I want to see this contact us page, so if I type like "test", turn intercept on; how does this do it? new item equals test, okay, new-items, items, test. Oh, must code... it only just disappears. All right, first of all I need this side by side; oh, it looks worse. To-do list; or maybe I'll do it the other way, I can see a little more; well, let's just make it big. Sorry, I can't make up my mind. So we have this demo; that's what stands out to me, is the demo thing. We have this to-do list and it's passing it, button type, close, pull right true, and it's adding it to the list and it just keeps all the items together; we have them all here. "Sorry, only three items are allowed." What a bad to-do list. I didn't break it. If you do like nothing... I said I don't think anything... I bet this is vulnerable to something weird, like some type of cross-site scripting, just the way it's being executed, but I don't want to spend a whole lot of time on it, because once again, guys, that's the difference in this and the CTF: we have our goal, it's goal execution, we
want to compromise stuff, and gosh, there's just a few different ways to do it. We'll go back to the drawing board in just a second. Over in the chat, you guys see anything cool about this that we should try to exploit? One thing that stands out to me is just this October thing, so this is like a theme, right, because if we go to meet the team... okay, hmm, can we list all the images? Oh, we can; we have directory listing, so we'll want to take note of that. So if we grab that, just go like that, and we'll say we have directory listing, and now we have all the usernames, right. All right, here's all of our usernames; we could easily clean that up later. Okay, I just paste just text, right. So we have the usernames I was talking about before that I noticed in those images. What's this? Oh, can we go back a directory? Oh, we can; we have more directory listing: CSS, fonts, JavaScript, probably nothing cool. Looking for any like hard-coded creds, anything interesting like that; probably nothing there. Should have looked at this as well. So guys, if this is a real pen test, we would point this out as version disclosure, right; you don't want to reveal what version the server is running. I don't think Apache 2.4.29 has any big CVEs; we'll just check that real quick. Request smuggling, that's not going to help us right now. So I make sure there's no like CVE: "attacker to use a path to map URLs"; ah, that'll be a rabbit hole we don't need to fall down. Um, Ranger5280 said, "Tyler, what are you using for screenshots?" I think it's called... you know, what am I using? Lightshot; Lightshot is what it's called. I'll type it in the chat. I used to use the Microsoft Snipping Tool, but Lightshot's beautiful and it just maps to your Print Screen button. Um, works really well; I think that's for Windows, Linux, Mac, I think it's cross-platform. Oh, I need my notes pulled back up. Okay, none of this stuff, I don't think, is going to be too interesting to us. Here's our theme, and it's the October theme, right. Let's go back; what's in vendor? We have
the Bootstrap version, but that's not gonna help us. Leon says, "I use Flameshot"; Flameshot's pretty similar to Lightshot, I wonder what the difference is, probably not much. Got some old jQuery. October CMS: oh, "demonstrates the basic core functionality", so we know that we have October CMS. I don't know if that's a real CMS or not; CMS stands for content management system. "Demonstrates the basic core functionality, utilizes the accompanying Demo plugin. It is a great theme to copy when building a site from scratch. This theme acts as a reference," blah blah, "if you clone this theme to use as a starting point, you may follow these instructions to clean up. Delete the theme... doesn't combine assets for performance reasons." Ranger just posted October CMS, so it is a real CMS; beautiful, let's look at that real quick. And guys, these are the things you want to pay attention to in a real assessment, or legit on the OSCP. So we do have October CMS; we don't want to get ahead of ourselves, but we will check for exploits for that. But let's, once again, guys, big overview, right; we don't want to dive into one specific rabbit hole yet. We'll spend a lot of time here just doing enumeration. You know what, an nmap scan, this beast; I wonder if there's anything else running on here, but we'll worry about that later. "Combine CSS and JavaScript, combine JavaScript, make sure you keep the styles and scripts placeholder," blah blah blah. Do I see a version? Hmm, I don't see one yet, but we might come across one. Oh, posted an exploit, sweet, Ranger, thank you, we'll check it out. Mayman said "still a full other two hosts to also look at"; it's true. Okay, we know that none of this other stuff will be interesting to us; that will be interesting, we have maybe some version information there. Okay, well, that's the website. I think the main thing that we can take from the website, if we pull up our notes, a possible attack path if we wanted to go from the website, from here, the main information I think that we have is we can say we have
some user enumeration, and we were able to pull down all the names; we can easily clean this up so it's just a christopher.smith, emily.harvey, and I would assume those are valid emails. So we know that that's one attack path. Let's actually type this out, so possible attack paths: we have user enumeration; we had an email, oh, I never shared the email, obviously, disguised as a resume. And if we go ahead and grab that contact us, I think that's Burp doing that to us; oh shoot, what did I do? All right, whatever, there it is. It might just be because I have those two things mapped in my /etc/hosts name; it doesn't like that. Whoops, there we go. And then we have October CMS, and we don't really have version stuff. I want to look at these other hosts. We have this VPN server; we don't know if it has a web portal or what it has. If we just grab this IP and go back to our terminal... none of this is probably helpful to us. "Apache remote file..." I think that's a false positive. Output from PHP; ooh, there's really... ooh, that might come in handy; might also be a rabbit hole, but we have an output from phpinfo. On a real assessment we'd of course want to report that; this is actually the first, like, very minor vulnerability I found when I was working IT support at the college. I just stumbled across this and I was like, hey, you guys might want to turn this off. Uh, there's probably not much in here, honestly. We have the host; we have this HTTP cookie that I found interesting, this like seemed to be a session cookie-type thing. Oh, I should make note of that as well: there was like a weird session cookie. Probably nothing else here that's gonna stand out to us; you guys see something, let me know, but I'm not going to spend a whole lot of time looking at this doc. If we need to come back to it, we will. It has version information type things. And it's 9:20, so we've been going for an hour and 20 minutes, so we might jump into a five-minute break, guys, and then we will start enumerating the next host. Actually,
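The "sweet script in Python" for the directory-listed team images, as an added example that is not code from the stream or from the TryHackMe room. It uses only the standard library so it runs offline: the Apache-style index page and the team names below are constructed samples, and corp.thereserve.loc is the naming-convention guess from the stream, not a confirmed mail domain. The part worth carrying into a report is exposure_report, which separates people the site names anyway from people whose identities leak only because directory listing is switched on.

```python
import re
from html.parser import HTMLParser

# Constructed sample of an Apache-style directory listing (not captured from the room).
# The image names follow the firstname.lastname convention noticed on the team page.
SAMPLE_LISTING = """
<html><head><title>Index of /img/team</title></head><body>
<h1>Index of /img/team</h1>
<a href="../">Parent Directory</a>
<a href="christopher.smith.jpg">christopher.smith.jpg</a>
<a href="emily.harvey.png">emily.harvey.png</a>
<a href="roy.sims.jpg">roy.sims.jpg</a>
<a href="banner-2024.png">banner-2024.png</a>
<a href="styles.css">styles.css</a>
</body></html>
"""

# Constructed sample of the names printed on a "Meet the team" page.
SAMPLE_TEAM_NAMES = ["Brenda Henderson", "Leslie Morley", "Martin Savage", "Roy Sims"]

# Assumed mail domain: the firstname.lastname@corp.thereserve.loc guess from the stream, unconfirmed.
ASSUMED_DOMAIN = "corp.thereserve.loc"

IMAGE_EXT = {"jpg", "jpeg", "png", "gif", "webp"}
STEM_RE = re.compile(r"^([a-z]+)\.([a-z]+)$")  # exactly first.last, letters only


class LinkCollector(HTMLParser):
    """Collect every href on an index page; stdlib only, so this runs offline."""

    def __init__(self):
        super().__init__()
        self.hrefs = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            for name, value in attrs:
                if name == "href" and value:
                    self.hrefs.append(value)


def usernames_from_listing(html):
    """Return the sorted, unique first.last stems of image files in a directory listing."""
    parser = LinkCollector()
    parser.feed(html)
    found = set()
    for href in parser.hrefs:
        stem, dot, ext = href.rpartition(".")
        if not dot or ext.lower() not in IMAGE_EXT:
            continue  # parent link, CSS, anything that is not an image
        match = STEM_RE.match(stem.lower())
        if match:
            found.add(f"{match.group(1)}.{match.group(2)}")
    return sorted(found)


def usernames_from_names(names):
    """'Roy Sims' -> 'roy.sims', following the convention seen on the page."""
    out = set()
    for full in names:
        parts = full.strip().lower().split()
        if len(parts) >= 2:
            out.add(f"{parts[0]}.{parts[-1]}")
    return sorted(out)


def candidate_emails(usernames, domain=ASSUMED_DOMAIN):
    """Candidate addresses under the assumed convention; still unverified guesses."""
    return [f"{u}@{domain}" for u in usernames]


def exposure_report(listing_html, page_names, domain=ASSUMED_DOMAIN):
    """Split identities into those the page shows anyway and those leaked only by the listing.

    'only_in_listing' is the finding to write up: those people are not named on
    the page, so their identities are exposed purely because directory listing
    is enabled on the image folder.
    """
    from_listing = set(usernames_from_listing(listing_html))
    from_page = set(usernames_from_names(page_names))
    return {
        "only_in_listing": sorted(from_listing - from_page),
        "emails": candidate_emails(sorted(from_listing | from_page), domain),
    }


if __name__ == "__main__":
    report = exposure_report(SAMPLE_LISTING, SAMPLE_TEAM_NAMES)
    print("leaked only by directory listing:", report["only_in_listing"])
    print("candidate addresses:", *report["emails"], sep="\n  ")
```

On the sample data the listing adds two identities (christopher.smith, emily.harvey) that the visible team page never names, which is exactly why a directory listing on an image folder is reported as a finding rather than ignored. The fix on the server side is to turn indexes off for that location (in Apache, `Options -Indexes` in the vhost or directory config) and to stop naming public assets after employee usernames.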
let's start an in-map scan first and then we'll we'll dive into a five minute break so uh we'll we'll note this down maybe we'll come back to it some possible version enumeration and the next host we want to just spend a little bit of time looking at is this one and we'll see how far we get let's make sure we can ping it okay we can ping it see if I can at least finish this what I like to do is oh we do have a web server running run a full port scan against it uh this is probably more on CTS but even real companies they'll try to practice security through obscurity which isn't a good security practice but they'll run like a port on a on a non-standard port a new man just told me to extend the network timer a good call there we go out now we'll be good till the end of stream they'll run something on a non-standard port and it'll be some high port and you won't see it with the typical M map scan so what I'll often do is I'll do this and I'll do like nmap full and then we'll do an nmap targeted scan this didn't detect anything and so then we'll do nmap ports 2280 I think that's what it was so SSH Chanel web server yeah Dash a for an aggressive scan although technically if this is a red team exercise we want to be a little quieter an aggressive scan is going to be picked up by a scanner but it is a public facing whatever so I'm sure it gets scanned all the time from the internet if this is the real world so we might be able to hide in some of that traffic and that will perform an aggressive skin against that but guys it is um been an hour and 20 minutes let's go ahead and take a five minute break and I will be back I'm gonna see if I can figure out how to pause my stream instead of stopping it I can only stop it oh well YouTube always just yells at me when I have music and then they put ads in the video but that's fine guys let's take a five minute break I'll throw on some music for you I'm gonna stand up walk around a little bit and we'll be back in five minutes to 
start enumerating this host a little bit further. Here we go.

[Music plays during the five-minute break]

And we're back, just like that. What's up, everyone? Hopefully you had a good five-minute break. We're gonna go for another 30 minutes or so, probably won't get a foothold or anything, but we are doing some good enumeration, which I think is helpful, and we'll see where we get to. So if you are just joining us, maybe on YouTube or whatever, we finished kind of enumerating this first public-facing web server. Now we're looking at this VPN, and it is hosting SSH (SSH probably isn't going to be able to be attacked by us) and a web server. Now, what I like to do, everybody does this differently, but the way I like to organize my notes is I'll post kind of the full nmap scan here on the main page, and I'll make sub-pages for each one of these services, and if we enumerate them or get access, that is what we'll do. So we'll call this one SSH, which is port 22 of course, paste that in there, make that a sub-page, and then do the same with this, so I'll call it Port 80.
Paste it in here for a web server, and we'll go like that, and kind of the same process as before. So if we go to this web server and we go to our to-do list, very similar process: make that a sub-page. Let's grab this IP so we have it, and let's just kick off our scans against it, and then we'll check it out. So here's our vhost; we'll have to figure out the content length that we need to exclude, but let's go ahead and just run vhost. I highly doubt there's going to be vhosts on this if it's just a VPN, probably with the authentication login screen, but you never know. This isn't going to find anything, I don't think; same with this. We'll run Nikto against it, probably won't be anything real cool, and same with gobuster, and then we'll check out the website. I'm guessing it's just an authentication portal if it is a VPN, but let's check it out. Let's close some of these extra tabs. Whoops, I didn't mean to close TryHackMe; I'm just gonna get TryHackMe open back up. I was right: VPN portal login. "Note: your internal account should be used." So, hello... "Login failed, please check your username or password." And it's passing our parameters right there, which, that's a no-no, right? You don't want to pass your password in the URL. So if we're doing this for a real client we'd maybe point that out to them, like, hey, not a good idea. I'm curious if we can perform username enumeration. So if we pick a user that probably has an account... "Login failed. Your internal account should be used." So if we get some creds we could check this out. Is there anything in the page source? Oh, the email is the user, or the ID is... "replace enter user." So if I do linda.gordon at, what was it, corp.reserve.loc... oh my goodness, whatever, let's copy the whole thing. What's that do? Submit. Okay, no, we can't. So what I was checking, if you're wondering what I'm doing: sometimes an authentication portal like this will provide you with username enumeration. So, for example, if we had a valid user but an incorrect password, it will tell us wrong

password, and then we know, hey, we do have a valid user. Or, I doubt it's this way, but sometimes you can actually figure out whether or not the user is valid based on response time. So if you use something like Burp Professional and you try to submit a bunch of false logins with a correct login to a web portal like this, you can actually look at the response time, and sometimes you'll notice a pretty big difference in response time between a valid user and an invalid user. And then, although the error message might be the same, it might be generic, you can still assume, hey, I know which users are valid and which users aren't valid, for kind of a brute-force attack. I'm assuming this is a valid user and that is their email, but there's not much more we can do with this. That's not going to find anything, though. Isn't going to find anything. I doubt dirb's... it found /vpn, which is a redirection. Oh my goodness, what is this? Oh, we have an OpenVPN file. Well, would you look at that. We might be able to connect, then, and we'll want to take this down for our notes. So let's go to VPN and we'll just say, I'll drop the link to it there. Mousepad, because I'm not leet enough for vim, and we'll just call it Corp username.ovpn. Oh, I need to fix that; this just can't resolve the host, of course, we just need to edit that, so right there, which is, what are we, 113.200, right? I think... 113, I mean. So .113.12, maybe. Should be connected to the VPN server, .113.12.

I don't know if that'd be right. So do we have it? Is that it right there, our tun0? Yeah. Oh shoot, did we just get access to the internal network with this VPN? I think we did. Okay, there's a few things we could do now. So we know that that is our IP, so we know that's going to be the internal network. Grab this. I'm trying to think of the way I want to organize my notes, so if we do like that, an internal network like that, and now we could do "find other hosts." Can we just do nmap here? Let's go like this. Let's pull up ChatGPT. Amoeba Man said, "You have something, you just need to figure out what you have." I have some type of VPN file that I have access to on tun0. Looking at Amoeba Man, he's giving us some hints over in the chat, like, "What does a VPN actually do? Think about it in the context of your Capstone VPN. How does that work? What does it do? Read the text, as you might scan something and get into trouble." Oh, so slow steps is the way to go here. Ah, I see. So my Capstone VPN gives me access to, of course, this internal network on TryHackMe, and now we found this Corp username VPN. "Read the output when you're on the Capstone VPN. Read those long lines, don't be shy." I've got to read them out loud. "Note: --cipher is not set. OpenVPN versions before 2.5 defaulted to BF-CBC..." Hold up, oh, that's the same thing. "If you need this fallback..." blah blah, "cipher... is not supported." OpenVPN 2.6.1. I'm just trying to see if there's anything different between the two. "library versions: OpenSSL 3.0.8..." "Validating certificate extended key usage... Certificate has EKU TLS Web Authentication." Oh man, someone's raiding with a party of 45. Welcome, 45p... oh my goodness, 100-some people. What's up, everyone, welcome to my stream, y'all, good to have you here. You can help me not be a noob, guys. I don't know if any of you have looked at the TryHackMe Red Team Capstone network, but that's what we are working on. We found an OpenVPN file, this Corp username.ovpn, and Amoeba Man's telling me, don't

start scanning stuff, you're gonna get in trouble. So we're trying to figure out, like, what this is going to show us. We have this guy right here that I thought would maybe... so my initial thinking is that, hey, I have this VPN, now I have access to their internal network and I'm just going to scan for what hosts are alive on the internal network; that was kind of my plan, but he told me not to do that. Oh, I see: net_route_v4_add. I think I see what I'm missing. These are the networks right here; those are the two things that we have access to. I don't know why I didn't see that before, right? Because if you look at this, this is our IP, but what we're getting access to is this network right here, this /24 network. Same with this one right here: this is our IP that we've just been assigned, and this IP allows us to access these two machines, these .21 and .22, which, if you look over here, they're not part of the external-facing network. So these are machines somewhere in this internal network; one of these is the .21, one of these is the .22.
I'm pretty sure that's what Amoeba Man was saying: that's what we have access to. So let's go ahead and record this information, grab this from nmap, and we don't know what these are, so we're just going to drop the IPs in here for now. There we go. He says "12.100 actually exists on the internet; if you scan 12..." Is that like EC2 or something? "You'll scan the internet; sadly it's a ban in the challenge, based on assessment skill." Well, thanks for catching me. I get banned on my first TryHackMe stream; that would be amazing. But yeah, I think this is what it is, right? So this is our IP, of course, but it's giving us access to these two machines right here. So let's just start very simple: can we ping the machines? He said, "No, it belongs to someone else, no clue who though, someone in the U.S." Almost broke the law there, guys. Well, I mean... oh, "vpns," there's a plural "vpns". "VPN files will be stored here." Okay, I wish they were there, but we do have VPN. Distracting myself by looking at scan results. Let's start simple, let's start with this one. Can we ping it? That's going to be the question. What's this doing? Nikto, we can stop that. And it may not accept pings if it's a Windows host, so Windows Firewall by default will stop those pings, so it doesn't necessarily mean it's not alive if we can't ping it. Let's try nmap -p- 10.200.113.21 -Pn, which, I mean, just ignore host discovery, just assume the host is alive, and let's see if we have anything. Oh, it is a Windows machine, I can tell by the first part that comes back. This is some type of server. Oh, cool, cool. What's this one? Yeah, we got RDP, SSH, SMB; might be some juicy stuff on these ones. And let's rename this. I like organization, if you guys can't tell by now. And we have similar stuff here; might be a workstation of some sort or a jump box of some sort. Let's do a targeted scan. Gosh, I'm glad I did this, jar. I wasn't even going to do this because I was like, it's a VPN, what does it have on there? I'm glad I did that. So we see these different

ports open there. Yeah, these are one of the hosts, so we're on the internal network now, at least these are two hosts on the internal network; these ones are not public-facing. So, actually, let's open these notes here, we'll keep it in my VM. So we're going to do, like, nmap -p 139,22,135,445,3389 -A, for an aggressive scan, 10.200.113.21 -Pn -v, and I think it's the same ports here. And what I'm doing, guys, you could use AutoRecon to speed this process up. I just do it manually, I don't know why, but it worked for me on the OSCP, and so that's how I do it on these machines too. And I know I can also output it to a file, but once again I just like to copy it into my OneNote, for good or for bad. I doubt those are going to find other ports, but while they run we'll start doing a more targeted scan. I wonder if that's going to find anything, like that, and we'll do it again to the other one. Amoeba Man said, "Interesting how all three streams thus far had a completely different path taken." That is cool. So I did find the third path. I told Amoeba Man before I started, the third path was going to be me hacking his real email and figuring out the entryway, but this instead was my third path, although I almost got banned from the challenge by scanning a real IP out on the internet. I thought maybe you guys are hosting something like an EC2, but okay. We'll give these a little bit to return. I doubt these are going to find anything else; these are probably just going to run. I bet these are just the ports that are open on here. It looks like some type of workstation based on what's open, and there's a few other things we can do because we already know the ports on some of these, we know what services are running. I'm honestly just gonna stop; I doubt there's more. I don't want to miss something, though. All right, we'll go like that. I don't know if my syntax is right here: 10.200.113.22... Okay, so what I'm checking now, guys, is if I

can list stuff on the SMB anonymously, but we're getting NT_STATUS_ACCESS_DENIED, so we probably can't list stuff on these workstations. Okay, so one of our, or both of our, targeted scans are done, so let's check out this information that got back. So this is for... let's close these out. Which IP is this? .21, okay. All right, let's get our notes organized. This is .21 right here, we'll drop in our nmap results, and I'll show you guys how I do notes. It's SMB, all that stuff has to do with SMB, so I'm going to move this up. Okay, so we have SSH, 22. Keep our notes organized, make that a sub-page, and we'll just call all of this SMB, oh come on, and then RDP, and then we'll look at each one of these results and see if we can figure out what this is being used for. Okay, so RDP: we have what appears to be a workstation, so we have a name right here for it, work one, so we can actually update this. We have that, so we know it's a workstation because we have work one; at least I'm assuming that's a workstation, and it would make sense to have RDP open on a workstation and exposed only internally, of course, because we are on the internal network with the VPN file that we discovered. So that stands out to me. SMB: we have message signing enabled but not required; we might be able to abuse that later. SSH: that's probably not going to be vulnerable to anything. Let's check out our other results real quick. Did I not... oh shoot, did I close the scan? I did, for the other one. I'm dumb, I must have closed it, silly me. We'll run that one. This might be, like, workstation 2 or something, I'd assume. You can't SSH... SMB is here. And what I'll often do, guys, is make a to-do list for this. I have some of my own notes, but you know who makes better notes than me? HackTricks. All right, so here's what we have access to; explains what it is; server enumeration, so we don't need to do that. TShirts said, "I love the way you format your notes, but I can't get my OneNote to look like that." To look like what? I don't have anything

special, I use no plugins, it's about as plain Jane as it can be. We have here, that's done now. Possible creds, attain them from... oh, enum4linux. We could try enum4linux against these hosts; we'll put that as a to-do list. And we're going to jump back over here now and check out these results. So, same thing, let's copy, add to our notes. Kind of the boring stuff, but having good note-taking, guys, is still what pays off in the end, in my opinion. And I'm sure there's better ways of doing this, faster ways of doing it; if you guys know them I'd love to hear them, but it's also really hard to break my own habits. I've tried to use other note-taking things and I always just come back to OneNote, just because I'm used to it. But curious, for those of you in chat, what you guys use for note-taking. Does anyone else use OneNote like me, or am I the only OneNote noob here? 135, 139, 445. Cardi Box said, "I'm Obsidian." Obsidian, Obsidian's cool because some of the coding stuff there. OneNote, OneNote. TShirt said, "Facepalm, there's two different OneNotes." That's true. Oh, a lot more people use OneNote than I thought. I thought most, like, you hacker people use cooler things, and I was like, there's a weird, strange dude using OneNote. Glad I am not alone in my OneNote usage. I just like the way things are organized, and I mean, I have all my notes throughout here. Okay, so I was right, we have workstation 2, is what this guy is, or gal, I don't know whose workstation it is. "Visual Studio Code with markup." Dude, you're the, or ma'am, you're the real hacker, Neon Resin. I've actually used Visual Studio Code a little bit for note-taking, but usually just, like, on-the-spot note-taking, kind of like how I use whatever this is, Mousepad; I'll use Code for that. I like the way Code looks. But all right, so similar stuff open on both machines. I'm guessing we'll get the same results on SMB. One thing that we can do... I'm getting tired now that we're, like, almost two
hours in. We're gonna go, guys, until the top of the hour and then we'll call it a night, but like I said, I'll be back on tomorrow night; I'll share more information about that as it gets closer. And we could, let's see, so if we get username and password we can do that. I want to see if enum4linux is gonna work at all on these hosts, I'm just curious. We'll just run it full on both of these. What is this doing? Oh, this is my full scan. Amoeba Man said, "It might be time to dust off your massive AD chart." Oh sweet, are we at the AD hacking part? All right, let's pull up my AD hacking tools, show you guys what Amoeba Man is referring to. It actually expanded my AD hacking stuff. Let me look through here real quick, did I include it here? Here's my full Hack The Box Academy path on AD, too. My AD lab, is it my hacking guide? I'm telling you guys, I'm taking notes on all this. Here's my Windows enumeration, Linux enumeration, Active Directory, here's the attack map. You guys are going to be blown away, are you ready? If you've never seen this, see this. You guys see the beauty? Just kidding, we need to zoom out. This is Orange Cyberdefense. Shout out to you, Orange Cyberdefense. Let's see who made it, who do we owe credit to: mayfly, Viking, and Santo rule, or whoever you are, thank you for this. Thank you, Orange Cyberdefense. "Some commands can break stuff, be sure to know what you're doing." Yeah, good idea. So, pentesting Active Directory. Oh man, this might be a good spot to pick up in our next stream. We're starting out with no creds, right? So we can scan the network, find the domain controller IP, try zone transfers if we figure out the DNS, this guest access, that's what I was trying to do initially, was guest access stuff, enumerate LDAP, find a user list, do some poisoning, oh, I wonder if poisoning would work on here, and coerce, PetitPotam or whatever it is. This is where we're going to pick up from. I think this is a good ending point since we're about two hours into the stream and I got

like 70 people on here. Guys, thank you, seriously, for hanging out with me. I'm gonna self-promote real quickly before I sign off. I'm gonna get my YouTube channel pulled up. What this is used for: my Twitch right here is really just for my live streaming. My main platform actually is YouTube. YouTube is where I post all my live streams when I'm done, but also just other videos as I make them about pentesting and hacking. So I just dropped my YouTube over in the chat; would really appreciate you guys getting to my YouTube page, subscribing and following me on there. And all my streams that I work through, even when I'm not doing the TryHackMe stuff, this is exactly how I do my stream. So a lot of content creators, I shared before, they solve a box, then they go back through it in like 10 minutes, and you're like, how the heck did they come to that? When I do this, guys, I'm first-reaction everything. I'm learning as I go, I'm stumbling through it. I do not solve the boxes ahead of time and then show you in 10 minutes how to solve them. We'll sometimes spend, like, four streams on one box as we struggle our way through it. So this is how I create content; really do appreciate all you guys hanging out here. So once again, I dropped my YouTube over in the Twitch chat, would appreciate it if you subscribe and follow on there. Otherwise, my plan, if I am able, is a stream every single night throughout this challenge. Now, I really say "if I am able" because I have two young kids, so, like, I work all day, then I usually go outside, hang out with them, and then put them to bed, and then I'm on stream. And so my start time can be a little bit buggy because it's whenever I can get my kids to bed. But I will say this: I think I can for sure say that I'll be live at 8:30 p.m. Central time, so I'll just drop that in the chat as well. Around eight o'clock, 8:30 p.m. Central time, and we'll go for, you know, an hour and a half to two hours each time; just depends how tired I get. We're at two hours right now. But every single night,

guys, come back, 8:30 p.m. Central time, and we are going to continue to work our way through this network. And tomorrow night we're going to pick up where we left off by attacking Active Directory. We have two workstations on the internal network, and I would say, I know I'm rating myself on this, so a little bit weird, but I think, guys, we can pat ourselves on the back. The Hack Smarter security group did a decent job: we enumerated some internet-facing machines, we found a VPN file, we stopped ourselves getting banned from TryHackMe thanks to Amoeba Man's help, for telling me to pay a little bit closer attention to what I'm looking at, and we gained access to the internal network. So, in our first stream, we have breached the perimeter. We have two workstations we have access to, and we're gonna see if we can compromise these workstations, we'll see if we can enumerate the network, maybe we'll drop some sweet username stuff, I don't know what we're gonna do, we'll figure it out on the next stream. So guys, thank you for hanging out with me, really do appreciate it, and I will catch you guys hopefully tomorrow night. I'll see you guys then. Peace.
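The lesson the stream ends on is worth turning into a small check: read the routes the VPN server actually pushed before scanning anything, so a target that is not routed through the tunnel (and would therefore go out to the real internet) is caught before the first packet leaves. The Python below is an added example written for this page; it is not code from the stream, from Tyler Ramsbey, or from TryHackMe. It parses an OpenVPN client log for the `route` options in the `PUSH_REPLY` message and for the `net_route_v4_add` lines the 2.5/2.6 client prints when it installs them, lists the reachable networks, and partitions candidate targets into routed and not routed. The log excerpt and every address in it are constructed for the example.

```python
"""List the routes an OpenVPN server pushed, and check targets against them.

Added example for this page (not code from the stream or from TryHackMe).
The log excerpt below is constructed to match the line shapes an OpenVPN
2.5/2.6 client prints on Linux; all addresses in it are made up.
"""
import ipaddress
import re
from typing import Iterable, List, Tuple

SAMPLE_LOG = """\
2023-05-12 20:41:03 PUSH: Received control message: 'PUSH_REPLY,route 10.200.113.21 255.255.255.255,route 10.200.113.22 255.255.255.255,route-gateway 10.50.113.1,topology subnet,ifconfig 10.50.113.12 255.255.255.0,peer-id 0,cipher AES-256-GCM'
2023-05-12 20:41:03 net_iface_mtu_set: mtu 1500 for tun0
2023-05-12 20:41:03 net_iface_up: set tun0 up
2023-05-12 20:41:03 net_addr_v4_add: 10.50.113.12/24 dev tun0
2023-05-12 20:41:03 net_route_v4_add: 10.200.113.21/32 via 10.50.113.1 dev [NULL] table 0 metric -1
2023-05-12 20:41:03 net_route_v4_add: 10.200.113.22/32 via 10.50.113.1 dev [NULL] table 0 metric -1
2023-05-12 20:41:03 Initialization Sequence Completed
"""

# "route <network> <netmask>" options inside a PUSH_REPLY control message.
# Requiring a comma or quote before "route" keeps "route-gateway" from matching.
_PUSH_ROUTE = re.compile(r"[,']route (\d{1,3}(?:\.\d{1,3}){3}) (\d{1,3}(?:\.\d{1,3}){3})")
# Routes the client actually installed, already in CIDR form.
_NET_ROUTE = re.compile(r"net_route_v4_add: (\d{1,3}(?:\.\d{1,3}){3}/\d{1,2}) via")
# The address assigned to our end of the tunnel.
_NET_ADDR = re.compile(r"net_addr_v4_add: (\d{1,3}(?:\.\d{1,3}){3})/\d{1,2} dev")


def pushed_routes(log_text: str) -> List[ipaddress.IPv4Network]:
    """Return the distinct IPv4 networks routed over the tunnel, sorted.

    Both the PUSH_REPLY options and the net_route_v4_add lines are read, so
    the result is the same whether the log was cut before or after the
    kernel routes were installed; duplicates collapse in the set.
    """
    routes = set()
    for addr, mask in _PUSH_ROUTE.findall(log_text):
        routes.add(ipaddress.ip_network(f"{addr}/{mask}", strict=False))
    for cidr in _NET_ROUTE.findall(log_text):
        routes.add(ipaddress.ip_network(cidr, strict=False))
    return sorted(routes)


def local_address(log_text: str) -> str:
    """Return the tunnel address we were assigned, or '' if it is not logged."""
    m = _NET_ADDR.search(log_text)
    return m.group(1) if m else ""


def in_scope(target: str, routes: Iterable[ipaddress.IPv4Network]) -> bool:
    """True if target falls inside one of the pushed routes."""
    ip = ipaddress.ip_address(target)
    return any(ip in net for net in routes)


def split_targets(candidates: Iterable[str], log_text: str) -> Tuple[List[str], List[str]]:
    """Partition candidate IPs into (routed over the VPN, not routed).

    Anything in the second list would leave via the default route, i.e. go
    out to the real internet, which is exactly the mistake to avoid.
    """
    routes = pushed_routes(log_text)
    reachable: List[str] = []
    not_routed: List[str] = []
    for c in candidates:
        (reachable if in_scope(c, routes) else not_routed).append(c)
    return reachable, not_routed


def expand_targets(routes: Iterable[ipaddress.IPv4Network], limit: int = 1024) -> List[str]:
    """Expand the pushed routes into a host list for a sweep, capped at limit.

    Every address of each network is included (a /32 is one host); the cap
    stops a pushed /8 from turning into a 16-million-entry list.
    """
    hosts: List[str] = []
    for net in routes:
        for ip in net:
            if len(hosts) >= limit:
                return hosts
            hosts.append(str(ip))
    return hosts


if __name__ == "__main__":
    routes = pushed_routes(SAMPLE_LOG)
    print("tunnel address:", local_address(SAMPLE_LOG))
    print("pushed routes :", [str(r) for r in routes])
    ok, bad = split_targets(["10.200.113.21", "10.200.113.22", "10.200.113.50", "12.100.113.1"], SAMPLE_LOG)
    print("scan these    :", ok)
    print("NOT routed    :", bad)
```

Feed it the real client output (for example `sudo openvpn --config corp.ovpn | tee vpn.log`, then read `vpn.log`) and only hand the first list to nmap. The `net_route_v4_add` lines are the authoritative ones, since they are what the client actually installed; the `PUSH_REPLY` parse is there so a log cut short still yields the intended scope.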
Info
Channel: Tyler Ramsbey
Views: 8,742
Id: xrh3g5VjY6Y
Length: 114min 57sec (6897 seconds)
Published: Fri May 12 2023