ShellShock & Kernel Exploits - TryHackMe! 0day

Captions
Hello everyone, my name is John Hammond. Welcome back to another YouTube video, and in this video we're going to be taking a look at a TryHackMe room, and this room is called 0day. It's put together by my good friend Ryan here, or 0day in the TryHackMe community. It has a medium difficulty, but we'll see about that. It says "exploit Ubuntu like a turtle and a hurricane," which is interesting and weird. So I've already deployed the machine and I have already filled out the answers here, so please forgive me in that regard, but of course I will showcase how to find user.txt and root.txt and how to work through this room. So I've got the IP address, and let's hop on over to a terminal here. I've created this 0day folder in my directory structure, and we could take notes in a README file if we really wanted to. You guys know that I'm bad about that; well, I say I'll do it and then I don't. So let's get started, though, with our typical nmap scan, or rustscan, whatever you want to do to start your enumeration. I will actually create an nmap directory, and I'll nmap -sC for default scripts, -sV to enumerate versions, and I will do -oN to output into an nmap folder, or excuse me, an nmap log file in a specific directory that I've just created. I'll call it initial and I'll include the IP address there. So I will let that run, and while it's going I will go ahead and start another terminal down below here and maybe enumerate manually. I'll go see if there's a web page open. It does say "root, my secure website, take a step into the history of hacking." Ah, okay, so let's open up a new tab. I'll paste that in here to get the IP address, and it's loading, there we go: 0day, Ryan Montgomery. Good, I didn't know if I wanted to say your last name, I didn't want to dox you, buddy. Internet marketer, dev, entrepreneur, and all of the classic socials. That's good, dude, gotta get that marketing in, marketing makes the world go around. Let's view the source on this in case there's anything interesting here. I don't see any
particular weird HTML comments, other than, I guess, a commented-out Microsoft icon. Nice. These are all external links other than a main.javascript file, but it looks like that's just toggling particles to look pretty, and that's about it. Nothing interesting in the CSS file, nope, it's CSS. So static files, nothing particularly interesting there. Okay, we could close out of that, and let's see if our nmap scan has come back. It looks like it has. Okay, we've got port 80 open, as we saw, and port 22 for SSH. Good to know. All right, well, because we know we have port 80 we can do some other enumeration, so I will get started with a little Nikto scan. I'll need to -h on that IP address; you do have to supply the http scheme if you use Nikto, and I will tee that out to a little nikto.log so I can keep track of the results there. And I'll also do a little gobuster. I will do a gobuster with a dir methodology, or dir, to look for directories and stuff like that. I'll use -u to specify the URL, again http as the scheme, and then -w to specify the wordlist. I'm in Kali right now, so I should be in /usr/share/wordlists/dirbuster; I always have to, like, fumble to find this thing. Yeah, directory-list-2.3-medium, that's the one I want, so directory-list-2.3-medium, and whack. Okay, cool, so now gobuster will go along. Ooh, and it found cgi-bin and img and uploads and admin. There's a lot of stuff here. Okay, cool, this is cruising for us. Let's go check out that /admin. Seemingly empty page; it gave me a 301 though, so what is that? That's a redirect, HTTP 301 response code. I should probably have these things memorized; I Google everything. Moved permanently, okay, yeah, it is a redirect. I don't know where it's actually going, though. Nikto's cruising over there. We found backup also. Backup, what the f, we got an RSA private key here. Is this just for SSH? Is that it? Is that it? I actually, I'll be honest, I'm peeling a little bit behind the curtain here, I'm breaking the fourth wall: I had not seen that when I went
through this originally. Uh, let's slap that in a little id_rsa to create a private key. Is this, oh, it is encrypted, ick. Let's tinker with this for a little bit. Let's specify this, and I can assume, right, we probably have a username ryan. Um, what was the IP address of that box again? 10.10.14.250. 10.10.14.250, whack. "Invalid private key format," what the what? Yeah, yeah, okay, I gotta chmod the thing, make it so only I can read it, chmod 600. If you ever see that warning, "unprotected private key file," then that's what you gotta spit on it. Invalid format. It has newlines, it's supposed to have newlines. Whenever I get that invalid format I know it's supposed to have newlines. Does it need to have two for some weird reason? What? Oh, yeah, yeah, okay, no, no, so it does just need a passphrase. Let me see if I can crack that. Um, I have John the Ripper, right? Don't I? I also know that I have rockyou. locate rockyou, excuse me. Do we need a little updatedb, Kali? Let's keep looking around while that's doing its thing. Um, also /secret. These are stuff that I had not seen before; I just kind of went straight to what I expected. So what is in /secret? Turtle. What is this, turtles? And we have that turtle link. Can I, like, download this? Yeah, copy image location, and then I guess that's like wget that. I'm gonna create another terminal up here, wget that guy. Is there anything, like, weird in this turtles? I'm just going to strings it to see if there's anything hiding in this. It is a PNG file, so if there's any steganography we could use zsteg. steghide won't work on this, because steghide only works on JPEG files, fun fact, and zsteg also only works on PNG files, another fun fact. updatedb is taking a long time; I'm pretty sure it's just in wordlists, like I probably don't need to do this. So, uh, let, actually let's copy /usr/share/wordlists/rockyou, that thing, yeah, yeah, I literally saw it earlier and just didn't realize. Let's gunzip this, and now we have rockyou.txt, which is huge and ginormous, fantastic. Let's
use john. Oh, I need to use, like, an ssh2john, don't I? Do I have ssh2john? I'm probably going down a rabbit hole here. I don't even know if this SSH private key is a thing that I care to use. Why does Kali Linux not have ssh2john? Fantastic question, internet. Let's, uh, steal all of this, as we do. Great. Is that a Python 3 thing or a Python 2 thing? python3 ssh2john, yeah, okay, I guess it just does it. id_rsa, spit that out, let's redirect it to a forjohn.txt. Good, and now let's try and use that John the Ripper on, for john, with the --wordlist= our rockyou.txt in the current directory. Let's see if that actually ever gets anything; I don't know if it will. Oh, "letmein" is the password, I don't know if you can see that down there. Great, can I use that? Let's Ctrl+R to kind of reverse search in our terminal, and then I'll look for that ssh -i gimmick, and I'll try the password "letmein". What? letmein. Okay. I don't know Ryan's password, but I did know that id_rsa. Lame. Um, maybe that is a rabbit hole. I'll be legit, I did not see that when I went through this the first time, so Ryan, you can scream at me through your computer monitor if I'm being crazy. I probably am, but hopefully that was a little fun jaunt; it was a fun little excursion that we went on together, and I found the turtles page. So what else do we have in that gobuster output? img, which was images, admin, and css, js, that stuff's boring. uploads, we didn't check uploads yet, did we? You guys that know this room know that I'm just beating around the bush here. Let's get to it, let's get to the real stuff: cgi-bin. Let's check out what you got in there. Forbidden, we do not have permission to access /cgi-bin on the server, ick. Well, we know that it's a thing, and what is a cgi-bin? If I were to simply Google that, let's take a look. Common Gateway Interface: "In computing, a Common Gateway Interface, or CGI, is an interface specification for web servers to execute programs like console applications
running on a server that generates web pages dynamically. Such programs are known as CGI scripts or simply CGIs." "cgi-bin is a folder used to house scripts that will interact with the web browser to provide functionality to a web page or website. A Common Gateway Interface, or CGI, is a resource for accommodating the use of scripts in web design." Okay, so I don't know if you were able to process that, but it is going to be running console applications. If we're running on a particular, like, Linux server, then maybe we can get an idea as to what we're actually looking at. If I go back to that page, I'll hit F12 to open my developer tools and I'll take a look at this Network tab. I'll bring this up so you can see it, and we'll look at Ryan's mean mug over there. Okay, refresh the page. I can take a look at this GET request and we'll see if there's anything in the response, and my face might be in the way. The response headers here, let's see if it tells me anything interesting. Yeah, server is Apache 2.4.7 on Ubuntu. So Ubuntu, I know that I'm running Linux, right? I know that the server is Linux, so if we're looking at console applications we're probably looking at, like, bash shell scripts for CGI. So with that in mind we can try and enumerate some of this stuff. Let's close out this gobuster instance and let's try and run another one with gobuster dir mode, -u for the URL, and let's include that cgi-bin and then a forward slash, so that we're going to start enumerating from there. But now we don't want to just be looking for, like, directories, we want to be looking for specific files, so you have to supply this -x argument to supply the extensions that you want to be looking for. If we want to be looking for these bash shell scripts, let's use sh. Let's look for a cgi file extension that might be there. We could look for log, we could again look for html in case there's, like, any index there, or php or js or css, whatever you want, but let's just let this roll and see if we find anything. I'll let
this go for a little bit. I don't know how well it will go, but let's also go take a look at our Nikto results. Sorry, frantic tile changes here, I hope you can see this. Oh, Nikto has just found admin and backup, and maybe those are particularly interesting. Oh, what, also found in cgi-bin: "test.cgi: site appears to be vulnerable to the Shellshock vulnerability," and it gives me a link here that I can go check out. Okay, so Nikto found it. gobuster probably hasn't yet, but it might get to it real, real soon. If there's a test.cgi file, let's take a look at that in that cgi directory. Let's go to test.cgi, and that tells me "hello world." Great, fantastic, okay. Let's take a look at this Chromium page that opened up for me. "GNU bash through 4.3 processes trailing strings after function definitions in the..." I don't need to offer a new password for a keyring, can you leave me alone? Thank you, sorry. "...function definitions and the values of environment variables, allows remote attackers to execute arbitrary code via a crafted environment, as demonstrated by vectors including the ForceCommand feature in OpenSSH sshd, the mod_cgi and mod_cgid modules in the Apache HTTP Server, scripts executed by unspecified DHCP clients, and other situations where setting the environment occurs across a privilege boundary from bash execution, also known as Shellshock." Ooh, okay, so I'm excited about this, because I actually don't think I have a video on my YouTube channel that showcases Shellshock, or at least, like, when I did a cursory search for John Hammond and Shellshock, I don't think anything showed up. So I'm kind of excited to be showcasing this; I hope this will be kind of fun and kind of cool, hopefully I don't take forever, but maybe you'll learn a thing or two. So gobuster found it, great, uh, Nikto has apparently found it a second time, I guess, and we know we have a response from that, we know we can read it with an HTTP 200 success. Okay, we've got that page; now how do we go ahead and abuse this vulnerability? What is this Shell
shock vulnerability? I will do a little bit more Googling and research, because if this is literally the first time I've ever done a video on this, I do kind of want to give you a little bit of background. "Shellshock, also known as Bashdoor, is a family of security bugs in the Unix Bash shell, the first of which was discovered on," 2000, excuse me, "24 September 2014." So some time ago, like, this thing is old, right? "Shellshock could enable an attacker to cause Bash to execute arbitrary commands," that's dangerous, "and gain unauthorized access." Cool, cool, cool, cool. There are a lot of CVEs that have identified this, probably because of all the different ways it can be reached, like we discussed DHCP, we discussed Apache, we discussed that sshd gimmick. I wonder if this version of SSH is actually also vulnerable to that in some way. Okay, specific exploitation vector: CGI-based web servers. "When a web server uses the Common Gateway Interface, CGI, to handle a document request, it copies certain information from the request into the environment variable list and then delegates the request to a handler program. If the handler is a Bash script, or if it executes one, for example using the system call, Bash will receive the environment variables passed by the server and will process them as described. This provides a means for an attacker to trigger the Shellshock vulnerability with a specially crafted document request. Security documentation for the widely used Apache web server states: CGI scripts can be extremely dangerous if they are not carefully checked." Nice, okay, let's figure out how to abuse this now. Let me do a little bit more Googling; this page is apparently useless for me. So "shellshock poc," or "shellshock proof of concept," there we go. Oh, mubix has some great stuff, we could check that out, something on GitHub, like a little gist, another repository here. mubix, so Rob Fuller's got a ton of great stuff here, he's an incredible guy, I have a lot of respect for him. Um, okay, it showcases all of these
different potential gimmicks: the bash command line on Linux, OS X, and Windows via Cygwin. This is a specific CVE, and they're setting an environment variable, which we understood, with a little syntactic sugar there, and trying to snuff in another command, echo "CVE vulnerable," and bash id. Okay, could we just, like, try that? How do we do it? Let me copy, let me copy that syntax. Copy HTTP, oh, there's a Metasploit module, yeah, okay, I want to showcase that once we get to it, so stay tuned, join us next time in five minutes. All right, that's enough scrolling through this page, let's actually tinker. Um, let's open up this page here, let's try and curl and invoke this http://10.10.14.250/cgi-bin/test.cgi, so we get our hello world response. Now let's try and actually supply one of those headers, right? So header, um, User-Agent, and I'm completely working off the cuff here, so I have no idea if this will actually succeed; in fact I don't think it will, but let's supply this User-Agent variable and try and spit in this other syntax here, echo "CVE vulnerable." This is using another set of double quotes, so I don't really want it to, because I'm already using double quotes for the header itself. Let's try it. No. Okay, I'm not a thousand percent certain on that syntax, so let's keep exploring. This looks like it has the exact same code as the other page. Yep, yeah, it literally says "taken from mubix." Let's check out this other resource; this looks like a full, like, fully fleshed out tool. "Shellshock, also known as Bashdoor," straight copy-paste from Wikipedia. Oh, they give you, like, a vulnerable... that's really cool, they give you a little vulnerable Docker environment to poke at and play with. Oh, simple example: the category, password, supply the User-Agent, echo, echo, and then running a command with bash. What was I doing wrong there? Do I need, like, one of the echo echoes in there? Echo. Oh, does it, like, need to be on new lines? No. All right, let's just try this syntax. Maybe I don't need this env thing; that might be because
it's expecting you to be on a regular Linux command line, like within the terminal. Maybe I don't need to specify that environment variable, it'll just be kind of loaded. echo, echo, and I don't need that "vulnerable" notion there; they just use a bin bash and then a command. How about that? What? That did nothing, that gave me nothing. Does it need to be, like, an absolute path, /bin/bash? Okay, it needs to be an absolute path, so that's something to take note of: if you end up running a command through Shellshock, try and be explicit about your absolute path for the programs that you're trying to run, at least when you're invoking /bin/bash, and then you don't have to do it when you supply the actual command or argument within that /bin/bash -c subprocess. Uh, so we can do whatever we want with this now, right? Like, we have remote code execution as that www-data user; we saw that in the id command output. But to read files we can cat. Hey, there's that ryan user that we took kind of a guess on. So you could go through this and get your reverse shell now. You could fire up pwncat if you wanted to use that; you could do this super easy, right? That's the proof of concept, and that is the little sweet sauce to trigger that Shellshock vulnerability. Um, you could do this manually, and you could run that and you could get a bare-bones basic reverse shell. Uh, we did notice that, hey, there also is a Metasploit module. I am of the opinion there's no shame in using Metasploit if you know there's something available. It, for one thing, is going to be more stable and more trusted, and maybe not as detection sensitive, right? You could do a little bit more evasion stuff. So I've fired up msfconsole now, and I will go ahead and search for shellshock. Great, okay, there's a lot of stuff here, so I'm going to kind of zoom out so you can see this, and let me discuss some of the things that we can see here. The description is actually going to do a really good job of telling us what's up. This is an
auxiliary scanner, though; it's not an actual exploit. So while this reads, hey, excuse me, apache_mod_cgi, I want to go for the exploit, so the exploit mod_cgi bash environment variable. So let's use this library, or this module. I copied that and I will use just that, the copy-paste that I got there. "No payload configured, defaulting to meterpreter," that's totally cool, I'm good with that. Let's try and show options. So we know that our LHOST is wrong, right? We've got to go ahead and set LHOST, and I can just use the interface here, so I'll set it to tun0, or my current TryHackMe interface. We also know that we need to specify our RHOSTS, and that our port is probably the same, yeah, 80 is totally fine. So let's set our RHOSTS to that 10.10.14.250, so we have the proper target, and then what else do we need in here? TIMEOUT is required, you can see that yes there in the required column, but it's already supplied. TARGETURI is what we need, duh, of course, right? It needs to know what CGI script is actually vulnerable and in the way here, so let's set TARGETURI to /cgi-bin/test.cgi in our case. Great, I think that's everything we need. We know ourselves, we know the target, we know how to get to it, so we're good. Let's just do it, run. How do we look? Sending stage, nice, "Meterpreter session 1 opened," and we've got a Meterpreter shell. Let's getuid. Heck yeah, no-user @ ubuntu, that's kind of weird. Uh, if I just hop into a shell, I'm going to use bash -i so I can actually see my prompt, because otherwise I'm just kind of, like, driving blind here. Let's use bash -i. Great, okay, now I can run the id command, and I am still www-data. Great. Um, let's go explore. I can't clear my screen in this. Let's exit out of this and let's get back to our Meterpreter shell, Ctrl+C to terminate, yep, okay. Uh, let's go home, cd /home, and let's see what we've got in here. There is a .secret, what is that? Hey, is that real? Let me get back in that shell. I'm sorry, Meterpreter is great when you need to do, like, okay,
extra command and control or stuff. Not secret? What the f, can I just read that? Is that real? No, but it's all readable. It's a symlink, I guess; maybe I just can't read through the symlink, whatever. All these curveballs that have been thrown at me while I'm trying to record this thing, we're already, like, a half hour in. Let's get into ryan's home directory, because we can traverse into that, it has an everyone-executable bit, so let's hop over there and let's ls -la, and it looks like his user.txt file is world readable, so we don't even have to be that ryan account, we can just go ahead and cat user.txt. Nice, there we go, that is that "shellshock rules" flag. You could submit, slap it in there, and get some points on this guy. Now we should try and do some privilege escalation to see if we can get root. Um, we don't even have that ryan user yet, so let's just do some regular enumeration and looking around. Let me Ctrl+C again to terminate this channel. This is the benefit, right, so because we have Meterpreter open, and also the benefit of pwncat, let me remove everything that's in there. Can I? I still have some of my stuff from when I ran through this earlier. Don't, don't tell anyone, don't tell, shh. I just ran shell rm everything, clean it up, okay, good. You didn't see anything, you didn't know that I staged this, it's all artifice. Let's, uh, let's go ahead and upload /opt/linpeas, and now that that's uploaded let's get back to our shell again. Again, I just really like my Meterpreter for the command and control or post-exploitation as needed, but I keep supplying -i to shell and I don't need to; I meant bash. Let's ls -la. We've got our linpeas script there, let's mark it as executable, linpeas.sh, and now let's ./linpeas.sh and let's tee it so we can keep a log of it to, like, linlog.txt or whatever you want. So if I fire that up, there goes our little peas head and we'll do our enumeration. I'll scroll up, I'll scroll to the top here to see what we've got. I thought I saw something interesting
already, because you know how linpeas will give you, like, that color-coded key or the legend, right? Oh, this Terminator is not gonna let me scroll all the way up, you jerk. I need to adjust the scrolling here, scrolling, infinite scrollback, please, thank you. Now I can't actually scroll to the top, dang it, and this is going to take a little bit of time. Let me just stop it here. Yeah, we don't need to run that, we've got that linlog.txt with a couple of stuff in it. So back into my shell, bash -i. Uh, if you want to see the colors you can use less -r on linla, excuse me, linlog.txt. "linlog may be a binary file," yep, I don't care, show it to me anyway. Why did you not let me paginate through that? Oh, probably because you're weird through Meterpreter right now, but I've still got it out on my terminal and I can see everything that linpeas returned for me. So there's that beautiful peas head, and let's see what we've got. Remember that legend, remember that color-coded key here: red and yellow is 99% a privilege escalation vector. So when we look through here, the operating system version, or this uname -a output, like when you try and check the kernel version, it's immediately notifying us like, yo, there's something up here, you could probably bork this, you can probably muff around with this. So 3.13.0 is an old, old, old kernel version, and just as we saw with Shellshock, and just kind of as we saw in the room here for TryHackMe, it's saying look, take a step back, we're going through the history of hacking. So let's grab, like, this kernel information, let's just grab this string, let's try and look for maybe something in searchsploit. So I can stop gobuster, because we don't need to still be running that, um, I can stop Nikto, because we don't need to still be running that, and I can also stop strings. Let's go ahead and searchsploit, though, and look in Exploit-DB for something with this kernel name, so I'm just going to slap that in, and it doesn't have anything. So maybe let's widen that search a
little bit, let's remove the -generic. Still nothing. Let's remove the -32. Ooh, there we go, now we've got something: Linux kernel this, and we've got some code and a text file we could look at. Let me zoom out so you can see that a little bit better, still on Ubuntu, and it's not going to tell me more than that, I guess, because I've got to shrink my screen. So let me just examine one of these, let's searchsploit -x to examine this text file and see what it says. "The overlayfs filesystem does not correctly check file permissions when creating new files in the upper filesystem directory. This can be exploited by an unprivileged process in kernels with CONFIG_USER_NS=y when overlayfs has the FS_USERNS_MOUNT flag," et cetera, and they showcase it. Okay, cool, create namespace, I don't know what that is, maybe is that something that they've got configured? Oh yeah, okay, and they overwrite, like it said, /etc/shadow. "The attached exploit gives a root shell by creating a world-writable /etc/ld.so.preload file. The exploit has been tested on the most recent kernels before 2015 on older versions of Ubuntu." So cool, if it's a privilege escalation thing, this explanation was handy. Let's take a look at this C code, maybe we could work with that. Exploit title: overlayfs local root Ubuntu, yup, everything that we just read about in the comment. They showcase the example use here, and you just get root. Okay, looking at the source code, it's making a little ns exploit taking advantage of the overlay filesystem, overlayfs, cool, cool, cool, cool. All right, I'm cool with this, let's give it a go, let's give it a whack, you know. Let's searchsploit -m to mirror that 37292.c file, and now it's in our current directory here. Great, so because we still have our little Meterpreter shell, let's go ahead and upload that. I will upload ~/ctf/tryhackme/0day, and what was that called, 37292.c, did I get it right? Nice, nice, that's why they pay me the big bucks. Just kidding, YouTube doesn't pay anything.
Okay, uh, "no such file or directory," because the tilde Meterpreter is going to trip over. Let's /home/kali, whack. Cool, that's done. Now if I ls, that's over here, and let's get back to our shell, I'll bash -i so I have a prompt here, and let's gcc to compile this 37292.c, and it compiled. Hello, ls -la, no, ah, yeah, okay, there's just an a.out file in our directory now, no problem with that whatsoever. When I had gone through this the first time, I noticed that it couldn't find, like, cc1 or one of the compiler binaries; um, it just didn't know where it was, so I needed to specify the, like, path to it. I needed to export my PATH variable and include that in there. It just had a "no such file or directory" for the cc1 command, um, in case you ran into that, I just want to let you know. But it's not obviously important right now, and maybe the box got patched or something, or it got cleaned up, where we didn't run into that hurdle. If we weren't able to compile it on the target machine, like if it didn't have gcc, then we could just compile it locally and pass it over, or create a Docker container with the, like, specified version and everything to try and match it. But let's go ahead and run this, right, we got a.out, that's so nice. Kernel exploits are crazy, dude, now we're root. That's it, okay, little privilege escalation stuff. Let's hop on over to cd /root and let's grab that root.txt. Nice, good job, 0day is pleased, I have pleased the 0day god. Let's, uh, can I check out that, like, little .secret stupid thing now? I mean, obviously, because I'm root, but, oh, cat, duh, .secret, wtf, why is that there? Hey, that was a lot of fun. Uh, I hope you enjoyed this video, hope you were able to have some fun with me. I hope the little walkthrough of Shellshock was not painfully slow and annoying. I hope you got to learn a little bit there and see it from a lot of different perspectives, between doing it just bare-bones in the command line and also using a little bit of Meterpreter and jumping
in and out to clear us up from Meterpreter and a regular bash shell. So we could submit this, get that root.txt, and consider this room done. So very, very cool, very, very fun. Uh, I really like all the references to turtle, and now a turtle and a hurricane, I realized the Shellshock joke there in the gimmick. So thanks for this room, Ryan, thanks for this room, 0day, uh, I really appreciate this one. Thank you all so much for watching, I hope you enjoyed this video. Uh, please do all those YouTube algorithm things, please like, comment, and subscribe, you know I'm super duper grateful, I'd love to see you on Patreon or PayPal or whatever if you're willing to help support. So thank you so much, I love you, I'll see you on the next video, take care. [Music]
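The CGI handoff the video describes, as an added example that is not from the video, the room or Metasploit: a model of how the web server turns request headers into HTTP_* environment variables for the CGI script, and a check over Apache access-log lines for header values that bash through 4.3 would have parsed as an exported function definition, which is exactly what Nikto's test.cgi finding is based on. The log lines, IP addresses and the /cgi-bin/test.cgi path are constructed sample data.

```python
"""Added example: CGI header-to-environment mapping and a Shellshock probe check
over constructed Apache access-log lines (not code from the video or the room)."""
import re
from typing import Dict, List, Optional

# Apache "combined" log format; Referer and User-Agent are the trailing quoted fields.
COMBINED_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+)[^"]*" (?P<status>\d{3}) \S+ '
    r'"(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)

# Bash through 4.3 treated any environment variable whose value begins with
# "() {" as an exported function definition and also ran the text after the
# closing brace. That prefix is the part every Shellshock probe shares, so it
# is what a log check or WAF rule keys on.
FUNC_DEF_RE = re.compile(r"^\s*\(\)\s*\{")


def cgi_env_from_headers(headers: Dict[str, str]) -> Dict[str, str]:
    """CGI (RFC 3875) hands request headers to the script as HTTP_<NAME>
    meta-variables: "User-Agent" becomes HTTP_USER_AGENT, "Referer" becomes
    HTTP_REFERER. This is why a single header reaches bash on a CGI server."""
    return {
        "HTTP_" + name.strip().upper().replace("-", "_"): value
        for name, value in headers.items()
    }


def tainted_env_vars(headers: Dict[str, str]) -> List[str]:
    """Names of the environment variables a bash CGI handler would receive
    whose value would be parsed as a function definition."""
    env = cgi_env_from_headers(headers)
    return sorted(name for name, value in env.items() if FUNC_DEF_RE.match(value))


def parse_combined(line: str) -> Optional[Dict[str, str]]:
    """Split one combined-format access-log line into its fields, or None."""
    m = COMBINED_RE.match(line)
    return m.groupdict() if m else None


def find_shellshock_attempts(lines: List[str]) -> List[dict]:
    """One finding per log line whose Referer or User-Agent would land in the
    CGI environment as a function definition. cgi_target records whether the
    request hit /cgi-bin/ at all, i.e. whether a handler could have run it."""
    findings = []
    for line in lines:
        rec = parse_combined(line)
        if rec is None:
            continue  # not combined format; a real tool would count these too
        hits = tainted_env_vars({"User-Agent": rec["ua"], "Referer": rec["referer"]})
        if hits:
            findings.append({
                "ip": rec["ip"],
                "path": rec["path"],
                "status": rec["status"],
                "vars": hits,
                "cgi_target": rec["path"].startswith("/cgi-bin/"),
            })
    return findings


# Constructed sample lines (not real traffic): a normal request to test.cgi,
# a probe against test.cgi, the same probe against a static page (no handler
# runs there, so bash never sees it), and a probe carried in the Referer.
SAMPLE_LOG = [
    '10.0.0.5 - - [27/Oct/2020:10:00:01 +0000] "GET /cgi-bin/test.cgi HTTP/1.1" 200 12 "-" '
    '"Mozilla/5.0 (X11; Linux x86_64) Firefox/82.0"',
    '10.0.0.9 - - [27/Oct/2020:10:00:02 +0000] "GET /cgi-bin/test.cgi HTTP/1.1" 200 40 "-" '
    '"() { :;}; /bin/bash -c \'id\'"',
    '10.0.0.9 - - [27/Oct/2020:10:00:03 +0000] "GET /index.html HTTP/1.1" 200 1024 "-" '
    '"() { :;}; /bin/bash -c \'id\'"',
    '10.0.0.7 - - [27/Oct/2020:10:00:04 +0000] "GET /cgi-bin/test.cgi HTTP/1.1" 500 0 '
    '"() { :; }; /bin/bash -c \'uname -a\'" "curl/7.68.0"',
]

if __name__ == "__main__":
    for finding in find_shellshock_attempts(SAMPLE_LOG):
        print(finding)
```

Run against a real access log, the cgi_target flag separates probes that could have executed (a script existed at the path, status 200) from blind scanning of static content, which is the triage split the video's Nikto hit implies.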
Info
Channel: John Hammond
Views: 74,034
Id: TS_yfDqr_3s
Length: 35min 10sec (2110 seconds)
Published: Tue Oct 27 2020