TryHackMe! Basic Penetration Testing

Captions
I want to introduce you guys, if you haven't heard of it before, to tryhackme.com. So let's jump over to my screen here; I want to show you guys this. tryhackme.com is an awesome new... I think it's new, I think it got started just a little bit ago, but it's an incredible learning platform for cyber security and hacking and penetration testing and CTFs and all that stuff. It's very, very much similar to Hack The Box, in that there is a network you can connect to and you'll interact with all these different machines and computers and systems and enter in and work with them, in some cases try and break into them, try to hack it, right, TryHackMe. And honestly I feel like there's a lot of really cool stuff in this and I wanted to showcase it to you. I want to do one room; that's what they call some of their activities, or some of the other events and exercises and things that are just happening within the site, within the platform. It's really cool, so here we go. If you first register an account, you can just go to tryhackme.com; there's a registration button up on the top right, and it explains to you kind of the concept of this: rooms. Rooms are kind of virtual classrooms that are dedicated to different cybersecurity topics and things, and a lot of times they can be certain penetration testing or web app hacking or any other security-oriented thing. It's just a way to learn, it's a vessel. You might think of it as like a box on Hack The Box, or essentially a CTF, because you'll have some challenges or tasks and assignments given to you within each of those and you'll have to find the answer or the flag, whatever the case may be. So you can just go view some of the rooms and jump in them, and you can see other activities that are going on; that's the tab to go find those things. And honestly a lot of these are community oriented, so if you wanted to create a room or some training pipeline you could do that. In fact, honestly, I feel like I might want to sometime in the
future. I think that'd be really, really cool. There is a commercial rendition of TryHackMe, and there is a free edition of it where you can go ahead and access it and use a lot of the training platforms for free. There are free rooms, but there also are, of course, some pro rooms, or kind of that subscribed thing: people that have a subscription can have access to the VIP server and access other rooms or specific things. One really cool thing: you can actually deploy your own Kali Linux machine, a virtual machine you can access in your browser, if you don't spend the time creating that environment on your own, or whatever the case may be, you just don't have the material, the hardware, or whatever. That's, I think, an awesome thing, and you actually can access it in a different way, so I'll show you that super duper soon. Subscribing is only ten dollars, or I guess, what is that, eight... I'm so bad at these currency symbols. Eight pounds, that's what it is, eight pounds a month, and it has the following benefits: the pro content, the Kali Linux machine, and paths, which is another kind of like "here's a pipeline for you to learn specific things or specific subjects", and of course you can keep in control the machines in your browser or spin them up a little bit faster. So it's very, very cool. It does require you to have a VPN connection; honestly that's not new, you've probably seen that in Hack The Box or in some CTF. So it's very, very cool, and we'll get right into it, we'll dive into it. I'll show you that OpenVPN stuff, getting into your access page. Let me actually pivot to my other logged-in page, because I actually have my account, and then I have the account that I want to show you guys some of these video tutorials in. So this one that I have is with that VIP or subscribed thing. I think you should do it; it's totally worth it. And I didn't want to have all my answers already filled in in the boxes, I mean the rooms that I've gone through, so I had that other page so I can show you; we're going through it in a
clean slate. But let me show you that Kali machine again. This is only something that you could spin up if you have that subscribed rendition of TryHackMe; it's a subscription-only room. It's worth it, but I think this is a really cool perk: if you're using the Kali machine, you don't have to bother connecting with the VPN, because the machine already lives inside that TryHackMe network and it's surrounded by all the other deployed machines. So it has a 2020 version of Kali Linux, which is awesome. That's, I think, using, what is it, it's XFCE that that jumped into, isn't it? So if you hit the deploy button, just that green little cloud up there, it'll go ahead and start it up, and this is really cool. All right, I'll let this initialize while I read some of the things you can do with it. You can access it through RDP, so if you need that graphical user interface you have credentials for that, and you can go ahead and SSH to it, which is also awesome. In that case I think you probably do need the VPN connection so you can access it. Yeah, yeah, you would need to... or can you just SSH straight into that? Let's find out. I'm gonna learn too; it's just a learning video, man. We'll do that once it boots up. And it tells you a little bit about what the machine is built with, how much RAM it has, etc. etc., and hey, don't do anything bad, play nice, right, no illegal activity. You can of course access the 2018 version if you're more interested in that, I guess GNOME, yeah, the GNOME desktop environment. So I'll let this finish initializing and we can jump into it, but honestly I think it's super cool how quickly they can do this. All right, so now my machine is started. I can see my Kali cursor, and if I move just out of it, it looks like it goes back to my regular cursor, so that's kind of cool. It's fully in the browser, nice and easy, and you can see it's just Kali; it's just Kali you can interact with in your browser. That's awesome. If you want to hit that "access in browser" you can pop it up in a bigger window, but
seriously, look at this: ls, whoami, doing things, hack the planet, check it out. "Access in browser", now you get a full-screen one, so it's like you're really using the machine without needing to spin up your own virtual personal environment. Very, very cool. Let me see if I can SSH into that; I think that would be a cool thing, root and tryhackme. So let's try that. Do I have that IP address accessible to me without being in the VM and the VPN? Oh, and let me grab that password again. Yeah, and we just jump right in. Oh, that's awesome. So that is the Kali machine that you can just spin up if you have the subscribed version of TryHackMe. All right, let me pivot to my other browser here that I want to use to go find and track down the Basic Pentesting room. You can take a look at some of the other rooms that they have; it's awesome. They actually had an Advent of Cyber thing, like, you know, those 25 days till Christmas: cracking hashes, learning about Metasploit, the Kali Linux one, OWASP Juice Shop, Alfred, some Wireshark stuff, reverse engineering, DVWA. Look, I think they just had a really cool collection here. Basic Pentesting is the one I want to jump into, so I'll click on that and I will join the room, just that green button. Okay, I'm not gonna use the Kali Linux VM in this case, because I want to show it to you as any player could, anyone that is using this with a free account. So we would need to go ahead and deploy this and access our OpenVPN configuration file. Okay, spun up now, and now let's go to the OpenVPN configuration file page. Let me go ahead and download this. I'll make a directory for this, I guess; let's make a THM directory, download this, save it into THM. All right, now I can sudo openvpn... oh, I'm not even in the directory, what am I doing? I'll enter in my password so I can sudo just fine with that, and now I am connected. All right, so I'm using Terminator, so I'm going to move that up to the very, very top with the split screen and I'll amp that up so you guys can
see it. Now, if it'll refresh that page to tell me "hey, you are connected" when I check out that network information... sweet. Let's go back to my rooms now, because Basic Pentesting is a room that I am in and I can access it with just that. We have the IP address, so let's go ahead and take note of that. I'm actually gonna start to take some notes. What I like to do here is just sort of a README for each of these that I work through. Let's call this Basic Pentesting. I'll say the IP is just this, and then let's start with scanning. Okay, can I even ping the machine? Seemingly no. There's something, a little bit more time, I'm still connected... there we go, all right, it's up now. All right, let's do some nmap scans to start with. I'll use nmap -sC -sV, for default and safe scripts, or default scripts, that's what it is, and show the version numbers, and I'm gonna output it into "initial". Let me go ahead and create an nmap directory to do that in first. Now I will run that command: -sC, -sV and -oN initial, so we know what we're up against for this box. I should actually supply an IP address; there we go. Okay, now our nmap results came back. Looks like we have a lot of information here. I saved that in nmap/initial, so let me go ahead and open that up and we'll see what we're working with here. We have port 22 open, so SSH; we could connect to it remotely. It also has port 80 open, so it's running a website. It has Samba open. Looks to be Linux, okay, host is called BASIC2 and seems to be... all right. So what I like to do is actually just kind of keep note of these. I'll just have like an "open ports" section: we saw 22, we saw 80, we saw 139 and we saw 445. Yep, okay. So now we can go ahead... let's actually go and interact with that website that it has up and running. Let's see if I can open that up in my browser. I'll create a new tab and I'll jump in there. It says "undergoing maintenance, please check back later". I'm gonna hit Ctrl+U to view the source, or just right click and view page source. It says "check our dev
notes section if you want to know what to work on". Our dev notes section? I don't know where that might be. We could try to go to like /dev or something. Okay, that's not right. Oh, it does tell us this is an Apache server running on Ubuntu. So because we don't know what other paths might be in there, let's go ahead and run a tool that we could actually try and brute force these locations with. I like to use DirBuster; I've also recently just started to use gobuster. Let me do that. I'm gonna use gobuster, and it tells me "hey, we need a word list and a domain name to actually work with". So I'm gonna use gobuster with the same word list that I would give to DirBuster: directory-list-2.3-medium. And the URL should be... it's that 10.10.10.180... 10.10.100... there you go. Okay, now gobuster is gonna run and we'll let that go for a little bit of time. I'd like to do some other enumeration, so because we knew that 445 is open for SMB, well, we can go ahead and start another scan. Oh, it actually just found a result, though: it found "development". So let's pivot and just go see what's in development. Got a 301, so it's gonna redirect it somewhere or something. Let's see, /development. Ooh, we have some directory listings here. Now we can see these text files: dev.txt and j.txt. Let's see what dev is. "Since I've been messing with that Struts stuff, it's pretty cool, I mean here we go, web apps; yet I'm using version 2.5.12 because other versions were giving me trouble." Is that the one that's insecure, Apache Struts? Okay, maybe we could use that. And "-K: SMB has been configured." Okay. "-K: I got an Apache setup, we'll put in our content later." Okay. What are we even being asked to do? What are kind of the prompts inside of this room here? We can go see. It says "deploy the machine and connect to our network". Okay, we did that; we get it completed. We can just kind of mark these if
we did them; some of them don't need an answer, "no answer needed". "Find the services exposed by the machine": we did that with nmap. What is the hint, does it tell us? Oh yeah, "use nmap". That's awesome. One of the things I really, really like about TryHackMe is how open and transparent it is with your learning. Like, even if you get stuck, they'll willingly give you write-ups, community written, community produced, if you want to click on that, if you got stuck on something, if you wanted to. There's no shame in this; the whole point is to learn, the whole point is to practice, and I think that's awesome that TryHackMe is open about that. Okay, let's get back to it. "What is the name of the hidden directory on the web server? Enter name without /". Oh, we just found that; that is "development", which we can go ahead and submit. Yep. Now let's mark that other one as completed too. "User brute-forcing to find the username and password". Okay. "What is the username?" "What is the password?" Okay. "What is the name of the other user you found?" "Finding the vectors for privilege escalation", and "What was the final password you obtained?" Huh. This is good, because it also shows you the asterisks, which is like the kind of length, so you have at least an idea of what it's looking for. That's kind of cool. So let's get these usernames. We found development, and it looks like there's nothing else that we could particularly look through. What is that j.txt? We didn't see it: "I've been altering the contents of /etc/shadow to make sure we don't have any weak credentials, and I was able to crack your hash really easily. You know our password policy, so please change it. For J, -K". Huh, okay. So let's go try and figure out what those users might be. We know we have other ports we can enumerate and access. We could use brute force, random stuff on SSH, but that wouldn't help us much. Let's try and jump into the SMB, or see what we can access with that. When I do that I like to use enum4linux; that should already be in
your path if you're working in Kali. I like to just go ahead and use it from my opt directory, because I'm on Ubuntu here, and I'm just gonna grab the IP address again, 10.10.100... I don't want the HTTP nonsense in there. I use -a to do everything in enum, and I go ahead and pipe that to tee, so I've got an enum4linux log file and I can save my results. We'll go ahead and let that run. Okay, now our enum4linux scan has finished. I'm gonna go ahead and open up that log file that I saved it to, because the output from enum4linux is kind of hard to look at through the command line; there's a lot of noise and nonsense. So some of the stuff we already kind of tracked down: it's running Samba, we know the BASIC2 hostname. Let's keep scrolling to just some shares we get access to. IPC$, looks like, again that's private. Anonymous, hmm, I don't know about that one; we could check that out if we wanted to. See what other users that might track down: nobody, okay, we'd expect that. A lot of these are some kind of groups. Oh, and there we go: enumerating users using that specific SID, and we found a Linux user kay and a Linux user jan. Nice, okay. So that would help answer some of those questions that TryHackMe had for us. If we go back to that page, let's say "what is the username"; well, we had jan, you would submit that. I guess we can, yeah, we can mark that as complete too, and it asks for the other username, "other user you found", so let's put kay in here, and good. And now "what is the password"; we don't know that yet. "What service do you use to access the server?" Oh, that's gotta be SSH then, "access the server, enter an abbreviation in all caps", so SSH; it needed only three things. Okay, that's the correct answer. Oh, and we could probably try and brute-force, just as it said, brute-force the username and password. Since we know the username is jan, we could, and we know it's a weak password from reading that dev note, we could go ahead and actually hammer this with Hydra. So I'm gonna do that. I'm gonna say hydra;
if you run it, it'll give you a basic example usage of that command there. We could use hydra -l with jan, -P (capital P) to specify a password list, I'm gonna use rockyou, I don't know what I was typing just there, and then we need to specify the protocol and what we want to connect to, so it's 10.10.100... and it was 180, right? I promise I'll remember this eventually. It was 180, I got it. All right, now we will let Hydra go beat this machine up. If you don't know, Hydra is a password guesser, or it'll brute-force passwords by trying to connect to a service with given credentials, so you could specify a user file, or a list of usernames that you would want to try, and a password file, just as we did there. If you use a capital L, that allows you to, as an argument or parameter, specify a user file, or just a username with the lowercase rendition of it. Same thing with password: if you want to use the lowercase p, you could use one static password and go through a list of usernames, or one specific username, etc. And then the protocol you're gonna connect to, SSH or FTP, and I think it has support for some others; I think you can even do like web stuff, you can do like a form post, etc. Really cool things with Hydra, but that is what we can use to try and run through rockyou.txt and attempt to spray that service and guess passwords until we could try and log in with it. Okay, it looks like we got a credential. Looks like Hydra was able to successfully brute-force and actually log in through SSH with a password with the username jan. So it looks like we have found that jan has the password "armando". Armando? I don't know, I don't like to pretend. All right, "what is the password?" We can go ahead and submit that, armando, submit, and there we go, that answer is correct. Okay, so we could at that point log in to the machine now, right? So let's go ahead and take note of this. Let's say "found credentials", or we should actually note how we got all those answers. Questions and answers: hidden directory on
the web server, that is /development, found via gobuster. And let's get another one here: the usernames jan and kay via enum4linux, and then password jan:armando found via Hydra with SSH. There we go. Okay, so found credentials: we have jan and armando. That's all I've been saying, "Armando", and that's not how you say that whatsoever, because there's no... again, it's armando. All right, let's SSH in. Lab machine, we can SSH to jan@10.10.100.180, yes, we want to do it, and armando is the password. There we go. All right, and we are logged in as jan to BASIC2. Let's stop this stupid gobuster; we don't need to do that anymore, we're logged in. And let's see what we got. Okay, seemingly nothing in their home directory. ls... history, let's check out what that is. Oh, we can't, okay. It's owned by root and we are not root, and only root can read and write to it. Interesting. Let's check out /etc/passwd, just a manual kind of bumping around: tomcat is in there, kay is in there, we see that. Okay, can we do anything with sudo to privesc? Nope, we cannot run sudo on BASIC2. Okay, well, we can't read /etc/shadow. Can we see any other users' home directories? Let's move into kay. We can move into kay. Oh, she has a pass.bak file. Can we read that? No, we cannot. She has a .viminfo file; cat .viminfo, I still can't read those. All right, well, to speed up our enumeration process, typically when I get on a machine I like to run LinEnum, or now kind of the new one, LinPEAS. I can show you that LinPEAS GitHub, one of the privilege escalation awesome scripts. These are hilarious, I love that image. LinPEAS and WinPEAS; LinPEAS will let us do this in Linux. It has a .sh script we could just go ahead and run, and it's pretty pointed: it gives you a nice highlighted color output as to what things could be used as a potential privilege escalation vector, etc. etc. So I have that currently just in my opt directory, with linpeas and winpeas, so we can go ahead and actually scp that over,
though. Let's scp it, because we have jan's credentials through SSH: jan@10.10.100.180, and we just specify the file that we want to bring over, so linpeas, linpeas.sh, and let's go ahead and put it in /dev/shm. I like to put things in /dev/shm, the shared memory; it works well for us. Okay, it looks like that copied over. Let's go check out /dev/shm, and there it is, all right, linpeas. Oh, I lost... yeah, okay, cool. Let's mark it as executable. Now let's go ahead and run linpeas, ./linpeas.sh, and I'm going to tee that to a file so I have the output, lin.log.txt, and let's go. Okay, so that's gonna run through a ton of stuff. It'll make our lives a lot easier, because we won't have to do that manual enumeration all on our own, and once it's done we can go ahead and take a look through it. Actually, let me just scroll up now so you can get a good idea as to what this is doing and how. So LinPEAS gives you a little legend of what you're actually going to be looking at with the colors that LinPEAS gives you in its output. For things that are red and yellow, that is very, very much likely a privilege escalation vector. For things that are red, you should take a look at that, because if you explore it, do some manual stuff with it, you could probably find a route or vector in that. So scrolling through: we know the operating system; kind of an old version of sudo, maybe we could abuse that; PATH looks okay. I'm looking for those red and those red-and-yellow things, the nice quick easy hits that LinPEAS helps us figure out. Oh, it's interesting, we have a lot of Perl and Python in here, we have GCC, all right. So things running as root, those are the things we should check out. There's a weird one running as root, nmbd, that's kind of after Apache, which is peculiar. I wonder if there's other, like, local services or open ports only local to this machine. Services on... there we go, yeah, in the active ports you can see we only have one thing listening locally, and that's noted in red
for us here. Hey, here's... oh, here's a local loopback-address-only port that we could access, 8005; we can explore that. Superusers is root, obviously; users with consoles, jan and kay, which we found; all users: jan, kay and root. MySQL, nothing there. Ooh, looking for SSH files: port 22 for SSH, public key authentication is on, uses PAM, oh, and they have a private key for kay. So kay's .ssh directory has an id_rsa file which we could use to log in as that kay user. I wonder if we could actually read that. I was just in /home/kay, so let's take a look: ls -la. We could move into .ssh, and we can read her private key. All right, let's do that; let's cat that id_rsa file. There's a lot here: BEGIN RSA PRIVATE KEY. I'm gonna go ahead and just store this in a new file; let's say nano kay_id_rsa, let's paste that all in here, just a quick nano file, and then we can mark it as read-only by us, because that's how id_rsa and private keys like to be used for SSH. So ssh -i with that kay_id_rsa, with the kay user at 10.10... "enter passphrase for the private key". Okay, so this private key is password protected. What could we do to figure out what that password is? Enter John the Ripper, right. So John the Ripper, if you don't know, has a cool tool that comes with it, ssh2john, and you've probably seen a lot of these, between like jwt2john or zip2john for other things that John can still crack. Let's go ahead and say ssh2john with our kay_id_rsa, and now we have that hash that John the Ripper could understand, but not just the original file, so we have to run that tool before we give this file to John the Ripper to run. And so I'll call that forjohn.txt, or whatever, doesn't matter. Now we could go ahead and actually run john, the program itself, with that forjohn utility, or in that forjohn file, because we just saved all those hashes in it, in a thing that it could use. I should specify a word list here, and because we can use rockyou, let's actually do that. We can use --wordlist
= and I have rockyou.txt, which is a big, long dictionary file of common and known, kind of often-used passwords. So okay, and it found it right away: it found "beeswax". That is apparently the password for kay's id_rsa. So what is left in our room? Oh, all we need is that final password you obtain. Let's go get that. Now that we have a new user, maybe we have a little bit more access, so ssh -i, kay@10.10.100.180, and we'll want to use the passphrase beeswax. All right, and now we're logged in as that kay user, so we can ls, check out our home directory. Now we have access to that pass.bak file; it's owned by us, so let's check it out, and here is a really long, strong password that would follow the password policy. That looks like exactly what that last question might be asking for, and it is. All right, okay, well, we can mark those other ones as completed, and boom, we did it: we completed the Basic Penetration Testing room on TryHackMe. So I won't go through, I guess, like rooting this machine or doing anything with it; you might be able to drop some like kernel exploits or explore some other privilege escalation venues, like that weird port that we saw locally, maybe that has some good stuff for it. I just kind of wanted to make this video to show you guys TryHackMe, and I'd really like to do a lot more videos for a lot of this stuff. I think a lot of them are fun and really you can learn a lot. Obviously this was kind of a beginner, basic room here; you can see kind of the difficulty there, but I think there's a lot that you can do with this and I really like all the variety in the different kinds of rooms that they offer. So I hope you guys go check out TryHackMe if you haven't; please go do. If you're willing to kind of drop just a little bit to get that Kali machine, maybe that'll come in handy, and the speed to work with the machines actually really, really does help when you're trying to scan things or spin up the virtual machine;
you could see it took me a little bit to go through a lot of that. So go for it. I really hope you guys enjoyed this. Thank you guys so much for watching. If you did like this video, please hit that like button; if you didn't, don't do anything, rewatch it again until you like it, just keep watching the same video until you decide you like it. A comment would be great to see; I'd love to hear your feedback, constructive criticism. Subscribe, maybe Discord, Patreon, PayPal, Instagram, Facebook, LinkedIn, I don't know. Thank you guys for watching, I'll see you guys in the next video. Take care. [Music]
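The Hydra run in the walkthrough has a footprint on the target: a burst of "Failed password" entries in the SSH server's auth log from one source, followed by an "Accepted password" for the same user and source once the guess lands. The script below is an added example for the defender's side of that step; it is not from the video, from TryHackMe or from the Hydra project. It parses classic syslog-style auth.log lines (the `year` parameter is an assumption, since syslog lines carry none), keeps a sliding window of failures per source address, and reports both the source crossing a failure threshold and any login that succeeds while that window is still over threshold. All log lines are constructed samples.

```python
"""Flag SSH password guessing in auth.log and logins that follow a guessing burst.

Added example, not from the video or from TryHackMe. The log lines below are
constructed samples; the target hostname, addresses and PIDs are made up.
"""
import re
from collections import defaultdict, deque
from datetime import datetime

# Classic syslog auth.log format as written by OpenSSH; the "invalid user"
# prefix appears when the account does not exist on the host.
LOG_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d{2}:\d{2}:\d{2}) \S+ sshd\[\d+\]: "
    r"(?P<result>Failed|Accepted) password for (?:invalid user )?(?P<user>\S+) "
    r"from (?P<ip>\d{1,3}(?:\.\d{1,3}){3}) port \d+ ssh2$"
)

# Constructed: 10.9.0.5 plays the guessing host, 10.9.0.7 a user with one typo,
# 10.9.0.9 a single probe of a non-existent account, plus one unrelated line.
SAMPLE_LOG = [
    "Mar  4 13:05:01 basic2 sshd[2001]: Failed password for jan from 10.9.0.5 port 51234 ssh2",
    "Mar  4 13:05:02 basic2 sshd[2002]: Failed password for jan from 10.9.0.5 port 51236 ssh2",
    "Mar  4 13:05:03 basic2 sshd[2003]: Failed password for jan from 10.9.0.5 port 51238 ssh2",
    "Mar  4 13:05:04 basic2 sshd[2004]: Failed password for jan from 10.9.0.5 port 51240 ssh2",
    "Mar  4 13:05:05 basic2 sshd[2005]: Failed password for jan from 10.9.0.5 port 51242 ssh2",
    "Mar  4 13:05:06 basic2 sshd[2006]: Accepted password for jan from 10.9.0.5 port 51244 ssh2",
    "Mar  4 13:10:00 basic2 sshd[2100]: Failed password for kay from 10.9.0.7 port 40000 ssh2",
    "Mar  4 13:10:30 basic2 sshd[2101]: Accepted password for kay from 10.9.0.7 port 40002 ssh2",
    "Mar  4 13:11:00 basic2 sshd[2102]: Failed password for invalid user admin from 10.9.0.9 port 41000 ssh2",
    "Mar  4 13:11:01 basic2 CRON[2103]: pam_unix(cron:session): session opened for user root by (uid=0)",
]


def parse_line(line, year=2020):
    """Return {ts, result, user, ip} for an sshd password event, or None for other lines.

    Syslog timestamps have no year, so the caller supplies one (assumed 2020 here).
    """
    m = LOG_RE.match(line)
    if m is None:
        return None
    ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
    return {"ts": ts, "result": m["result"], "user": m["user"], "ip": m["ip"]}


def detect_bruteforce(lines, threshold=5, window_seconds=60):
    """Return alert tuples (kind, ip, user, failures_in_window) in log order.

    "bruteforce" fires once, when a source's failures inside the window reach the
    threshold. "success_after_bruteforce" fires on an Accepted event from a source
    whose window is still at or above threshold; that is the highest-signal case,
    because it means the guessing worked.
    """
    recent = defaultdict(deque)  # ip -> timestamps of failures still inside the window
    alerts = []
    for line in lines:
        ev = parse_line(line)
        if ev is None:
            continue
        window = recent[ev["ip"]]
        while window and (ev["ts"] - window[0]).total_seconds() > window_seconds:
            window.popleft()  # expire failures older than the window
        if ev["result"] == "Failed":
            window.append(ev["ts"])
            if len(window) == threshold:
                alerts.append(("bruteforce", ev["ip"], ev["user"], len(window)))
        elif len(window) >= threshold:
            alerts.append(("success_after_bruteforce", ev["ip"], ev["user"], len(window)))
    return alerts


if __name__ == "__main__":
    for kind, ip, user, count in detect_bruteforce(SAMPLE_LOG):
        print(f"{kind}: {ip} -> {user} ({count} failures in window)")
```

On the sample data the single typo from 10.9.0.7 and the lone probe from 10.9.0.9 produce nothing, while 10.9.0.5 produces one `bruteforce` alert at the fifth failure and one `success_after_bruteforce` alert on the login that follows it. The window matters: with `window_seconds=3` the same burst never holds five failures at once and nothing fires, which is the tuning trade-off between catching slow guessing and staying quiet on ordinary mistakes.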
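The step from jan to kay in the walkthrough worked only because kay's id_rsa was readable by another local account, and the passphrase was weak enough for a wordlist. File mode is the part an administrator can check mechanically. The script below is an added example, not from the video or from TryHackMe: it walks a tree of home directories, recognises PEM and OpenSSH private-key files by their first line, and reports keys whose mode grants group or other read as well as .ssh directories that are not owner-only. The fixture it builds in a temporary directory (users kay and jan, one exposed key and one locked-down key) is constructed.

```python
"""Audit home directories for SSH private keys that other local users can read.

Added example, not from the video or from TryHackMe. The directory layout
built by build_sample_tree() is a constructed fixture.
"""
import os
import stat
import tempfile

# Both "-----BEGIN RSA PRIVATE KEY-----" and "-----BEGIN OPENSSH PRIVATE KEY-----"
# end with this; it is enough to recognise a key file without parsing it.
PRIVATE_KEY_MARKER = b"PRIVATE KEY-----"


def looks_like_private_key(path):
    """True if the file's first line is a PEM or OpenSSH private-key header."""
    try:
        with open(path, "rb") as fh:
            return fh.readline().rstrip().endswith(PRIVATE_KEY_MARKER)
    except OSError:
        return False


def audit_keys(root):
    """Return sorted (path, issue) pairs for exposed keys and loose .ssh dirs under root."""
    findings = []
    for dirpath, _dirnames, filenames in os.walk(root):
        if os.path.basename(dirpath) == ".ssh":
            mode = stat.S_IMODE(os.stat(dirpath).st_mode)
            if mode & (stat.S_IRWXG | stat.S_IRWXO):
                findings.append((dirpath, f".ssh directory mode {mode:04o}, expected 0700"))
        for name in filenames:
            path = os.path.join(dirpath, name)
            if not looks_like_private_key(path):
                continue
            mode = stat.S_IMODE(os.stat(path).st_mode)
            if mode & (stat.S_IRGRP | stat.S_IROTH):
                findings.append((path, f"private key mode {mode:04o} readable by group/other, expected 0600"))
    return sorted(findings)


def build_sample_tree(base):
    """Constructed fixture: kay's key left readable by everyone, jan's locked down."""
    os.makedirs(os.path.join(base, "kay", ".ssh"))
    os.makedirs(os.path.join(base, "jan", ".ssh"))
    exposed = os.path.join(base, "kay", ".ssh", "id_rsa")
    safe = os.path.join(base, "jan", ".ssh", "id_ed25519")
    with open(exposed, "wb") as fh:  # placeholder body, not a real key
        fh.write(b"-----BEGIN RSA PRIVATE KEY-----\nPLACEHOLDER\n-----END RSA PRIVATE KEY-----\n")
    with open(safe, "wb") as fh:
        fh.write(b"-----BEGIN OPENSSH PRIVATE KEY-----\nPLACEHOLDER\n-----END OPENSSH PRIVATE KEY-----\n")
    os.chmod(os.path.join(base, "kay", ".ssh"), 0o755)
    os.chmod(exposed, 0o644)
    os.chmod(os.path.join(base, "jan", ".ssh"), 0o700)
    os.chmod(safe, 0o600)


def audit_sample_tree():
    """Build the fixture in a temp dir, audit it, and return issues keyed by relative path."""
    with tempfile.TemporaryDirectory() as tmp:
        build_sample_tree(tmp)
        return [(os.path.relpath(path, tmp), issue) for path, issue in audit_keys(tmp)]


if __name__ == "__main__":
    for rel, issue in audit_sample_tree():
        print(f"{rel}: {issue}")
```

Run against a real /home the same function reports only paths and mode bits, so it is safe to schedule; the fix for each finding is `chmod 700 ~/.ssh` and `chmod 600` on the key, which is exactly what the walkthrough does for its own copy of the key before using it.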
Info
Channel: John Hammond
Views: 1,840,574
Id: xl2Xx5YOKcI
Length: 30min 13sec (1813 seconds)
Published: Wed Mar 04 2020