TryHackMe! Buffer Overflow & Penetration Testing

Captions
Hello everybody, this is John from the future. I'm doing a little quick edit at the beginning of this video so I can include this little announcement. I'm really excited about this, I hope you guys are as well. The past couple days I just spent some time building, creating, developing a TryHackMe room, so I'm very very excited about this. I kind of have my own custom one out there. It is being released tomorrow, May 20th, or sometime around then hopefully, you can keep an eye out for it and check it, but uh, Peak Hill is a new room that I'm very excited about. Peak Hill, P-E-A-K H-I-L-L, and I am pleased with it. It sounds like everyone that playtested it had a lot of fun, so I'm really looking forward to it. I hope you guys go check it out, and I'm so so grateful for your support. Thanks so much, I hope you guys enjoy the video, take care.

Hello everyone, my name is John Hammond and welcome back to another TryHackMe video. In this video I want to be taking a look at the Cod Caper room. It is a free room, so you do not need to be subscribed to access it. It says it is guiding you through infiltrating and exploiting a Linux system. So I have it deployed already, I'm joining this room and I've got a little IP address set up and created for me. The background on this, and this is a good guided one, it explains: hello, my name is whatever that is, I've come here to put in a request to get my fish back. Exciting. Looks like he's banned from something, etc. etc. So it looks like we need some basic pentesting knowledge and we're not gonna be going through every tool in detail, so let's just jump in. Okay cool, we've read that. Let me move over and make a directory for the Cod Caper, caper, and let's get a little readme going. Let's see, where's my Sublime Text? Okay, so the Cod Caper, "code caper", that's also cool. Kate, I, you know, I can't type. I don't know why you guys even follow, I don't know, I don't know why you even watch this, this series, this YouTube channel. I don't know if you can hear that ambulance driving by, but that's totally getting in the way.

Task one, no answer needed. Task two, I'm just, I just like to have some documentation, sorry, I know it's stupid. Host enumeration, looks like we want to go ahead and run nmap. Okay, so I should probably start that up. Let's create an nmap directory, let's go ahead and get that IP address in the scope for our terminal, and let's fire that off, nmap initial on the IP address. Okay, I should be able to ping him just fine, I believe he's up already. Yep, okay cool, so let's let that go. How many ports are open on the target machine? Well, that's scanning. Let's just kind of throw these in our little write-up here. I'd like to do this even if it's just crappy, because hey, you might be able to just kind of throw this up on GitHub or Medium and be like, yo, this is my write-up of this thing that I did, and you can put in as much as you want to in this. I just like to slap in like nmap scan results if it's on a separate file or any of those things, but I just like to have an extra copy of all of these answers when I go back to them. This does discuss a little bit of nmap, showcasing some of the arguments and switches and parameters you can give to it. I think I've covered nmap a lot in a lot of my different videos and I've used it all the time, so that -sC, script, that I always throw in will run default scripts on the port. The -A will go into aggressive mode, that will try and get as much information as possible. Anyway, let's go see what we've got here. Only two ports, it seems. Okay, so 22 and 80, there are two ports on that box. Let's go ahead and slap that in as our answer. What is the HTTP title of the web server? So with that default scripts, -sC, it did already track that down. It's just the Apache2 Ubuntu default page, so let's go ahead and copy that string and slap that in as the answer. Yeah, we can keep note of that here. What's the version of the SSH server? OpenSSH, seemingly Ubuntu. Throw that guy in, I don't think we need the parenthetical. Okay, that looks like more of the format that TryHackMe needs. Did I throw that in the wrong spot? What is the version of the SSH service? Oh, I totally missed a box here, you guys should have told me. I should have just screamed at your computer screen, and obviously I would have heard it. Version of the web server, do we have a version? Yes we do. Okay, let's steal output from nmap, slap that guy in. What format does that need to be in? Oh, looks like that, the server header, is what it's asking for maybe. Yeah, okay cool. I like that TryHackMe gives you these little asterisks and helps you showcase what you're really trying to submit.

So because we know that this is running Apache, or it has a web service on here, we can go ahead and kind of brute force directories or some files or content that might be available on that website. They actually give us a link here, so let's go ahead and download that for the wordlist that we will use to go ahead and pull down, or try and hammer the website, to see if there are any actually interesting text files that might potentially be there, or PHP files or directories or anything that we'd like to look for. gobuster is an awesome tool to do that in, so I'm going to go ahead and fire that up. I'll use gobuster, -u on HTTP, our IP address, I'll use the wordlist of big, and I'll supply some extensions here because they kind of suggested it: sh, txt, cgi, js, css, html, maybe some Python files, whatever we might happen to want to search for. Let's see, we got: what is the name of the important file on the server? Hmm, I don't know. Task 3, just slapping these answers and questions in for good documentation. What is happening? What is going on? A lot of nonsense in here, failing to parse some stuff, that is not what I expected. Okay, is it adding more to that? No, it is, yeah, it definitely is. Maybe I don't need to look for all of those extensions. Maybe let's just look for PHP, txt and HTML. Holy content, I have no idea what that could be, because that's a long, long filename and
obviously a 301. Could be PHP, it could be txt. Let's go take a look at that web server though, let's go see what this website actually has to be displayed on it for us. That default page, that's why we're running gobuster, I'm a fool. What is going on, guys? What is all this? All right, let me pause this, diffuse out.

Okay, so I realized the error and I realize kind of my mistake. I'll show you just kind of my troubleshooting process. I redirected the output, or the standard error, of gobuster to /dev/null and just grepped for 200 so I would only be able to see things that had a successful return, and then I was like, what is that big list actually returning for me? And I realize, oh, it is an HTML file, it is not a wordlist. So the fact that I used wget probably kind of borked that, so let's go ahead and redownload that, and ideally that will work better now. Okay, it's not an actual text file, that's, that's exactly why. Now that that's moved in Downloads, let's copy that over here. Let's move our Downloads big.txt into this guy. Is he still going? No, he's good. What do you mean it's not downloaded? Where'd you put him? Whatever. Oh, I put him in my home directory. Google Chrome, how could you do this to me? All right, so now let's fire that back up. Hopefully that should work. Some learnings, some mistakes, and I was trying to be nice and clever, but I was using a simple wget. That big.txt was misleading, I thought they were giving me a real text file, not at GitHub, like, I guess I should have looked. Let's blame me. So what is the potential interesting stuff in here? .htpasswd, it seems kind of peculiar. .htpasswd.txt might be useful. Well, PHP I probably won't be able to read. .htaccess is all accessible, that one in here, how about .htaccess.php? Nope. Okay, guess we're still gonna be waiting. Can I access those? Can we go see what those have? Let's go back to that, uh, let's go back to that website. See, we got there's our flat page. Let's check out .htaccess.txt. I'm not allowed to view those. I probably should have known that by looking at the status. We'll stand by, I'll keep waiting for gobuster to finish that up. Okay, so now I see an administrator.php, that sounds like the right number of characters and is probably an interesting page, so let's try that guy. Looks good. All right, let's throw him in our notes here and let's keep moving on.

Web exploitation. The admin page seems to give us a login form. In situations like this it's always worthwhile to check for the low-hanging fruit. In the case of login forms, one of the first things to check for is SQL injection, so they actually showcase sqlmap here and they suggest using the -u argument to specify the URL, dumping stuff with forms, or just grab everything from the database. So do I actually have sqlmap installed here? I only have used it in a bit. sqlmap? Nope. All right, let's fire that up. It's probably not the best to take it from the repositories, it would be a much better idea to pull it from the GitHub repository, but I just kind of want to move through with some speed here, because I think we've dawdled enough in this video. All right cool, sqlmap, why do I keep doing that? Now that you're in my path, great. Let's fire that up. The IP address is this guy, so let's fire that, and sqlmap -u. Let's go take a look at that page first and see what it actually looks like. administrator.php, okay, it just needs a login, but it's probably vulnerable to SQL injection. Let's try SQLite. Nope. Let's try regular SQL. Try again, 1=1. Try again. Does it need to be in the path? Okay, let's just run our stinking sqlmap. Try to, let's use --forms, and that needs to be on the administrator.php, using --forms because there isn't an argument through that we're passing, this is all through POST, so we won't be using anything after, like, a question mark var=value in here. It's going to be determining it on the form on the page here because it's a POST method. Go, yep, test that form, do it, do it, fill it with random data, figure it out. Looks like the backend database is MySQL. Do you want to skip payloads? My face is in the way. Yeah, we want to skip payloads, we don't need to do that stuff. Yes, go ahead and continue with all the tests. sqlmap likes to be very inquisitive, it's very very curious. Let's see if that gets new results for us. Okay, sqlmap seems to find some things where it's thinking a POST parameter is injectable, but it's asking do you want to try with random characters rather than null values, and I say yes, that's totally fine, just keep beating it up and maybe you'll track down a potential injection. Great, now it figured out that the username variable is vulnerable and we can inject into it. Do you want to test any others? I'm going to say no here. And do you want to exploit this SQL injection? I'm gonna say yes, and now we have that kind of payload saved in cache, the SQL injection, and can use it later. I do want to specify the -a, because that will dump everything from the database, as it said. Not --a, or just a regular dash, just -a grabs just about everything with the database. Let's grab it all, let's see what you can get. You will probably need to go select and enter everything that it already found. Test parameters don't need to be injectable, you already found this, you already figured this out. I hate doing this because when I use --forms it doesn't particularly have an idea what I'm referring to. Let's just try and use --data, is that a thing? Let's check out the man page for sqlmap. Mmm, data string, data to be sent through POST. So I'll use --data and username= so we can supply that field. I'm going to use an ampersand here and password. Because I'm using that ampersand, bash might interpret that as me trying to background a job, so I may use single quotes here, and let's see if that gets the exploit in. Okay, so now I can use -a and start to leak out everything. So that -a, as was suggested in the text here, will retrieve
some password. Do you want to store hashes to a temporary file for eventual further processing with the database tools? Yeah, that's fine. Go ahead and perform a dictionary-based attack on those password hashes, feel free to do it with the default dictionary. No, we don't need to use password suffixes. Let's see if it tracks anything down. So maybe this is a hash for root. Oh, looks like it cracked some passwords here. Okay, root password is simply root, and maybe that will work, maybe that is the answer. Okay, so it's dumping out all the privileges, wow, there's a lot of stuff in here. I've never actually used -a for sqlmap, that's kind of cool. It's his password, oh, it's not just straight root. We know the admin password. How many forms of SQL injection is the form vulnerable to? We found three: the time-based error, the blind error, the error-based, or injection, time-based injection, error-based injection and blind injection. It's retrieving a lot of stuff, I don't know if I want all of those. Can we just dump the database's name? Or maybe it is, maybe this will be helpful. I'll just leave it on and we'll pause. You know what, that is taking a long, long time and it's getting some useless things I don't care about, so I am gonna break that, and let's just use --dbs to leak out the databases. information_schema, okay, it already found some of these. Let's just use -D users, and then, sorry, -D users and then --tables to dump out the tables. There we go, so users. Okay, now I can specify -T for users and let's dump that out. Username, password, there we go. Okay, so username pingudad and password is secretpass, so let's slap that in. And pingudad, pingu dad, wow. All right, I'm going to steal that syntax and just kind of slap it in here for our notes. Let's see, actually, also keep track of that command, I'll copy and paste that guy. There we go, and I guess I won't bother filling those in.

Let's do some command execution. It seems we've gained the ability to run commands. Since this is my old PC, I should still have user accounts. From a few test commands, and try and get probably just what's going to allow us some communication, like some ability to actually run commands on the admin panel. Now that we have login credentials we could probably do that, that's totally fine. Okay, so if we wanted to run commands we could just run ls and kind of see some things around here, but we could try and get a shell. So what I'm gonna do is I'm actually just going to fire up Quake and use my poor man's pentest, because it looks like if we have that netcat on the box we could slap in a netcat reverse shell and then go ahead and get that connectivity. So now that that is accessible for us, let's try and see if we have Python. python -c print, oops, please, sub son, I suck at typing. That works, so let's go ahead and stabilize this shell and now we should have a usable utility. Okay, what is it asking for? Following this, how many files are in the current directory? We saw three here. Do I still have an account? Let's cat out /etc/passwd and see. Pingu, he exists, so let's say yes. I'm assuming that's it cuz it's three letters, yep, that's fine. What is my SSH password? Well, let's go into /home, and he has a home directory, so let's go check that out. Is there anything in here? There is nano, that's a directory. It also has .ssh in here. What is SSH password? Would it be, he doesn't have any bash history. gdb history, which is kind of interesting, maybe he has something in, ls -la, nothing in here, so no history in that. Well, we could go ahead and get his SSH key, maybe that has a password set on it, maybe that's what it's referring to. Let's cat out that id_rsa key so we have his private key, and let's go ahead and create a directory to actually interact with that. That put me in my Cod Caper directory because that is where Quake tends to live. So let's say pingu id_rsa, slap that in, make that something that SSH is willing to use, and let's actually grab our IP address because I'm in a new shell, so I can ssh -i that guy, pingu@ the IP address, log me in please. Yep, that's totally fine, and he needs a password. That's not secretpass again, is it? Could we brute force that with Hydra? What am I missing? Why do I not see his password? Well, if I go back and read the prompt here: assuming my father was modified to go over my OPC, I should still have a hidden password stored somewhere. We don't know where it is, so we could find it with find, search for files that a specific user owns. So let's go to the root directory and let's do find directory, user, -user pingu, and let's force all of that bad noise to /dev/null and let's see if he has any files that he owns. It might take a little bit of time to come through. No, cache, is that it? No. It'd be weird to see it in gdb history. Whatever, let's just freaking get LinPEAS in here, because I'm not seeing it in that. Now that we have LinPEAS, let's mark that as executable, run it and tee that to lin.log so we have some saved output, and let's look for some interesting things. So the MySQL database is in there. papa, that's the other user. Those are all the MySQL strings we were able to determine already. That's all, ah, the private SSH key, yep, we've got that, but we need to know his password. Maybe there is some stuff that papa owns that is interesting. Oh, /var/backups, shadow.bak, let's take a look at what that guy is. I can't read that.

Okay, okay, after a good while of looking around, I think I found it. Ended up finding it manually in the /var directory with a little hidden folder named hidden, and there was a pass file there, and it is a ping you up ping you, so that is the password. There we go. I guess I had not found that because it is not owned by pingu, it is owned by the www-data user, which I guess, I, maybe I'm just stupid, maybe I just didn't think of that. But obviously if we were to go run our find command again, and I tried to add some other arguments, like hey, why can't I find this? Apparently the user is not pingu, it is www-data. So let me
this guy, there we go. Interesting. Okay, that's that. Now we could totally SSH into that machine, so let's ssh -i that pingu id_rsa and to that pingu user on the IP address, and checking that password again just to jump in here. There we go, now we are logged in via SSH. So it's telling me to go ahead and do some LinEnum. I would do the same with LinPEAS, so that should still be executable, we can go ahead and run it one more time. It's apparently looking for interesting SUID binaries. Maybe I had not found it or it just didn't look for it due to checking passwords, or there might be some peculiar ones in here. SUID, the group chfn, looks like it has an interesting path with a long name in the middle, secret root. That one that I found earlier, I don't know why I missed that. Let me go ahead and add some more time to this, because it has taken me way too long to go track through this. /opt/secret/root is what we're looking for. Good, looks like this is a binary. Can I go check that out? Can I hop over there? Hello? ls -la, file root, I can execute it, it is a binary. Able to grab the source code from my dad's flash drive. It has a shell function, interestingly enough, that will go ahead and cat out the /var/backups/shadow.bak, which looks like a backup of /etc/shadow, and will read an input. Okay, so this looks like a classic buffer overflow.

So what's going through in the TryHackMe walkthrough, explaining this, is what you could do with pwndbg or some added plugins for gdb. I've showcased a couple of command line Linux buffer overflow things before, so what I'll end up doing is actually just using readelf to go ahead and determine the address of that shell function and then doing kind of their trick to exploit manually using Python and print all that out. It looks like they have Python 2 in here, so that should be accessible. If we were to do it with Python 3, let me check if Python 3 is in here. It is, okay, great, so I'll use Python 3 in that case, hopefully get that right. Do we have readelf? We do, so let's go ahead and readelf the symbols on that binary here, and the shell function has this address. So if we were to use cyclic, which I don't know if we have, okay, we do, because it gave us pwntools in here, nice. Gonna check for some versions of pwntools, which, this machine probably doesn't have internet so that won't work. We totally don't have Metasploit, but we can go ahead and use pwn cyclic on our own machine. So let's get cyclic 50 and let's throw that at the binary. The www-data shell I guess I don't need anymore, so let's echo -ne that cyclic pattern into root and see where it crashes. We get a segmentation fault. I'm gonna run dmesg to go see where that's at, and then I'll go ahead and cyclic, I think it's -l to look up, and I think it needs a 0x in here, or maybe it doesn't. Okay, sub pattern must be 4 bytes, so it totally does. Maybe it's -q or -p, -l, hello? Oh, that might be whining because it's doing some Python 3 things and maybe that is specific to Python 2. Okay, so now if I use that lookup and I'll use 0x here, 44 is the offset, which is good because that matches kind of what the TryHackMe room was walking us through. So we know our readelf -s on root with the shell function, oh, shell, so that is the address that we need. So Python 2, let's go ahead and print out nonsense 44 times to get to the offset where we can go ahead and grab the instruction pointer, and now let's import struct over at the beginning of that so we struct.pack and make that, and some bytes we could supply, use 0x to include that, close that, and that. So now we have the raw bytes and we'll go ahead and pass that to the root function, which will cat out the backup file for us. There we go. We could do that with pwntools just as easily, and that's the next section that they discuss. They actually offer the script here where they're doing that. They use pwntools to create a process, grab the ELF file so it has the binary, and search for the actual address of the shell function, and then do a really cool technique. I actually haven't seen that fit function before. It'll fit 44 characters and then grab the shell function right after it, so that's kind of neat. Then it just sends it along and makes it interactive. So same sort of technique, same thing, just some Python pwntools access, and there we go. I marked that as complete.

Now we need to go ahead and crack that hash. So they're using hashcat, I think I'm just gonna go ahead and use John. There we have papa here as his string, so I'll go back to my host and I'll just say subl shadow, I'll paste that guy in, and I'll use the John the Ripper in /opt, run/john --wordlist=/opt/rockyou.txt, and I'll run it on that shadow file. Okay, now I found the password, there it is, postman. So back to our shell, we could su to papa, enter postman as our password, and now we are papa, and submit postman here. What, what, what is the root password? I'm sorry, that's not papa. What can papa run? Can he escalate our privileges? Nope, we can't sudo. Well, what else could we potentially do then? Maybe in that output we actually had a root password. Could we crack that? Let's include that guy here, run that one more time, and let's see if John the Ripper could crack that. I guess I'll go ahead and go check out if there were any routes for privilege escalation with the papa user while that's going. And okay, actually John the Ripper was able to go ahead and crack that root password, and that answer is love2fish. There we go. Now we could just go ahead and switch user into root, use his password here, and is there anything in the root directory? Nope, so no root flag to go into. Looks like that's just a simple thank you and says great, we completed the room. So okay, that was that.

Wow, that took a little bit of time, I was fumbling a lot on that one. I hope you guys enjoyed. That was kind of cool to get a little bit of binary exploitation, or at least just a simple classic buffer overflow, and they do a really good job of showcasing the different ways to go about this. pwndbg is kind of cool. Giving you the source code, you can understand where that vulnerability comes from, and being able to go determine, okay, what's the address, and where can we track down all of that information to build that buffer overflow, in that classic exploit. Okay, that's that, that's all I wanted to cover. Thank you guys so much for watching. If you did like this video please do hit that like button, comment, do the YouTube algorithm stuff, please subscribe. I'd love to see you guys, let me see you in the Discord server, let me see you on Patreon, PayPal, LinkedIn, Facebook, Twitter, Instagram, all those other things. Thank you. [Music]
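The offset-finding step in the video (cyclic 50, crash, cyclic -l on the faulting address, answer 44) is what `pwn cyclic` does under the hood. The following is an added example, not code from the video or from pwntools: a small Python re-implementation of that pattern generation and lookup, with the faulting EIP value constructed for the example rather than taken from the video.

```python
"""Added example (not the video's code): re-implementing the pwntools
`cyclic` / `cyclic -l` technique the video uses to find the 44-byte
offset to the saved return address in the `root` binary."""
import functools
import struct
from typing import List

ALPHABET = "abcdefghijklmnopqrstuvwxyz"
SUBSEQ_LEN = 4   # pwntools default: every 4-byte window is unique


@functools.lru_cache(maxsize=None)
def de_bruijn(alphabet: str = ALPHABET, n: int = SUBSEQ_LEN) -> str:
    """Standard recursive De Bruijn construction B(k, n): every length-n
    window over the alphabet occurs exactly once, so a 4-byte fragment
    seen in a crashed register maps back to a unique offset."""
    k = len(alphabet)
    a = [0] * (k * n)
    sequence: List[int] = []

    def db(t: int, p: int) -> None:
        if t > n:
            if n % p == 0:
                sequence.extend(a[1:p + 1])
        else:
            a[t] = a[t - p]
            db(t + 1, p)
            for j in range(a[t - p] + 1, k):
                a[t] = j
                db(t + 1, t)

    db(1, 1)
    return "".join(alphabet[i] for i in sequence)


def cyclic(length: int) -> bytes:
    """Equivalent of `pwn cyclic <length>`: first `length` bytes of the pattern."""
    return de_bruijn()[:length].encode()


def cyclic_find(subseq: bytes) -> int:
    """Equivalent of `pwn cyclic -l <4 bytes>`: offset of the window, or -1.
    Mirrors the 'sub pattern must be 4 bytes' complaint seen in the video."""
    if len(subseq) != SUBSEQ_LEN:
        raise ValueError("sub pattern must be 4 bytes")
    return de_bruijn().encode().find(subseq)


def offset_from_crash(eip: int) -> int:
    """Turn the faulting 32-bit instruction pointer that dmesg reports into
    its pattern offset. The register holds the 4 overwritten pattern bytes
    little-endian, so pack it that way before looking it up."""
    return cyclic_find(struct.pack("<I", eip))


if __name__ == "__main__":
    pattern = cyclic(50)
    print(pattern.decode())
    # Constructed crash value for the example: the 4 bytes at offset 44
    # ("laaa") read back little-endian as 0x6161616c.
    print("offset:", offset_from_crash(0x6161616C))
```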
Info
Channel: John Hammond
Views: 75,597
Id: 2ZZPwwXOH08
Length: 30min 33sec (1833 seconds)
Published: Tue May 19 2020