TryHackMe! Bypassing Upload Filters & DirtySock

Captions
Hello everyone and welcome, welcome to a long-awaited video. I put out a little promo for this thing last week. We had a cool little event in the TryHackMe Discord; we're having a little "designing dungeons" conversation with the creator here. So this is it, here we are, we're doing the Year of the Jellyfish room on TryHackMe. So I am not expecting this to go all that well. I'm gonna fall down a lot of rabbit holes, I'm going to bang my head against the wall for a little bit, and it's all bundled up in a video for you to enjoy watching my suffering. So here we go.

I'll get to my computer screen here. This is it, I am in TryHackMe, I'm on the website and I've opened up the Year of the Jellyfish room. So Year of the Jellyfish is part of an OSCP voucher giveaway which is generously donated by Fawaz. If you root the box before 6 PM UTC on the 30th of April 2021 you'll be entered into the prize drawing. The winner will be chosen by raffle at that time, streaming announced on the TryHackMe Discord server. So you've got to jump into the TryHackMe Discord server and see what's going down, see all the memes, see all the laughter, see all the gifs, and maybe ask for some help if you're playing this, if you're working through it. But no worries at all, this is all for fun, we're all here to learn, right? So that's the stakes though; everyone's been having a lot of fun for some TryHackMe giveaway here, an OSCP voucher. A couple notes though: this box deploys with a public IP address, so think about what that means for how you should approach this challenge. Internet service providers are often unhappy (it's very generous of you), they're often unhappy if you enumerate public IP addresses at a high speed. Okay. It goes without saying, any signs of cheating will result in an immediate and permanent ban, both from the competition and from the site and TryHackMe community. Oof, oof, can we get an F in the chat, ladies and gentlemen. And of course, don't stream or release write-ups for this box until after a week has gone past. We should be in the clear, we should be good to do this thing now because, you know, the time has elapsed. So let's do it.

I've got the machine to start it up, I got my little IP address here, and I guess let's do this thing. I don't know, I don't even know what I'm getting myself into. So I've got a terminal, I'm connected with VPN, which I apparently don't even have to be. So Year of the Jellyfish, also known as YotJF or "yacht-jiff". Let's get a README going because I'm sure I'll have a lot of stupid ideas that I'll probably want to keep track of. That's large text: Year of the Jellyfish. If you guys don't know, obviously I'm going to be a little more rambunctious, I'm going to be a little bit more crazy, I'm going to be a little bit more John Hammond than usual, because this is going to be a raw video where I'm just diving in. What day is it today? The 28th is the day I'm recording, 2021. Let's get the IP address in here and let's start the show.

I'll make a directory for nmap and, you know what, my ISP, my internet service provider, might get angry at me if I were to scan this box, but that's a risk I am willing to take. What is that line, is that like from Shrek? It's Lord Farquaad, he's like "some of you may die, but that is a risk I'm willing to take". 21 FTP, 443 HTTPS, port 80 for a classic web server HTTP, 22 for SSH, discovered port 8000. What else we got, we got anything else? A little AWS instance here it looks like, and now it looks like those are all the ports that it found. I'm skeptical, because I know MuirlandOracle, the one that puts this together, is gonna throw some curveballs in here, so maybe there are some other ports to scan. I'm gonna stop that nmap scripting engine and just go kind of all out, and we don't need those things anymore, and let's throw it into like an all-ports file. Let's go all ports, and I guess let's do it, I guess, risky business screaming out across the internet.

What's the IP address, do I still have that here? Yeah, yeah, yeah. So it's going to redirect me to HTTPS, right? So I'm going to assume... oh, it obviously needs a domain name, of course, duh. I'm saying HTTPS because we saw port 443, but it looks like it needs a kind of name entry for robinspetshop.thm. Okay, let me start another little terminal boy, and I will... discovered port 22222. Add this into nano, edit /etc/hosts with nano... oh shoot, what was the IP address? Paste that in. Ta-da. Now going to the web page: certificate warnings, okay, and that's totally fine, probably like a self-signed certificate, totally cool, take me there anyway, living on the edge. Welcome to Robin's Pet Shop.

I should take a look at that certificate though, so I'm going to click up here: connection to the site is not secure. Can I see the certificate? Why can't I zoom in on that? I want to make that bigger, I want to make it so that people can see it. Gosh. Details. Let's see what we got here, hopefully your eyes can like squint on that. I'm just gonna scroll through here, whatever information might be present in this certificate, in case there's any new information that would be worthwhile, like other domains. Oh, in fact, yes: certificate Subject Alternative Name. I wonder if nmap would have actually carved that out in my nmap initial. It didn't write it because I quit the program. Great. All right, so we have monitor, beta and dev as some subdomains in here. Let's keep track of that, I suppose, and then let's also grab all of these to be put on other lines and add them into our /etc/hosts file. Someone yelled at me, someone was in the stream chat last time, it was like "John, you know you can just kind of put them all in the exact same line in /etc/hosts", I'm like, you're right, you know, fine. And that works, right, spaces? Yeah, I'm pretty sure. Let's just grab one and then ping it. Yeah, okay, it gets the IP just fine; ping is not going to want to respond though, so that's fine.

So now we have some other subdomains we can take a look at, but first let's dive into Robin's Pet Shop. "It's the best pet shop in Bristol. We have the happiest collection of animals for sale, be it a cute little guinea pig, a puppy, an adorable bunny rabbit or your first goldfish, we have a pet for you." This is a big goldfish now, I zoomed in a lot. He looks kind of sad, not gonna lie, he looks like he's not all that happy to be here. Fred the goldfish, Honey the beagle puppy and Credence the chameleon. Oh, there are a lot of these. You can get a giraffe. Does anyone have a giraffe? An alligator: "please don't ask, but please send help". I'm having fun already. "As you can see we have a wide array of pets available. Be warned, some may come with unexpected medical expenses." Goldfish bites, yeah, yeah, that's the least of our worries here. "Come and visit us at any time."

I clicked the link... did I lose it? Did my nmap scan kill it? Did my nmap scan kill it? No... you know, I learned my lesson, we learned our lesson real quick. Do I just wait it out, or reset the box, or get a different IP address? All right, we're off to the races bright and early. Let's revert the box, I'm gonna, you know, just do that, not a big deal, and we'll wait for that to happen and I'll switch out the IP addresses in my /etc/hosts. Okay, we got a new IP address, a new box is up, so let's switch that out in the /etc/hosts file and let's hope that that will behave a little bit better for us. I probably should have read the instructions, you know, like, I mean I did but I just kind of totally ignored it, so I learned my lesson. Connection's not private, yep, redirected me just fine, let's go. All right, let's not send a massive nmap scan across all ports now. Did we even get anything from that honestly? We saw a new 22222, but what is on this page, is there anything worthwhile other than these animals? The contact page: feel free to contact us anytime, there's an email address.

Is there anything like hidden in these web pages? I'm just going to quickly view source, I'm just going to quickly Ctrl+U to see if there's any hidden things. I see an assets page, so we can go visit Fred the goldfish personally: assets/pets. Oh okay, some directory indexing. How about in assets? Just pets. Anything else we could do, like Nikto and gobuster, but then we just run into the exact same problem, so I could switch to like some VPS or something maybe, but if there's nothing else immediately as a telltale on this site then I want to go look at some of the other ports. We knew that FTP was a thing. I don't think I have anything out of the nmap files, yeah, all ports and initial are gone. So what did we see? I mean we can do this again, but we saw 21, we saw 80, 443, we also saw an 8000, obviously 22, and 22222. Oh, and we can check out these other domain names too. I want to see the FTP real quick just to, I don't know, spot check that in case it's like a dummy anonymous login. I doubt it, and it's also... this is an up-to-date version of vsftpd, so probably don't have users. We could just try a simple FTP username again, empty, no pass, but I don't think... yeah, that's not gonna get anywhere. Okay, maybe that'll come in handy later. 80 and 443... SSH, we don't know any usernames. What's on port 8000?

Oh, that's still using HTTPS, so let's try and switch that to HTTP. "Site is under development, please be patient. If you've been given a specific ID..." An ID? I haven't been given an ID. How do I get an ID? Anything? Nope. Please subscribe? Nope, no one's handing out any favors. I want a box where "please subscribe" is like a necessary part of the box, it's like a password or a key or something. What is on this quad-2 thing, or quint I guess... is it because we're... wait, this is six? That's sick, what? Yeah, how did that happen? No, I'm sure I just typed it wrong. SSH, not gonna be that helpful. Let's look at these other domain names, let's look at these other subdomains. dev, it sounds kind of good, not gonna lie. Is there gonna be like any development files? Redirects me to HTTPS again, totally fine. That brings me to the exact same page, okay. What about beta? Does that bring me to specific betta fish? beta, yep, take me there please. Oh, it just brings me to 8000 again, that's not helpful. What was that last one? monitor. Let's go to that. Okay, take me there. Oh, what the heck is this thing? "Pet shop is online". It took me to localhost, it was weird. Jellyfish... Jellyfin is on 8096.

I just see the tooltip down there. Is that a thing, is that a real port, 8096? I didn't see that from nmap, not that nmap was really all that useful considering it broke everything. Jellyfin, what is this? I don't know a username or password. What is Jellyfin? There's a server ID, that's not something that I could use on like port 8000, is it? I'm really, really doubting that, but I'm just gonna try it. Nope. Okay. Monitorr I can turn on and off, is this like a thing? Oh, it is made for the community, it's like an open source thing. What does it do? Nothing else in here, just a lot of JavaScript, seemingly to do like the actual display. What is this? "Monitorr is a web front to live display the status of any web app or service. If updating to version 1.7 from any previous version, before updating, backup." Screenshots, very cool, very slick, wow. Oh, it's PHP. Is there something we could take advantage of? Are there any like issues, known issues, like security things, like things that I can exploit? Maybe. A lot of feature requests. Security... security advisories, nothing new. The thing had a version number on it, didn't it? Yeah, Monitorr 1.7.6. Are there any changelogs in here? 1.7.6... this is 1.7.7d back in 2018.

So this might be old. Yeah, okay, so this is the version 1.7.6. Are there like exploits? You know what, I should just check searchsploit, which I do have in my path here. So I'm going to searchsploit monitorr: "authorization bypass" and "remote code execution (unauthenticated)". That sounds kind of nice. What do I do with this thing? Let me take a look at both of these. searchsploit, I'll just use -x to display that out... let's use -m, because I want to get my syntax highlighting. Please just bring the file over here and we'll open it up in Sublime Text. Authorization bypass: "specify parameters in the format python url user login username". Oh, so we... wait, how's it an authorization bypass if it takes in a user password and stuff? "Allows creation of administrative accounts by abusing the installation URL." Is that URL like still a thing? assets/config... let me go there, that /assets/config/_installation/register. Not a thing. I don't know if that'll work, my guy. Yeah, so you could like create a user, but that's not going to help us, I don't think, in this one, because it just genuinely doesn't have that PHP file right now. There's a link here. What does this other one do? Remote code execution, unauthenticated, which is good because I do not have an account. Let's bring that down: 48980. This is the exact same one, is it not? What... oh, there's a difference. They looked very similar, I was a little weirded out. I'm sorry, I didn't mean for that to just be complete nonsense, they looked almost identical. Remote code execution unauthenticated: it needs a target URL and LHOST and LPORT, so it calls back to me. Yep. It tries to go to assets/php/upload.php. Does that location exist? It does, it gets like errors. Okay. data/usrimg, is that a thing? It's going up a directory so it's not in php anymore, it's data/usrimg. Oh, thanks, thanks. Oh, so this file exists, there's nothing to it. I'm sure it's going to be processed server-side, right, because it's PHP.

So headers, these look pretty fine. Can I like pretty-print this or something so I can see what those headers are actually doing? I don't really care that much, but this is kind of hard, this is kind of annoying to try and make sense of and read. Whatever, this is totally unnecessary, I just kind of wanted to be able to see a little bit better. And data is a straight-up mess, but it is uploading a file, shell.php with an underscore in the mix, image type GIF. God, you know what, word wrap, where you at, my man. Okay, it includes a GIF header and then a PHP exec of /bin/bash calling back to an IP address. Yeah, okay. "Shell script should be uploaded, now we try and execute it." I mean, that file exists so maybe that one's worth a try. I'm going to move that to 890.py... exploit.py, how about that. python3 exploit.py, and I need a target URL and LHOST and LPORT. Oh, this machine is on the internet, so I will probably need to either use my VPS, like a virtual private server, or use ngrok. Let's use 8888 and then I'm gonna use ngrok, if that's totally cool: ngrok tcp 8888. Good, and now I have this IP address and port. So if I just, for kicks, just to verify, sanity check, if I were to try and netcat to that, I do see that connection come back, so ngrok should be behaving for me. Yeah, so when I run this exploit I need the target URL, which I'm assuming is just going to be the root of monitor, just like this, and checking out the exploit again, it actually, yeah, it adds a forward slash, so I don't want that trailing forward slash there. And then, oh, it needs the space for the port. So if I try and run this it's getting an SSL error because of the certificate. So we make a POST request and a GET request, so we can just tell them to totally ignore the certificate: verify should equal False, don't bother verifying the certificate. I know this is just a fake internet game, so it's not real, nothing is real.

Why is it still dying? Oh, I need to be editing the exploit script; I just accidentally saved a copy of my old 48908 or whatever those numbers were. So now verify equals False. Trying that command again: "shell script should be uploaded, now we try to execute it". It's warning about the certificate, that's totally fine. No. Can I like proxy that or something to like see what the response is? I mean I guess I can like view the page. Is there a file created though? data/usrimg, no, no new files. It tries to get the page, but I want to view the response as we try and upload it, or post it, right? So that's the POST request; if we do print(r.text) we can see the response, and [Laughter] "You are an exploit". How did you know? My user agent... is that my user agent? Like, isn't it Python? How does it... if I POST to it... stupid stinking certificate... "You are an exploit". That's just curl, I didn't set a user agent. Is there like something going on, like tracking me? Oh, there's a cookie, there's an "is human" cookie and it's set to 1. I am human, I know you people don't want to believe me, I see your comments. "is human", that should be 1, and then let's supply that along with it. I'll grab that same syntax for the GET request and now how do we look? It didn't give me that "you are an exploit" error, but it says it's still not something that it wants to upload. What page was that? It didn't put it there, did it? No. Is there like some weird stuff going on, like will you upload a GIF, quote-unquote like genuinely a GIF, if I add that .gif extension? I'm gonna try and download it, so we have to switch it in that path as well. Go back to my Python: it uploaded. Oh, that uploaded, so that uploaded, but it's not very helpful to me because it's not running, it's not going to execute PHP. Is it like checking if the presence of a file extension is there, or like if it has a GIF header in it?

What is this server doing to try and limit and constrain what I could send it, or what I could give it? Like, is there filter evasion, is there some like blacklist for data that I have to send it? shell.php, can it work with like other, like .php3, maybe? No: "shell.php3 is not an image or exceeds..." so that one failed just as well. Let's try like .phtml, will that work? "shell.phtml is an image file, uploaded". We requested it but we didn't get a callback. It exists. Is my tunnel still like happening? I want to see if it gets the callback. Click on it. What is happening? The page isn't loading for me, I mean it's probably like trying to call back, but does it not like the ngrok? Let's try without the ngrok. Let me just get to like a server that I can control. Let's get into shared memory and listen on cloud 9. Oh sorry, I need netcat now. When we try this connection, please call back to John Hammond on cloud 9 [Music]. That should request the page. Is it gonna want... does it need to be like a stupid, like, real port? That's obviously not stupid, that's genuine. Does it need to be something that like would actually probably allow outbound traffic? Like I'll listen on port 443. Oh, it's running a website, that makes complete sense. Maybe that was what was wrong when I tried to use ngrok. Let's just, for the funsies, let's see if we can get pwncat in here, that might be good, and everyone can whine and complain because every time they see pwncat it's doing horrific things, but sometimes it's nice, you know. Let's listen on 443. Can I sudo that? Will it let me? Oh gosh, that's gonna suck. All right, screw it, no pwncat: sudo nc -lnvp 443.

Yeah, now ngrok that, ngrok that. Yeah, so now I am 6.tcp.ngrok.io 11559. Send that in. No shell. Put it, uploaded. What are the contents of this file? I know it's going to try and request it, and it's going to be hell. Get to the VPS one more time, I'm going to sudo nc -lnvp 443. That's already running. I don't care, everything please die. Okay, let's try that now. What's going on? Oh no, no, no, that's just random people scanning my computer, that's just genuine traffic from bad actors, dang it. Oh, oh, it wasn't uploaded because it already exists. No, it didn't make any changes because it already exists. I should have read the error message. import random, please, import string. So let's say filename can go ahead and equal like random.choice of string.ascii_lowercase for underscore in range of random.randint, I think 5 to 12. That's totally fine. So let's put that all together and then let's make the data go ahead and define that as the filename with an f-string, so that's pulled in, and let's do the exact same thing over in the URL that we request. So, oh, and I never even requested that stinking extra .phtml thing, the other little file extension here, it was never going to do anything. Gosh. All right, so what I did is I just hot-patched the script to use a random filename each time rather than that constant one, because it was going to end up trying to overwrite itself and it wouldn't let it. So now it just has a random script name and it will hopefully actually get the same file that we've uploaded to request it. So I guess, gosh darn it, how much time did we waste on that?

Well, here we are with my random filename, that's a good one, "aguix", sort of, however you want to read that. I am just www-data though, and I want to make this a stable shell. So, oh sorry, do I actually have Python? which python, please. Nope. which python3? I do have python3. python3 -c "import pty"... gosh, I hate unstable shells so much, and you're not going to be able to see this because I can't clear my screen. import pty; pty.spawn("/bin/bash"), close parentheses, do it. Ctrl+Z, stty raw -echo, fg, hit Enter a few times, export TERM=xterm. So now I have a manually stabilized shell, sort of. Are we in a Docker container or anything? No. What can I do? What home directories are there? robin. Oh sorry, that's a directory; she has nothing in her home directory. Where is the flag that I'm supposed to submit? Is there a flag one? Where is that? Jellyfin. Robin McKenzie, she doesn't have a flag. What's in www? flag1, let's do it. One down, cool. Hey, I've got a streak: one flag submission. I'm truly sorry, I'm truly sorry.

Now we need a privesc. Can we get into Robin? Well, she has nothing in her home directory. We could run like LinPEAS to enumerate, we could try to do some stuff manually, but uploading something is kind of going to be a pain. God, I so wish pwncat would work well for me because it's just so much easier, like I could updog stuff... but I guess we could do that, I guess we can updog stuff. Let me copy a rendition of, oh, LinPEAS over here and let's try and updog that in this current directory so that I can ngrok tcp 9090, or I guess that should be, I mean, that would be HTTP on 9090. Well, let me do that. Seemingly okay. Do I have things to actually access those? Do I have curl? I do. All right, let's get to dev as... curl that on port... what port? Oh, it doesn't have a port seemingly. Can I download linpeas.sh? Just throw it into linpeas.sh, I guess, because curl will go ahead and put it on standard output. I mean, it got it, you know what, you can't complain.

Okay, let's see how we do. I don't know if it'll be able to find anything, but it's kind of worthwhile to run, and we can go about and do our manual enumeration if need be. What do we got? It is a virtual machine, that makes sense. sudo version: is that an old sudo version? I feel like that's the one that did... that got patched? I don't know. Useful software: lxc. Are there like LXC and LXD containers going around? I'm not in that group, I'm just www-data, I'm a real low-privileged user right now, so I don't think I'll be able to do a whole lot unless there's anything that like egregiously stands out. Oh yeah, FTP's running, you could dump credentials if you were root, but I'm not root. Socket: snapd, owned by root. I don't usually see that, that's not something I typically see with like LinPEAS output. It's not really all that useful, it's like an error message, but that's weird. And that's all I got out of LinPEAS. Okay, I guess that's all we're gonna get. That's weird to me, I wanna look into that. I'm opening up Firefox now. Okay, thanks, I guess, if you load the page. Ah, socket files for snap, though, that's a snap. I know it's not like anything that's immediately useful because it's just an error message, but it's still really weird to me. What else could we do? Because we could go through g0tmi1k's privilege escalation guide since we don't really have anything out of LinPEAS, and maybe pwncat would be able to track stuff down, but again we'd have to have that working. Applications and services: what applications are installed? That might be fine. Ah, I just read it all out in /bin and /usr/bin, but LinPEAS would have found that. What about dpkg? snap, of course. This is a lot of libraries. Okay, okay, we're in lib-land, I don't like it. And that's it. It has the version though.

That sock thing is still throwing me, the socket thing with snap. Part of me wonders if that's a thing; I've never seen that in LinPEAS before, but it's not like it didn't know what to do with it. What is snap? I mean, obviously I know what snap is, but what's that version number, is that a thing? Let me searchsploit snap... searchsploit snap, and that version number: 2.32.5 is less than the one that's Dirty Sock. Oh, like I always... I've never actually done like a Dirty Sock exploit thing. I've known of it, believe me, it just sounds similar enough to Dirty COW, and obviously this was kind of a big thing when it was found out. I remembered it being in the news and all. searchsploit -x on that, yeah, yeah, January 2019, and the version number is lower, so this thing should be vulnerable. "Create an account at the Ubuntu SSO", is that for real? Version 2. There's a lot in this. What about this one? What's the difference between that one and this one? Let me copy that down: searchsploit -m 46... please. Oh, this is the Dirty Sock version two. Oh, it has the snap like pre-created and it installs it, snap.snap. Oh, that must be why this box needs to be public, so it could actually like reach out if it does need to get stuff from like the Ubuntu... like, am I understanding that right? What is this POST to? Huh. Let's do it, let's sing and do it.

Let's get back to the victim. I guess I could download that since it has now been put in the location that I'm serving with updog, and it's that four six two three two one. Let's just move that to dirtysock.py and let's try and download that. Cool, got it. ls. I guess let's do python3 dirtysock. It has to sleep for five seconds, it has to sleep for eight seconds, snoozing. Come on, the suspense is killing me. Okay, so I can su to dirty_sock with the password dirty_sock. I'm dirty_sock, is that root? Oh no, but I can sudo. Do I need a password? I know the password. Oh, that's cool, that's super slick. Dunzo, dunzo. I like that one. I'll be honest, I haven't done Dirty Sock before and I need to Google that and look into it a little bit, but that's a good box.

I'm sure, like, if those other subdomains had other stuff in them I would have fallen down that rabbit hole for a long, long time. But I felt like between Monitorr having those immediate version numbers that you could look up and check through searchsploit, that was good to kind of keep me moving. And the privilege escalation, I feel like I cheesed that, because what LinPEAS did wasn't a specific message like "hey, this is vulnerable, this is exploitable", but it just gave me that weird error, and I was like, I feel like I've never seen that before, I feel like I don't normally notice that with socket files, especially from snap. So I don't know why, but that like triggered me and I started thinking about it, so I just kind of wanted to look at it just a bit more. But going through g0tmi1k's privilege escalation guide is certainly a good thing to do if you don't have anything with LinPEAS, or if you want to try other enumeration scripts, I don't know, like Smart LinEnum or whatever xyz.py file that you can use for other automated detection for privilege escalation. But it's surprising to me that LinPEAS didn't actually like trigger and see that on its own; maybe that's something that we could, I don't know, have better detection for when we're starting to script this or do this a little bit. I don't think that was too awful, I don't think I spent an insane amount of time on this. That's it though, cool.

All right, this was a lot of fun. Thank you Muir, thank you MuirlandOracle for this box, this was very fun and very slick. I really enjoyed the goldfish and everything else in Robin's Pet Shop. I don't know, maybe if Robin had a little bit more, if there were other users... this was cool, this was a lot of fun. So how many people have solved this at this point? Does it say? 2,000 users are in this, just about. So jump in the Discord. Are there write-ups available? Just the one by Muir. Oh, and that, I mean it says "hey, don't share write-ups until after", but nice. This was cool, this was fun. I don't even know what Jellyfin was there for, I'll be honest. We went in a lot of different places, we tried to look under every stone while we could, but that was fun, that was good and I enjoyed it. I hope you did as well, I hope I didn't stumble or go back and forth too much. It was cool to see Dirty Sock, so I think that's it, I think that's the end of the video, I think we did it. Thank you so much for watching everybody, thanks so much for hanging out.

Hey, I hope you enjoyed this sort of thing. We had kind of a cool conversation between Muir and I in the TryHackMe Discord about designing dungeons and how making this activity, making exercises, trying to create security training like that... I don't know, it takes a lot of thought. Like exploiting and taking advantage of, breaking stuff, is one thing, but when you're trying to build it and when you're trying to make the environment that you have, a structured playthrough of how you want folks to get through the room or the machine or the challenge, that's a whole 'nother ballgame, it's a whole other can of worms. So absolute credit goes to MuirlandOracle, and of course serious props to Fawaz for being willing to donate an OSCP voucher. But the way to do that, the way to get in, the way to party, is to be in the TryHackMe Discord, so if you aren't in there already please do jump in. You can see who won this thing, you can see if you won this thing if you solved it, and there's a lot of great shenanigans going on. So it's all part of being part of the community. That's it. Thanks for watching this video everybody, thanks so much for hanging out with me, I hope it was fun. I'll see you in the chat as we're going through this live, I'll see you in the comments. Love if you could like the video, please maybe press that subscribe button, I'd be super appreciative. So thanks so much for watching everybody, I'll see you in the next video. Take care. [Music]
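The upload check the walkthrough keeps bumping into rejects .php and .php3, lets a .phtml through as long as the body starts with a GIF header, and refuses to overwrite a name that already exists. The following is an added example, not code from the video, from Monitorr or from the exploit script used in it: a Python model of that blacklist-plus-signature filter beside an allow-list filter of the kind a maintainer would ship instead. All file names, sample bodies and the stored_name helper are constructed for illustration.

```python
"""Upload-filter comparison, added as an example for this page.

Not code from the video, from Monitorr or from the exploit script shown in it.
It models the two behaviours the walkthrough runs into: a blacklist-plus-magic
check that rejects .php/.php3 yet accepts a .phtml body that merely starts with
a GIF header, beside an allow-list check that would not. Everything below
(names, extensions, sample bodies) is constructed for illustration.
"""
import os
import secrets

# Leading bytes ("magic") of the image formats the allow-list accepts.
MAGIC = {
    ".gif": (b"GIF87a", b"GIF89a"),
    ".png": (b"\x89PNG\r\n\x1a\n",),
    ".jpg": (b"\xff\xd8\xff",),
    ".jpeg": (b"\xff\xd8\xff",),
}

# Weak filter: a blacklist of extensions plus "does it start with a GIF header?"
# It forgets .phtml (and any other extension the web server maps to PHP), and
# the signature test is satisfied by any body that begins with GIF89a.
BLACKLIST = {".php", ".php3"}


def weak_filter(filename: str, body: bytes) -> bool:
    ext = os.path.splitext(filename)[1].lower()
    if ext in BLACKLIST:
        return False
    return body.startswith(MAGIC[".gif"])


# Hardened filter: allow-list the extension, require the signature that belongs
# to *that* extension, and reject multi-dot names so "x.gif.phtml" cannot be
# re-interpreted by a later handler. The client-supplied name is never stored.
def hardened_filter(filename: str, body: bytes) -> bool:
    base = os.path.basename(filename)
    if base.count(".") != 1 or base.startswith("."):
        return False
    ext = os.path.splitext(base)[1].lower()
    expected = MAGIC.get(ext)
    if expected is None:
        return False
    return body.startswith(expected)


def stored_name(ext: str) -> str:
    """Server-chosen random name: uploads can neither be predicted nor collide
    (the "already exists" failure the video hits with a fixed name)."""
    return secrets.token_hex(16) + ext


def evaluate(cases):
    """Run both filters over (filename, body) pairs; returns {name: (weak, hardened)}."""
    return {name: (weak_filter(name, body), hardened_filter(name, body))
            for name, body in cases}


# Constructed sample uploads mirroring the attempts in the walkthrough.
GIF_HEADER = b"GIF89a"
PLACEHOLDER = b"<?php /* constructed placeholder, not a payload */ ?>"
SAMPLE_CASES = [
    ("fred.gif", GIF_HEADER + b"\x01\x00\x01\x00\x80"),  # a legitimate image
    ("shell.php", GIF_HEADER + PLACEHOLDER),
    ("shell.php3", GIF_HEADER + PLACEHOLDER),
    ("shell.phtml", GIF_HEADER + PLACEHOLDER),            # slips past the blacklist
    ("shell.gif.phtml", GIF_HEADER + PLACEHOLDER),        # double extension
    ("notes.txt", b"plain text, no image signature"),
]

if __name__ == "__main__":
    for name, (weak, hard) in evaluate(SAMPLE_CASES).items():
        print(f"{name:16s} weak={'accept' if weak else 'reject':6s} "
              f"hardened={'accept' if hard else 'reject'}")
```

The point the table of results makes is that the blacklist never had a chance: the set of extensions a web server executes is whatever its handler configuration says, not .php and .php3. The allow-list plus a server-chosen name is what actually decides the outcome, because the stored file can only ever end in an image extension; the signature check merely weeds out mislabelled content and does not catch a file that is a valid image and PHP at once, so the upload directory should additionally be served with script execution disabled or kept outside the document root.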
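On the privilege-escalation side the walkthrough notes that LinPEAS only surfaced the root-owned snapd socket, and that it was the snapd version, compared by hand against the Dirty Sock exploit date, that settled whether the host was exposed. The following is an added example, not code from the video or from the exploit it downloads: a small checker that parses `snap version` output and applies the affected range for Dirty Sock (CVE-2019-7304, snapd 2.28 through 2.37, fixed in 2.37.1). The two output samples are constructed; `check_local_host` is the only part that touches a real machine.

```python
"""Checking a host's snapd against the Dirty Sock fix, added as an example for this page.

Not code from the video or from the exploit it downloads. The `snap version`
samples below are constructed; on a real host, check_local_host() runs the
command for you. Affected range taken from the CVE-2019-7304 advisory:
snapd 2.28 up to, but not including, 2.37.1.
"""
import re
import subprocess

FIRST_AFFECTED = (2, 28, 0)
FIXED = (2, 37, 1)


def parse_snapd_version(text: str) -> tuple:
    """Pull the 'snapd  2.32.5' line out of `snap version` output -> (2, 32, 5).

    Distro suffixes such as '2.37.1+18.04' are ignored on purpose: only the
    upstream numeric part decides the comparison here.
    """
    m = re.search(r"^snapd\s+(\d+)\.(\d+)(?:\.(\d+))?", text, re.MULTILINE)
    if not m:
        raise ValueError("no snapd line found in `snap version` output")
    major, minor, patch = m.groups()
    return (int(major), int(minor), int(patch or 0))


def dirty_sock_exposed(version: tuple) -> bool:
    """True when the version falls inside the affected range."""
    return FIRST_AFFECTED <= version < FIXED


def check_output(text: str) -> dict:
    """Summarise one `snap version` output as a small report."""
    v = parse_snapd_version(text)
    return {
        "version": ".".join(map(str, v)),
        "exposed": dirty_sock_exposed(v),
        "fixed_in": ".".join(map(str, FIXED)),
    }


def check_local_host() -> dict:
    """Run `snap version` on this machine and report (requires snapd installed)."""
    out = subprocess.run(["snap", "version"], capture_output=True,
                         text=True, check=True).stdout
    return check_output(out)


# Constructed samples: the version seen in the walkthrough and a patched host.
SAMPLE_OLD = ("snap    2.32.5\n"
              "snapd   2.32.5\n"
              "series  16\n"
              "ubuntu  18.04\n"
              "kernel  4.15.0-0-generic\n")
SAMPLE_NEW = ("snap    2.49\n"
              "snapd   2.49\n"
              "series  16\n"
              "ubuntu  20.04\n"
              "kernel  5.4.0-0-generic\n")

if __name__ == "__main__":
    for label, sample in (("old", SAMPLE_OLD), ("new", SAMPLE_NEW)):
        print(label, check_output(sample))
```

Run as a script it prints a report for the two samples; on a live host call `check_local_host()` instead. A version comparison is a screening step, not proof: a distribution may carry the fix under a backported version string, so the package changelog is the authoritative source before raising a finding, and the cheaper detection the walkthrough wishes LinPEAS had is simply pairing "snapd socket present" with "snapd version below 2.37.1".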
Info
Channel: John Hammond
Views: 67,690
Id: g2CnIgjHeX8
Length: 53min 37sec (3217 seconds)
Published: Fri Apr 30 2021