TryHackMe! Looking Glass... with PWNCAT

Captions
Hello everyone, my name is John Hammond. Welcome back from the YouTube video, and I am super duper excited to bring this to you. This is a video walkthrough and write-up of the Looking Glass room on TryHackMe. So let's hop on over to my screen here and I'll show you this. Looking Glass is a challenge room that is a sequel to the Wonderland challenge room, and I still need to give you guys a video on that, so hopefully that can come out soon, maybe tomorrow, we'll see. But this room is only like less than a week old. I have completed it already, so forgive me for having the user flag and root flag in here; obviously I'll showcase how to get each of those and what we'll be doing to get through all of those. But I don't think there are any write-ups for this out just yet, so I'm very excited to bring this to you, and let's get to it.

I've spun up the machine already, so let's grab the IP address and hop over to our terminal, where all the good stuff happens. I'll start off as we start off with just about every box: with a classic nmap scan, -sC for default scripts, -sV to enumerate versions, -oN to save into an nmap format. I'll save it in an nmap directory that I created, with initial being the file name, and of course the IP address of this box. So what I normally do while that is running is fire up another terminal and hop over to see: does this actually have a web page associated with it? So I'll just throw that in, but it looks like there's nothing listening on port 80. Okay, so we don't really have Nikto or anything to run, or gobuster or anything we could quickly fire off. What we could do is just maybe try other protocols and see if anything actually responds while we're waiting. It doesn't look like there's anything on FTP. We could run like enum4linux, or just smbclient to see if there's actually anything there on Samba or SMB, port 445. I will promise you there's actually nothing there, but those are the things that I would do while I'm waiting for that nmap scan to finish. Since this is a video and I wanted to prove that I would be running an nmap scan, I will just pause the video and let that finish, and I'll see you in just a few moments.

Okay, our nmap scan has finished. That did take a little bit of time to run, so please note that'll take maybe a few minutes. But let's open it up in Sublime Text to see what we're looking at here. I'll zoom in on this so you can see. It looks like we have port 22 open with SSH, just a regular OpenSSH client or server there running on Ubuntu, so we can assume the target is Linux. And we see a lot of other seemingly SSH servers. Oh, there's some weird ones on 900 and up to 903. We can take a look at those manually if we need to, but if you see my minimap over here, there's just a lot of the same entry, of like 9000 up to 13783, and these are all Dropbear sshd, or the SSH daemon or server. So Dropbear must be a... kind note here that nmap only ran its most common thousand ports, so if we wanted to we could start an all-port scan, and I'll turn off the scripts running here and I'll save that as allports, and I'll let that run while we start to just enumerate and look at some of those oddball ones. I want to see that port there, and we have this FTP line, so that already has the IP address, and I'll just connect to that, and I get the exact same banner doing a simple banner grab with just netcat connecting to that port. Same thing with 9100. Okay, okay, so we're just seeing a bunch of SSH Dropbear. I hadn't heard of Dropbear before, so I had gone to do some research on that: what is Dropbear SSH, and are there any like known vulnerabilities or exploits for it? It is a Secure Shell compatible server. I would just simply, okay, Google "exploit", or see if there's anything worthwhile there, and Exploit-DB had some interesting stuff for remote code execution. Apparently there's some gimmick with like a format string or a printf, and this explanation explained that you needed to use a hacked SSH client to be able to actually trigger that and activate that. I thought that was really weird.

But looking at it for the very first time, I had gone ahead and just started to like try to supply a username that would actually have that printf format in there. So I would ssh on a specific port like 9000, which we knew had that, and I'd specify like a %s at that location. Yes, we'll go ahead and accept that key or fingerprint or whatever. And I thought it was weird: it would respond to me with just the word "lower". It didn't ask me for a password or anything, so I was like, okay, do I need a different format specifier if I were doing that printf kind of technique? But I would always be responded to with "lower", and I didn't exactly know what that was or why that was there. I thought, okay, is it going to do the same thing on every single port or every single service that had that? So I would try some of the other ones, with that 9100 or whatever, but every single time I did this, even without a username specified, if I would just let it use myself, I would just get a response like "lower" or "higher". And for every single other port I have to accept that key. But you'll notice when I tried one of those other ones, like the top thing that SSH had suggested, this port over here, that would still return some weird message, but in this case it was like "higher". And I didn't exactly understand or know why it was saying lower or higher. When I used a really, really high number it specified the word "higher", and I used the lower number, 9000, which is where I saw that kind of string and strain of SSH ports open, that would tell me "lower". So obviously, though, there's a little bit of a distinction between those, if I'm lower or higher, or if I'm too far on to either end of something. Maybe I would be narrowing down to actually retrieve some proper information; maybe there's one service that is actually what it should be, but maybe I'm too high, or I've used a port that's too high as to what it should be, when I use this big 13000 one, or maybe I was too low when I used like a 9000 port.

That was odd and funky to me, so I thought like, okay, let's just simply look at all of these ports: are they all going to respond the exact same way? So we'd have some janky script and loop to literally try and connect to SSH for every single one of those ports, and it might take forever, it might take a way, way, way long time, but we could do it. Like ssh_spam.sh, let's make a simple bash script where I could show you how that's done. I'll use a for loop; I'll use like port in 9000 to 13000, as we saw. I guess the limit was 13783. Does it go up to like 14000? Let me try that on the command line: 14000, nope, it didn't. But what about 13999? That seemingly will respond, but that once again tells me "higher". Okay, so maybe I need to be somewhere in this mix. So let's do a simple for loop, and I'll use ssh -p to specify that port, and I'll use the IP address, which I can just kind of copy and paste here, slap that in. Obviously if I were to run this and do this you might see some interesting problems and predicaments, because it's not going to be automated all that well. Sure, we might be able to try a port... oh, and actually, I should printf what port we're working on so you can see that output and how far we've moved along in the loop. But notice, obviously, whether I get a response "lower" or "higher" or whatever the case may be, eventually if I reach a port that I didn't already accept or connect to, I will be prompted to accept this key, and that takes away a lot of the automation here. So you could actually supply (I started to memorize this now because I've had to use it so often) StrictHostKeyChecking=no, with -o to specify an option for SSH. That way it'll stop asking you all those silly annoying things like, oh, do you want to accept this? In this case, yeah, obviously that's a good security thing to do, to check, but in this case, yeah, we just kind of want to see what's there. So I would let that run, and it would just take gosh darn forever because it's going through however many thousands of ports, and I would always get this response "lower" from the lower numbers and "higher" from the higher numbers.

So I thought like, okay, there must be something that I need to be smack dab in the middle on and get the right value. I thought "lower" maybe referring to like, okay, network big-endian, because it's an SSH protocol port thing doing things with networks, maybe I'm too low when I specify that number. But obviously I don't know; maybe you would expect to read that in a different way. So let's go back to kind of what we were doing: we're just manually connecting to it. But that script could work for us if we just let it run; maybe eventually we'll get a hit. But if we had the methodology and the thought that, okay, 9000 was too low, could we try 10000? And yes, we'll accept that. That says "higher". Okay, so let me actually do a StrictHostKeyChecking (host strict host key, there we go), set that to no, and run that command again. We know that this one was higher, so that was too high. So let's do a little binary search, because we knew that 9000 was too low, so we could go kind of in the middle of that and try to see: is that 9500? Where is that? Is that too high or is that too low? And that's too high. Okay, so we'll kind of cut that in half; we'll go like 9200. Is that going to be too high or too low? That's going to be low. So what about 300? Now that we know, okay, we're sort of finding the sweet spot in the responses that it gives me. We know that that one is too high, so let's go from, excuse me, 9200 to 9300, let's go to 50 within that and kind of have that range. Too high, okay, let's shrink that down again, let's go like 20. And I would use this manual process, and it's very annoying and frustrating because it's a little whack-a-mole game, right? But it would at least be a little bit faster, and we could automate this process if we really wanted to. But okay, 240 is too high, so let's try 30, because we know that 220 is too low. But I would literally just do this until I kind of found the sweet spot. So 230 is too high and 220 is too low, so let's check out that last digit there with a five, and that's too high. Okay, so let's go to two: too low. So we've got to be between three and four. Then I'll try three, sorry my face is in the way, but that's too low. So let's try 9224. We'll find the port, hopefully, hopefully, hopefully, that has something real here to return to us. And yeah, okay, cool, we get something super duper new. This says, "Oh, you found the real service. Solve the challenge to get access to the box," and it says "Jabberwocky". But "solve the challenge to get access to the box", that sounds kind of promising. "Jabberwocky" and then seemingly a lot of gibberish and nonsense, and we have to enter a secret.

So I looked at this and it's pretty easy to tell, okay, all of these are English letters, right? So we're at least using the regular alphabet. Maybe this is some substitution cipher or ROT13. So if I took this and maybe I just simply, let's make a directory for this, like jabberwock, or a file, slap that in, let's cat out jabberwock. So now we've got that on standard output, and let's bring that to rot13. Still didn't give me anything interesting. rot13 is actually part of the bsdgames package, so if you're on Ubuntu or a Debian-based system you can get the command-line things to do Caesar cipher or other specified-key cipher with bsdgames. Other than rot13, you could also use caesar with a specific key specified, or a shift value, a number, three, four, five; obviously 13 will just be ROT13. I would do this, I would just try each of these and I would put that in a little loop. I'd go zero to 26, or like one to 26, I'll do it, done, and then a do and done here, and specify that iterator. What's the issue? for i in, excuse me, okay. And I would have all of the possible rotations or ROT13s in there, but that still didn't particularly give me anything good. So okay, it's not a rotation cipher, but what else could it be? Another thought that I would have, if I'm looking at something that doesn't look like obviously readable English but we know that it's using English letters: it may be a simple substitution cipher, and quipqiup is really, really great at handling those. So I went to quipqiup.com and I'd submit this and see if it would work, and it tries its darndest, but it just didn't get it. When I was looking at it, it would have a couple letters that might have been correct, maybe, but it also had a lot of question marks and things like, hey, I just don't know exactly what I'm looking at. It couldn't track it down, so that was not the right route, and I was banging my head against the wall trying to get that right. I want to showcase the thought process of the things that I'm trying when I'm encountering this thing that I don't know what it is.

My other thought was that, okay, still English letters, maybe this is another classic cipher thing, maybe a Beaufort cipher or a Vigenère cipher (I never pronounce that right and the internet yells at me). So I would search for Vigenère cipher and I'd throw this into just dcode.fr, that's kind of a simple cheesy one. I think MyGeocachingProfile, that's a website that also does a good job here. And I would try, like, okay, knowing a key... I don't know a key. This thing was labeled Jabberwock when I looked at it, so maybe "jabberwocky" is what we just supply here, and I could specify decrypt, but that didn't seem to get anything when I was just clicking around in here. I just let it try to do an automatic decryption and see if it could figure anything out, and suddenly I noticed that it did figure out a key on its own. It said "thealphabetcipher"; it's kind of hard to read there, but that is the key that it seemed to use. If I paste that in, I wonder if it'll get it just right. Yeah, yeah, yeah, and that reads it out totally fine. It says "'Twas brillig, and the slithy toves did gyre and gimble in the wabe." I don't know what any of that might be, but at the end here it says your secret is "beware the jabberwock". All right, so let's save this, just have a copy of it. I'm just going to say decoded_jabberwock, and because there are a lot of moving pieces and parts of this room we could probably get started with a little README or whatever: found port 9227 to be the real service, received cipher, that was Vigenère cipher (I can type it), with key thealphabetcipher, and got secret "beware the jabberwock". There we go.

Okay, so if we needed to actually interact with that SSH service and supply that secret, maybe that will work better for us. Now connect to it and there it is. Okay, so "enter secret", I'll paste that in, Shift+Ctrl+V, and we get a response: jabberwock, faces a glow affectionate rocked. Now for some of you that have already worked through this room or you've tried to take a look at this, I will tell you that this changes: the port that you will find this little puzzle on, and the secret you'll have to supply, does change, and that can be really, really frustrating, especially as you do some of the later parts in this machine. So we've got some credentials, but consider these kind of temporary. But with that said, now we might be able to connect to just a regular SSH port with this credential, jabberwock with his password. And I copied that, connect to it, slap that in, and there we go. Okay, we've got access to the box, temporarily, right? Let's check out what we've got in here. We have a user.txt. user.txt, great. This key looks to be reversed, because you can see the "mht" or "thm" backwards, so you could pretty easily correct that with just rev, piping it to rev, and now you've got the proper key, and that's what you would go ahead and submit for this here.

Okay, so now we would like to do some regular enumeration, right? We can sudo -l. Looks like the jabberwock can reboot the server. Cool, that's kind of interesting and peculiar. There are obviously some other files in here, poem.txt, and that looks like the exact same poem that we saw when we connected. So what is this twas brillig script in here? Oh, it just walls the poem to everyone that's logged in. That's really funny, cool. But it's a shell script, right? That's kind of interesting, that it's just in his home directory, that there's a shell script that will seemingly do stuff. Why would this be here? We can do some other enumeration to find out. To speed that up, I will just fire up Quake so I can use some of my cheesy poor man's pentest and like upload... actually, you know what, let's get pwncat in here, because people always tell me that they'd like to see some pwncat. So I added a simple pwncat.sh script in my poor man's pentest sort of functionality here, just so I have a quick and easy trigger to activate that. Working directory: it's going to put me in my cloned repository of pwncat and activate my virtual environment, and then go ahead and run pwncat listening on a given port with an rc file. So I will then just run a simple reverse shell with bash, and that should work. So let me try and see if I can get that to work. pwncat.sh, we've fired that up, and that failed; we probably didn't have enough time to get it. There we go, now pwncat's up and running. I'll zoom that in and I'll make this a dark text background so we can kind of make sense of where we are. Does he actually ever get a hostname? Oh, it's backgrounded, let me foreground that command. I've been trying to figure out what I could do to like spawn a reverse shell and then continue the operation in that original shell. It's weird to do that, because obviously, if you wanted a pwncat shell or session, you would just start off with that, and pwncat I think can SSH, but I've been having some funky issues with it. I might just not have the proper libraries or things needed. But okay, we're jabberwock, there we go.

Okay, let's go ahead and switch to our local prompt here and let's upload a local file. I have linpeas stored in my opt directory, so let's upload that, linpeas.sh, there we go. We'll zoom in on that; it kind of screws up in that little uploader, but now if I hop back to jabberwock, we do have a linpeas.sh file. So let's go ahead and run linpeas. You could do enumeration just with pwncat itself; pwncat has an enum functionality that is meant to do a lot of the enumeration that linpeas already does, and still be smart about it and use it with its own privilege escalation techniques and other interesting things. It's slow on a target, but I can show you: like, okay, if you do enum --show -a or something, it'll start to enumerate things. But this might take a while, especially when you're going through whatever VPN connection, and it'll start to look for stuff. If I give it a little bit more time, without boring you too much, it will, like, okay, look for crontabs, and there we go, look for setuids and capabilities, etc., etc. But it won't show you at all until it's kind of done, which isn't an issue, but there should be some other stuff that we want to do. So that's a thing. Let me stop it. Okay, there, I lost that pwncat. Let's do that one more time; we'll just connect to it again. There we go, maybe I was too quick. Okay, and now he's going to make his connection running in /bin/bash, and let's make that dark. Cool, okay, back in jabberwock. Let's go back to his home directory. We already put linpeas there, so let me just run linpeas. I'm sorry for beating around the bush, let's speed that up. Here we go, linpeas might take a while to run also, but looks like we have an old sudo version; maybe we could kind of abuse that. What do we got? CPU, environment, nothing particularly stands out. linpeas does a really good job of like color-coding the stuff that's interesting. Oh, and that just died. Oh, you know what, that's probably because of all of the listening ports, and netstat will return that. So let's just do it through the SSH session, I'm sorry. Let's capture that, save that output. We're taking our time here, guys; there's a lot to unpack here.

Okay, what is this? What section is this? This is a crontab, it's the cron jobs. So looking through everything that we saw earlier, we have some interesting software: lxc is in here for containers, that's kind of peculiar, and we have a compiler; maybe that will come in handy at some point for some reason. Binary processes running, ps. Looking at cron jobs, a lot of these look as they should, but one down below has an interesting note here: upon reboot, the tweedledum user will run that twas brillig script. Oh, and we have control over that, because that's in our home directory. Okay, so that way we could at least move into that tweedledum user, because we can control that code, and maybe we can make it come back to us. That's a thought. Let me keep looking through this before we forget to, and there's a lot here. Obviously nothing immediately stands out with the color coding. Oh gosh, and all of these netstat entries, all the listening ports. Let me turn on the scroll bar and zoom right on past all of that output. Holy cow, that's a lot. Okay, okay, that's enough. Are we done yet? Oh my gosh, okay, we're at the end. There we go. My user is jabberwock, as we know, no PGP keys. I'll see sudo -l output, linpeas.sh. Oh, this is like an error, and I've seen this a little bit in linpeas; it's weird, it trips up on the sudoers.d README file, and I don't know why. But it's actually, I think, kind of a good thing, because it reminds me to go check out that directory, where some things might be able to hide, so I'll take a look at some of those if I can. I guess users with console: there are a lot of users. We have humptydumpty, tweedledee and tweedledum, of course, tryhackme user, and alice, sorry, I almost forgot about alice. A lot of users to work through, oh boy, we are in for a treat. Okay, alice seems to be logged in, that's funky, and tryhackme is logged in. Wait, is that last logins? Yeah, yeah, yeah, okay, so some time ago. And almost done, I swear, I know this is like probably the most boring thing for you. No seemingly weird setuid binaries, at least right now. Remember, when we're running linpeas, we're only running it from the perspective, the vantage point, of our current user, so jabberwock doesn't have a whole lot that he can do, seemingly, other than his reboot. He can sudo reboot, he can actually reboot the box, and we know that cron job will fire off as the tweedledee or tweedledum user, whichever one that was, that would actually execute code that he has control over. Okay, so that's fine.

Now that we have that game plan, remember sudo -l. Oh, and before I forget, I do want to check out sudoers.d. I can get in there and we can cat out the README file. I can't cat out the README file. Can I cat out myself? No. Can I cat out alice? Whoa, I can cat out alice. alice, ssalg-gnikool, that's "looking glass" backwards, oh, and that must be specifying it for the host, and alice can just run /bin/bash as root. Okay, so it looks like alice is like the keys to the kingdom, right? If we get into alice, we're good. Peculiar. Okay, okay, good to know. What else did we have in there? We had tweedles; tweedles, can I read those? Nope, I can't. Whatever. Let's get back to our mission here: to modify our twas brillig and go ahead and get a connection back as the tweedledum or tweedledee user. Before I do that, I know this is going to come back to bite me, because as I said, it will change, like, the port that you connect to and the password, specifically for this jabberwock user. So before I go crazy, let me try and make another SSH connection to this machine, jabberwock at this thing. Well, I'm going to have to reboot it, so that wouldn't work either. Gosh, I hate this gimmick; you're killing me with this gimmick. Is that password still there? Is that still the right password currently, or did it change on me? Because I know it does. Okay, good, that still works.

Regardless, we need to modify our twas brillig script. So let me just have pwncat listen on a specific port, and I'll slap that in with my current address, and 21564 will be the port that we use. Okay, so we could just run that upon reboot, and since we can reboot, it will work. So let me spin this up, make that black, and let that listen. And let's just remove this session, because we're going to have to reboot the box, which is a weird, sensitive thing to do. And let's ping him, actually, sorry, let's reboot first: sudo reboot, and it requires no password. He's doing it now. Let's start to ping, and in a little bit we should see our pings come back online, and we should see a connection from our listener. I realize this output's really, really wonky because I zoomed in, so I'm sorry about that, but you can still see rich with its nice little loading bar; that's kind of nice and fancy. All right, I will pause just a moment and see when this comes back online. Oh, okay, there are pings, and we've got our connection. Okay, great, pwncat's running in /bin/bash, setting up our prompt, and we are the tweedledum user.

All right, where are we? We are just in the root directory. Let's go home, and we have humptydumpty.txt and poem.txt. Let's check out poem.txt: "Tweedledee and Tweedledum agreed to have a battle." Oh, this is just another silly poem from like Alice in Wonderland stuff. humptydumpty, let's see what that has. humptydumpty, that looks like just hex nonsense. Are these hashes? How long are these? echo that into wc -c: 65. Okay, well, no, because that's not including... oh, that is including the newline, so maybe that's a hash. Whatever, let's cat that again. Oh, this one's funky; this looks like ASCII, or like the sheer amount of sixes and sevens makes me think that this is just going to be like actual English hex stuff. That's a real thing. Let me try that. Let me cat humptydumpty again and let me xxd -r -p to like unhexlify all that. So the top stuff is nonsense, but the bottom part is a password. The password is that thing, and what is it a password for? Is that a password for humptydumpty, or myself? Can I sudo -l? Oh, I can get into tweedledee, because I'm tweedledum right now, no password, bash. Okay, so we have two things going. Let me just jot this down: humptydumpty's password, maybe, or whatever; we found that in humptydumpty.txt. Let me see if I can get into tweedledee, so I'll sudo -u to specify that user, and then I'll run that, /bin/bash, and there I am. Okay, I'm tweedledee. Can I do anything interesting as tweedledee? I can get right back into tweedledum. Okay, what's in their home directory? Oh, it doesn't think that that's set right now, so I'll have to go to /home/tweedledee; tweedledee, that's the current user that I am, and we have humptydumpty and poem.txt, the exact same, literally identical to tweedledum. Fantastic, useless, great. Let me exit out of that, let me go back to tweedledum, and let me try that humptydumpty password. Can I su to humptydumpty? Try this password. Yes, okay, cool, so that gets you in as humptydumpty. And tweedledee and tweedledum might have been able to like see more in the file system; maybe they had access to some setuid binaries or setgid stuff, so they would be worthwhile to run linpeas on as well. But we could do it as humptydumpty just as easily. Can I SSH into humptydumpty, because I have his password, right? Like ssh humptydumpty@, gosh, why do I always lose this IP address every single time? We slap that in this location, and his password. No, very weird. I have his password, but I guess, wait, is that public key? That's a public key. Am I just not allowed to log in with a password as him? No, it's just permission denied. Okay, whatever. Let me set my prompt back to fancy.

What can humptydumpty run as root? Did I check that already? We have his password. humptydumpty may not run sudo. Okay, what was in his home directory? poetry, poetry.txt. Oh gosh, what is this? "You seem very clever at explaining words, sir," said Alice. Okay, Alice is in play, and then Jabberwocky, let's hear it. Is there going to be like steganography in here? Is there going to be like something funky and weird? I could download this. Let me download poetry.txt. There we go. Where am I? Oh, I'm just in the home directory, or in the repository of pwncat, whoops. I guess that makes sense. Right, there's no like extra tabs or spaces in here. I don't know what that could be. Whatever, okay, maybe that's a lost cause. Okay, so enough acting at this point. I was stuck on the humptydumpty user for so long; I could not track down what the heck to do while I was just bumping around the file system. Like, I would run linpeas again, I would run LinEnum again. When I went back to take a look at the users, and to see like, oh, would I be able to actually move into any of these other directories? It was weird to me, because I could tell that jabberwock was able to be accessed from like everyone, because linpeas and LinEnum would always see files within jabberwock, and it would know that I could see them, and that was just weird. So I took a look in the home directory and I noticed a really weird thing, where alice, this other user alice, has her home directory executable by everyone. So when a directory is executable, that means you can actually move into it, but if it's not readable you can't read anything in there, which is really weird and funky. So I would try to move into alice, and I could be there, but I couldn't actually read anything in there; I couldn't see any files.

But a weird leap of faith, weird thought, and it took me forever to frigging come to this, and I owe all the shout-outs and kudos to the people that were like helping me kind of bump ideas back and forth: if we're looking into their home directory and SSH is a thing, maybe we can access that .ssh id_rsa, or their private key. So I thought, let's go ahead and try inside her home directory; let's check to see if we can see her private key, and we can. Okay, if I like try and ls this, it's a thing. I can ls -l this. Apparently that private key is just owned by me, owned by humptydumpty, because I thought like, well, why did I not see that, or was there a reason I couldn't see that as jabberwock or as tweedledee or tweedledum? And tweedledee and tweedledum were like a weird rabbit hole in themselves, because they could just circle back into each other with their sudo privileges. But alice's SSH key is apparently just owned by humptydumpty; it's owned by this current user. So regardless, we have a private key. I'm scrolling up way too high, so let's grab this. Let me just slap that into like an alice_idrsa file, and then let's hop on over to this Looking Glass directory and let's ssh -i alice_idrsa alice@ the IP address and see if we can log in. Oh, I need to mark that as ours and ours alone, so chmod 600, try it again, boom, now we're alice.

Okay, so we got that user, and we remember with some of our previous enumeration, if you were to check out that sudoers directory, alice has her own file that, once again, for some reason we could read. So alice just seems to have weird permissions. But note, like, if I were to try and sudo -l, it would need a password, and that wouldn't work, so I wouldn't be able to see that with sudo -l, because I don't know alice's password. But we were able to find it and see it within /etc/sudoers.d and that alice file. Weird gimmick, though: they set this issue where you are using a different hostname for sudo rather than it would normally be. So if I were to sudo bash, it would need a password, so it's not triggering this NOPASSWD setting, because we aren't at the right hostname. Right now we're at looking glass, and not looking glass backwards, or that mirror, right, the reverse of it. So what do I do here? How can I fake the hostname? I tried to Google this a little bit. I was like, sudo fake hostname, and how to change the hostname. These are all things you could do with like modifying /etc/hosts or /etc/hostname, and I tried to see like, okay, can I actually modify that file? I have permission denied on reading or writing on that, and that didn't work. sudo command, trying to search for hostname, set a hostname, hostnamectl, I couldn't modify hosts, same thing, and set-hostname, still unwritable; that would not work. And I'd have to reboot, right, and I don't know if that change would actually take effect. So I would do a lot of research for this, and it took me a little bit, but then the answer kind of came to me: sudo with different hostname. I'll look through some of my previous research to see where the solution actually popped up. I think it's here. Yeah, yeah, yeah, it's right here: the sudo command can actually take a hostname parameter, so you can just straight up specify that. Like, you don't need to do any hardcore or crazy things to modify, like, the real legitimate machine hostname; you can just simply sudo -h and that looking glass in reverse, and then try and run /bin/bash, and there you go, you're root. That's it, now you've rooted the box, right? cat root.txt, there we go, rev that again for that nice gimmick, and you could slap that in and get your points.

So that was that interesting room. Interesting things here: what is this, the end file? I don't think I actually took a look at some of these. Nice, I like the Alice in Wonderland theme, I thought that was very cool, kind of fun and clever. What are these passwords that we've got here? passGenerator, oh, as you can probably see, like how jabberwock had his password reset or changed. For some of you that might have been struggling with that, I know I was when I was going through it: passwords.sh, yeah, passGenerator to TryHackMe password, and they would just apply it to jabberwock. Gosh dang, so weird things, right? Let me explore a little bit more and kind of showcase this, if you're totally cool with it. I know we're on a long video and it's going to be even longer. alice, I noticed that she has that weird directory, and I was so confused why I couldn't read that, or why couldn't anyone else read that id_rsa key, any other users? So moving into alice's home directory, oh, she has a kitten file, I never showcased that, whatever. But her .ssh directory is still executable; people can move into that, and this id_rsa is owned by humptydumpty. Very weird, interesting misconfiguration. So I was thinking, like, how could I have ever remembered or thought or made myself actually see that leap of faith, or be able to take that and know to go there, other than, oh, I see that alice's home directory is very weird with an executable bit on it? That tipped me off to it, but how do I make sure that I will catch that in the future? So let me deviate and actually go back to some pwncat stuff, just because I want to be able to know how to make this better and make me smarter. So for those of you that just wanted the walkthrough for this room, that's the end of the video. I hope you guys enjoyed. I think there were really interesting and cool tricks for rooting this box, and some fascinating gimmicks and stuff to stumble on and trip over, but I hope you enjoyed and I hope you learned a thing or two. That sudo -h trick is kind of neat. Okay, to seeing how we could smartly determine alice's private key, I go to pwncat, right, because this is how we're trying to weaponize or automate some Linux red team operations or things, and how can we track down this private key
so if you take a look at pwncat.readthedocs punkcat is a labor of love project that i've been working on with my with my good friend caleb stewart and it's on github if you have any interest in this tool github caleb stewart phonecap there you go you can play with it and tinker with it but we're trying to do some more interesting things with it because we might end up making it look like a little bit more of a metasploit methodology and trying to run some things or communicate with some things but uh poncat is supposed to smartly be able to understand the victim or the target or what you've connected to with that it could do enumeration it can automate privilege escalation for simple set uid or pseudo password stuff and it's also really just a great thing to have working alongside you for easy upload and download and transfer c2 x fill whatever there's a lot you can do with it because you can automate and script on the victim without ever being on it before and that's kind of neat so i had the thought because poncat has some enumeration like it will try to enumerate the same way that linp's will and it has different providers or types of things to enumerate and look for to to do that to actually make that happen so i would run enum tac t and if i tab complete you can see some of the things that it could look for look for file capabilities crontab f-stat maybe some kernel exploits that lin like i don't know the linux exploit suggester might show okay so the screen version or the process is running or the private keys or sudo set uid there's a lot of stuff it could look for and uncover and find the user private key is the original thing that you would see if you're actually still working with pwncad and you're tinkering with it uh let me actually show that and see if it can dig it up or track it down this user humpty dumpty does not have a private key right so let me uh start to let me ask you to alice and i'm kind of going off script here right now right like let me 
run that one more time my timing was probably just a little too quick make that black one more time so i'm running as alice right now once pwncat starts up and i can run that enumeration one more time so let me simply enum user private key to see what we've got and it hopefully would okay apparently just not find her private key or long nope not gonna show it fine that demo was useless incredible so let's look at what else we could do because i would just look for a private key that that user owns and since alice doesn't own her private key apparently maybe it's just not going to showcase what i wanted to do was i wanted to write something where you would look through all of the home directories and just check to see can you read that user's home directory the and their ssh private key is that going to exist will that work so i took a look at pwncat's code and i recommend you kind of doing this as well if you would like to tinker with it if you're interested in that sort of thing you can download clone the repository work with it but pwncat is nice in that its victim module has a lot of information already stored about what it's what it's really working with so there's a section here the victim object and you can simply search for like users and it actually has in the victim object an understanding of what users are available on the target return a list of users the local database cache if users has not been requested this will call victim reload users and reload users will search and find those and get all that info so i had a disconnect now let me just get a regular shell sorry cd get pwncat inside of ponecat source code obviously there's a poncat directory the enumerate directory has provider scripts and code that will work for an actual uh enumeration provider or a type or what you're actually looking for so there was originally private key and i'll show you this private key would work with a function enumerate that will do the thing that you are trying to 
automate and it will store and return and keep track of all the information that it finds as what are known as facts and this is a private key fact so what this would do is it would look with grep to see anything that looks like a private key that has that syntax in common directories like home etc and it would run stat on them and stats pretty nice because it's actually like i don't know is stat pretty well known or is that's not a built-in what is okay yeah it's a binary but it's pretty common just about everywhere so we would read all this information out and then it would grab like by running this command stat on a specific file i cre i tested this locally on a syslog account so i would stat home syslog dot ssh id rsa and it would tell me okay that user that owns it and the path there those are the format specifiers uh that these arguments are being used for so that's how that original one worked it would grab the uid of the user and the path so the path would then be enumerated and returned as a fact and it would return with this private key object they're kind of to denote that and i thought like let's tinker with this let's recreate this let's have another private keys enumeration file that will do stuff not just looking in these directories but trying to check in every single user's home directory what their actual uh ssh key like permissions and privileges are can we read that private key just by looking at all those home directories and seeing if we can just cat that out maybe a little brute force so i wrote that and it's just a slight tweak to what this code already does what i would do is i would look through the username and user data in this victim user's dictionary because it'll have a username and then the user object that actually has some information and there's a home directory property inside of that user data object so what i would do for every single username i would stat all of this out and see if in their home directory i could read their 
ssh id rsa and to just read it as we did previously and append that to a list where i'm grabbing the username uidpath i added the username as an element here so when it's read out into the source and displayed to you you can work with it just fine and then we try and import the private key to make sure it's a real thing but read all the content as we need to so that's a thought uh this can be made better and i still need to do this by combining the stat command into just one stat command that will be a lot faster and uh let me let me can i try that i really want to let me all right let's let's go into uh unknown territory here let's grab the user data home for each of these in a list oh and i want yeah user data home dir i don't i don't ever use this variable that's funny so stat or no no no it's going to be user data home data for each of those so let's just say a space to join all of those because that's going to take the place of stat here because you can supply multiple can you not um it's at rehosts i guess there you go okay yeah so just as another argument in there so we're putting all those together as priv keys and then we don't need this loop anymore and we can stat f priv keys so now we'll have a list joined together of all the user home directories for the usernames that it finds um and we actually don't even really need that oh no now we don't have the username if i specify the uid let's just do uid and then we won't need to specify oh do we ever even use that we did not i removed uid sorry i'm just again this is the disclaimer of me going into unknown territory is that i will uh self.uid which is passed good and we'll stat all of those private keys and we'll read them all so that might be a little bit faster so it's just one command ran rather than multiple and this could obviously be made even faster by only looking for files or only looking for users that have an actual shell that they'll interact with because obviously if you're looking at like root 
users sys log games or mail that's not or nobody that's not going to have an actual thing to ssh into so that would be a waste of time to to look for but maybe that will work so okay anyway that's how i've been reading and just getting that data by looking in their home directory and dot ssh id rsa and we can make that a little bit faster but the idea would be to have this utility so that uh let me get a su humpty dumpty let me kill this let me kill this let me kill this oh okay let's just fire up phone cat with humpty dumpty one more time there we go he's initializing and because i've saved that script and it's using a local uh virtual environment that i had created it should have those changes so i should be able to show you that black and we're humpty dumpty okay so let me flush my numeration so far because i don't want the stuff that's stored in the database to showcase it obviously you just want to simply be able to run a showcase everything like tacs for show and take a to show me all the information that you can find but as i showcased earlier that takes a long time so please bear with me uh because i'm just gonna do some suspended disbelief obviously if you're doing this for real you want to just run all and just keep doing your manual enumeration your manual interaction later in a different terminal or somehow and you would just let that run you'd let that go to see what information it can find for you in this case let me just use a specific type of enumeration we'll use the one that we just wrote which is system users dot private key and let's see if it could find alice's or that that other the the private key for alice that it found yeah yeah yeah okay perfect so it found a potential private key for that uid which we know is is owned by humpty dumpty so that's actually going to be humpty dumpty's we should we should keep track of that username in the code but we know that that's a thing and it was able to find it so if we actually just run tac tac long 
it'll just give it'll poop out that rsa private key that's it so i'm trying we're trying to figure out how we can automate some of those things even when we're doing this sort of thing because the methodology and mentality behind katana and phone cat and our other projects is to remind us and do the things that we would otherwise forget to do especially just checking a directory you wouldn't expect as a user to see something that will really really help you but okay wow that was a lot of me talking i'm really sorry for all that nonsense but i hope you enjoyed that little deep dive into pwncad on what you could do to also write and explore some of the enumeration modules and scripts and code and stuff that you can do let's exit out of that let's submit our route and let's get our points for looking glass wow let's end the video guys we've been talking for a while hey thank you so so much for watching i know this was a long long video and we got into maybe some rabbit holes that we didn't need to get into but i wanted to showcase everything for you i want you to be able to kind of see hey what i'm what i'm doing what my thought process is and what uh i don't know maybe that that might help you so alrighty thanks everybody i love you if you did like this video please do press that like button please leave a comment please do hit that subscribe button the bell whatever you'd like to do i'm really really grateful hope you enjoyed this video i'll see you in the next one take care [Music] with
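As an added, defender-side example that is not code from the video or from the pwncat project: a Python audit that walks the login users' home directories the way the module above does, but reports the conditions that made Alice's key findable on this box (a home directory others can traverse, an id_rsa owned by a different account, or one readable by group/others). `collect()` reads the live system; the users, uids and modes in `SAMPLE` are constructed to mirror the box.

```python
# Added example (not from the video or pwncat): audit users' ~/.ssh/id_rsa for Looking Glass-style issues.
import os
import pwd
import stat
from typing import List, NamedTuple

class KeyRecord(NamedTuple):
    user: str
    home_uid: int   # owner of the home directory
    home_mode: int  # permission bits of the home directory
    key_uid: int    # owner of ~/.ssh/id_rsa
    key_mode: int   # permission bits of ~/.ssh/id_rsa

def findings(rec: KeyRecord) -> List[str]:
    """Problems with this user's key; an empty list means it looks sane."""
    problems = []
    if rec.home_mode & stat.S_IXOTH:
        problems.append("home directory traversable by others")
    if rec.key_uid != rec.home_uid:
        problems.append("id_rsa owned by a different uid than the home directory")
    if rec.key_mode & (stat.S_IRGRP | stat.S_IROTH):
        problems.append("id_rsa readable by group or others")
    return problems

def collect(min_uid: int = 1000) -> List[KeyRecord]:
    """Stat the home dir and id_rsa of accounts with a login shell; system accounts are skipped."""
    records = []
    for pw in pwd.getpwall():
        if pw.pw_uid < min_uid or pw.pw_shell.endswith(("nologin", "false")):
            continue
        try:
            home_st = os.stat(pw.pw_dir)
            key_st = os.stat(os.path.join(pw.pw_dir, ".ssh", "id_rsa"))
        except OSError:
            continue  # no home directory or no key: nothing to audit
        records.append(KeyRecord(pw.pw_name, home_st.st_uid, stat.S_IMODE(home_st.st_mode),
                                 key_st.st_uid, stat.S_IMODE(key_st.st_mode)))
    return records

# Constructed sample mirroring the box (uids made up): alice's home is traversable by
# others and her id_rsa belongs to another uid (humptydumpty); bob is a clean baseline.
SAMPLE = [
    KeyRecord("alice", home_uid=1001, home_mode=0o751, key_uid=1002, key_mode=0o600),
    KeyRecord("bob", home_uid=1003, home_mode=0o750, key_uid=1003, key_mode=0o600),
]

if __name__ == "__main__":
    for rec in SAMPLE + collect():
        for problem in findings(rec):
            print(f"{rec.user}: {problem}")
```

Run as root on a host to cover every account; as an unprivileged user it only reports keys whose metadata you can already stat, which is itself the exposure the video stumbles on.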
Info
Channel: John Hammond
Views: 66,356
Id: Wqvy1qGOAVA
Length: 59min 28sec (3568 seconds)
Published: Fri Aug 21 2020