TryHackMe RootMe - Walkthrough | CTF For Beginners

Captions
Hey, how's it going, everybody? Uh, this is Antoine Matthews, and today we're going to do something a little different. If you listen to the podcast, if you follow me on LinkedIn, you know that I'm a huge advocate of TryHackMe, so today I wanted to show everybody what the platform looks like and actually go through a room with you. This room right here is something very simple, for beginners. The name of it is called RootMe, and it even says right here in the description: "A CTF for beginners, can you root me?"

So this is what the platform looks like when you actually do get into the room. Uh, right here, this is my AttackBox. So, uh, with my subscription I'm able to, um, you know, log in, and this is giving me an IP address. So this is essentially like my computer; this is the computer that I'm going to be using to attack the, um, the target with. So this is my IP address. Okay, so then I scroll down so we can actually start the, um, the box. So right here, once again, it'll tell you the title is RootMe. This is the target machine IP address, so this is the box that we're going to be trying to get root on; this is the box we're going to be breaking into. Uh, right here it'll let you know how much time you have, and as you can see, I already completed this, but I want to, um, walk through it so I can show you how we can accomplish some of these goals.

Okay, so let's go ahead and go and click task one. So, deploy the machine. Uh, we've already deployed the machine, that's what this was. Um, if you did want to use your own, uh, version of, like, uh, Kali, if you have it on, like, VMware or something like that, you can go ahead and open up, you know, your VM and get started that way. It'll download a file for you and you can go ahead and get that started. So this is already finished.

Um, let's move into task two, reconnaissance. So for this box, let's see what the very first thing is. It says: first, let's get information about the target. Scan the machine; how many ports are open? So I have this open up over here, or actually, let's go
ahead and refresh this, get this started up, and let's go ahead and hop into our terminal. So the first thing we want to do is scan using Nmap, and I'll do a SYN scan, tack lowercase s, higher case S. Uh, and this, I'll use A, it's not a, this is for everything; you, you get a lot of information when you put A. For me, I don't... sometimes Nmap can take a long time for scans, so I'll put T5. Um, typically in a real, um, in a real engagement you don't want to do this, because that can raise all kinds of alarms for, like, firewalls and IDSes. You don't want to, you know, let everybody know "I'm on your system going through stuff." So, but in this case it's just a game, you know, it's the platform, so for practice purposes this is perfectly fine. Um, and the last thing we want to do is put the actual IP address, so I believe it's ten ten one six one eight eight. Let's go back and verify that: one six one eight, yeah, that's it. So let's go ahead and push enter.

Yeah, so typically this shouldn't take too long, um, just because I don't believe this box had too many ports open. See, look, it already came back for us, right? So let's go ahead and make this a little bigger. So this is the report from our Nmap scan. So you can see the command that we put in here at the top, letting them know what we wanted to do. Uh, so this says ports, so this is, port 22 is open, port 80 is open. Those are the only ports. So as you can see right here, "scan the machine, how many ports are open?", we have two ports. Correct answer, right?

Then it says, what version of Apache is running? So let's go back and let's check this out. So, um, let's find Apache. Oh look, so look, under port 80, tcp, open, http, we have Apache, and this is going to tell you the version right here. Let me highlight it for you. So that's our version. Boom, we put the version right here. What service is running on port 22?
It's typically always SSH, but, you know, let's just confirm that. Port 22, service, ssh, right? So that's three answers already done.

Then it says: find directories on the web server using the Gobuster tool. So Gobuster is an awesome tool. Gobuster, you can go through, like, an HTTP and find out what directories might be hidden. So first let me just show you how this works. You can go gobuster tack help, or, let's play, right, help. Look, and this will show you some of the commands, right? So this is cool. So it'll show you the usage, like, you type in gobuster, then the command. It lets you know what the available commands are, there's quite a few, and then the flags; these are additions that you can add on to get more detailed information.

So for ours, we need to, um, find the directories that may be on our attack, or our target, right? So let's go ahead and type in gobuster, then we're trying to search for directories. Actually, you know what, because we're going to need a wordlist, right? So I always use the same wordlist. So what we want to do is locate some, some pretty good wordlists for us to toss out there. So, go locate, I like big.txt, and if you have Kali Linux, this wordlist is already on your distribution; it should already be there. So this is the wordlist that we're going to be using to see what hidden directories may be on this, um, on this HTTP, or on the web server.

Okay, so let's go ahead and type in gobuster, dir, because we're doing directories, right? Then we're going to type in u for URL, and then we'll type in http, slash, 10 10 1 6 1
eight. So that's, that's correct, right? That looks good to you guys? And then, look, so for the wordlist string it's tack w, so put tack w, and then we're gonna input the directory, or the path to the directory. Okay, so, /usr/share, and then just push enter. Boom.

So look, this, this thing moves fast, right? So this is the command that we put in. So we say: gobuster, we need to look for directories at this URL, or this IP address, and we want to use this wordlist to, to see if these are the directories. So what Gobuster did is it used, like, a huge wordlist and essentially threw these words on the end of the HTTP, at the end of the address. So these are some of the files we were able to find, or not files, but directories. So this is one, this is one. The one that we want, that looks interesting, is actually panel. Panel looks pretty cool. So let's go ahead and go back and see what they needed us to do. So we got that, the hidden... look, it said, what is the hidden directory? Panel.

So let's go ahead and, first, let's open, I'll show you guys, let's go here, let's launch Firefox. Let's type in 10 10.
Look, it's already right there, right? Let's make this a little bigger. I should scoot it over. Why is it still loading? All right, cool. So look, now what we're going to do is type in panel at the end of this. Oh look, people, what did they let us do now? Where are the places where we can actually upload a file. This is cool, this is super cool. So I'm gonna show you guys how to do some stuff, right?

So look, let's go in to the next task, getting a shell. So it says: find a form to upload, so "a form", keyword, right, find a form to upload and get a reverse shell, and find the flag. So I already did this, like I told you before, so I think the file that I already have, already modified and changed the name for it, but, um, we'll still pull it up. Let's open up a new, whatever you say, let's go ahead and push enter one of the times, boom, boom, boom. And then, so once again, when you have Kali Linux, your distribution comes with all these tools and all these files, because the purpose of it is for penetration testing, right? So I know that there's already a file on here that are, that, that you can load for, um, reverse shells. So let's go type in locate, I do reverse shell, enter. So boom, look, this is what we get. Hey, this is it.

So when we do this, this is the form. Remember I said form, that's, that was important. Form, and we can upload, so we could upload this, this file. So what I'm gonna show you is two different things. Let's try to upload it first. Let's open it up. So for you to open this up, um, because we're gonna have to make edits to it, let's go ahead and put nano. That's like a, um, like an editor too. So type in share with php, boom. Oh, did I already change it to five? Let's go and see if this opens. All right, so look, let's close this out. I already changed the, the format to five, so unfortunately I can't, actually I can't show you how to... let me just do it this way. Put five at the end of it. When I first got the file it didn't have the .php, .php5; we had to do that so that it uploaded correctly into the, um, that it loaded correctly into
this area right here and it was actually executable. So I kind of skipped a step, I apologize for that.

So once you open up your, um, your PHP file or form, what you need to do is, it'll say it on here, it says "change this", right? So if you notice this IP, it says IP right here, this is the IP address of my attack machine. So you can see it right here, right? So root at IP 10 10 2 18 10. This is me, this is me. Because when I upload this, this is a reverse shell; I want wherever I upload this form to, I want them to communicate back to me. So if I want them to communicate back to me, I have to let them know what my IP address is. Then you have to do the same thing for port; like, it just says "change this" port. So you can pick any port that you want, but you have to make sure that you, you know, put something in here. Me, I put nine nine nine nine, so that's four nines. So this is the port that I'm going to be communicating with my shell, going back and forth. Okay, so let me go and close this out, because we don't need this right here.

So, all right, cool. So we got that portion taken care of, now we have that all set up. Now we can go here, we'll go browse our files, and as you can see I already have us pointed at the directory where we need to be at. Let's go ahead and push upload. Boom, green! We got, we got business, baby. Look, we're in here. So now that we have this, this is important, because now you have it here, you got to figure out how are you going to actually get to that file to start this reverse shell. So let's see if we answered the question or not. So we didn't answer the question; we have to do some more steps.

Now that we got here, let's go back to our Gobuster tool and see what other, uh, hidden, hidden directories they may have had. So we have js, css, server, uploads. Look, uploads! We just uploaded this, right? So let's go ahead and check this out. Let's see, if we push uploads, what happens. Uploads, hey! So check it out, so our file that we uploaded, it made it into this directory. So it's right here, this is the one that
we uploaded.

In order to get this shell, the reverse, um, shell started, we have to open up Netcat so that we can set up our listener. So we'll type in nc tack nlvp, and then we'll put in that same port that we said we wanted to communicate over, right? So that, what was that, nine nine nine nine, and then push enter. And this is listening, so that means it's waiting for communication. It's saying, "Hey look, I'm here, I'm here, I'm here, what do you wanna do? Um, somebody talk to me." So we're gonna go back here and let's activate this. Look, oh, we executed! Did you see what just happened? That was fire. That's when we get excited. So look, something happened, we got our shell now. Now we got our shell, that means that we're actually on this, um, we're on our target machine. We got it.

So now we can go ahead and, um, see what exactly we needed to do for this question. So it said we have to find the user.txt. So how do you do that? So let's use find. So we'll put find, and then we'll put type f, so we're looking for a file, so type f equals file. Then we'll put the name, name user.txt, and then we also want to put two, /dev/null, and with the two, um, more than, /dev/null, what that does is essentially it makes that no error messages pop up when you're doing this, so it keeps everything clean for you, right? So let's go ahead and push enter. Hey, now look, you see this right here? It found the file for us.

So now that we found the file, let's go ahead and open this thing up so we can get the answer. So we'll put cat and then /var, hold on, there we go, var, I got a little too excited, w, user.txt, boom. Hey, now look, we found the flag, we got our flag. So now we got our first accomplishment, right? So THM, blah blah blah, you got the rest. So that's the same thing right here, and look, we got the right answer. So that's cool.

So now we've already deployed the machine, we did our recon with Nmap, we got the shell, and now we're about to escalate our privileges. Okay, so let's go ahead to task four, let's see what they want us to do. So now it
says: search for files with SUID permissions. So SUID permissions, that's what, that's the keyword here, okay, or the key terms. It says, which file is weird? So let's hop back in here. Then, in order for you to find SUID files, let's go ahead and type find again, and then what we want to do is type, type f, perm 4000, and then we'll do the same thing so we don't get any error messages, right? Let's see if this works. Cool, and it works.

So now we have to, let's look through these files, because it said anything weird, like, which file is weird. So let's see what it, looks out of place. You can just literally, like, just look through here. If you're, if you're familiar with, um, the file schemas and setups on Linux, then it'll be easier for you to actually go through here and see what stands out, and this one does. This is the python file, right? Look, like, this is, this is the one that stands out. It shouldn't, this isn't, like, usual. So we're able to take that, put it in here, and look, now we got our answer, right?

So on this one, I want to show you, I'm gonna actually click on it so you can see it. So it says, uh, find a form to escalate your privileges, and they give you a hint. So let's go ahead and type in, so it says search for GTFOBins. So this is something that's not on, um, it's not on TryHackMe. You could literally open up a new web page, so let's go ahead and do that, right? So we'll do here, and then we'll type in GTFOBins, boom, we'll go here. Then let's scroll down. So we're on our website, and look, we're, we're... that file said python, right? So let's go down to python. We got to keep scrolling. I know we love our alphabets, let's keep it going. So okay, look, so now we're on python, right, and we were looking for SUID files. It was SUID when we did that, so let's click on this, boom. You can read through this binary. So this is, this is what we need. This is the purpose: elevated privileges, maintain privileges. Escalate, maintain, back door, those are awesome words if you're an ethical hacker. So since on hack the box you're already
running sudo, what we want to do, we don't need this one, we just need to go ahead and take this file. So let's go ahead and, not this file, but what it says here, and I can't directly paste on here, I don't know why not, but what we're going to do is paste this at the top so that I can see what I need to type in. Okay, so let's go ahead and type in python, tack c, import os, boom, os.execl, then sh, sh. It's a lot. You don't want to mess this up, because when you're doing this stuff, if you don't have the, like, the text, like, 100 accurate, you get errors, and if you think that you had it correct, it could be forever before you figure this out. So I hope I did this right. Let me see, let's try this.

See, something went wrong. Let me go ahead, let's go back. Where did we go wrong? We typed in python, c, when we got our import os, os.exe, boom, see, look, right here, this is where we messed up. So let's see if we can do this again. Remember, I am not a pro, but I know what I'm talking about. So honestly, I think that there's an easier way for me to go back; I don't remember that exact command right now, but we're gonna rock with this way. Let's see if they let us do it this way, and if it don't, I'll just reactivate the shell, because it's easy and, like, I type faster. I see that this is, like, professional skill level right here. I'm in the hall of fame for typing. Nah, that's not gonna work.

So, um, let's do this. So I'm gonna activate my listener again, right? Once again, if you got an easier way to do your listener, or to go back when you make that error, go ahead and do it. In this case I don't remember mine, so I'm going to go ahead and do this. We got it activated again, right? So look, we're already in here, so all we have to do is type the command in correct this way. So let's take our time. It's python, c, import os, space, os, e-x-e-c-l, boom, and then, like, this really messed up last time, so now we gotta do quotes, right? Quotes, slash bin slash sh, sh, p, all right. And then let's just double check this, because I don't want to do this again.
So python, boom, os, and it looks good to y'all? It looks good to me. Let's see. Oh, okay, look, so now let's check this out, let's see who we are. So now that we, it went blank like this, right? So, who am I? Oh baby, look! So we got root. So that means we escalated our privileges. We're no longer just a regular user on this box; now we have the same permissions as the owner of the box, of the, the files and everything. So now we got free rein, we could do whatever we want on this machine if we want to.

So let's go back, because they had us doing something on here. Let's figure out what we needed to do. So now we have to find this file, right? So look, I showed you guys how to do this earlier. So let's do find, I'm going to type f for file, name, what did it say, root.txt, let's double check. And now we went and we at the finish line, we about to, we bout to go through it, baby, I'm talking about... sorry. Look, we got that set up, then let's do this, then we don't want any error messages coming back, because that's not how we rock. Boom. Okay, look, so now we found that file for us.

So now let's go ahead and open it up. Remember what command we use? What command we use, y'all? We use cat. Yeah, good job, good job. So we got cat, then we're just going to put in this directory path, root, root txt, boom. And then look, this is the answer right here. Privilege escalation. Then, this is how you have to set your passwords up for real. Y'all see all these funny letters and these characters? This is how you actually set your password up on a real, because that's how you stay secure.

So let's go back, boom, and look, we're done. We are done, everybody. We went through the whole box. We've done everything from our recon, so let's go real quick: I showed you how to use Nmap to see how many ports are open, to look for the versions of services, to see what services are running on particular ports. And we used Gobuster, um, went over some of the commands and flags that you can use for that, to find these hidden directories, because that's what it's for. We were able
to get shell, um, and finally we're able to go ahead and actually escalate our privileges so that we can maintain, remember?

So let's go back to this, because this is important. So when you, when you're doing, uh, um, engagement, it's very important that you try to escalate your privileges, remember, because you don't want to be just the average user. You don't want to, you want to be the administrator, you want to be the root if you're on a Linux system. You want to be the highest person with the most authority and permissions on that machine. So this is why escalation is, is important. Then maintain that privileged access, because you don't want to take all that time to, to get to the highest rank or highest level and then all of a sudden you lose some of your permissions for whatever reason. Then the final thing is the back door, because now that you have this ability to do that, you can go back into this machine whenever you want and still have that same access. And this is how companies get breached and hacked and they don't know what's going on, because people already had a stronghold in their systems.

So we just walked through this small CTF. This is TryHackMe again, you know, so everybody go and get a TryHackMe. I think they have a free subscription, I'm pretty sure they do. I use the paid model because I feel like there's a lot more benefits to it. Once again, we did RootMe today, and hey, this is Antoine Matthews. If you enjoyed this, if you learned something new, if you want to see me do more stuff like this so we can go through this process together and learn and, you know, teach each other, let me know. Go ahead and like, you know, subscribe, and tell me: are you on TryHackMe? You know, have you done any boxes lately? What's your goals, you know, in terms of getting your ethical hacking skills up? But what are you currently working on? Let me know. Once again, this is Antoine Matthews signing off. Thanks for tuning in.
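
Added example, not part of the video or of the TryHackMe room: a defender-side version of the `find ... perm 4000` step in the transcript, which lists SUID files and flags the ones that are script interpreters or shells, the misconfiguration the room is built around. The function names, the interpreter list and the demo tree are assumptions of this sketch.

```shell
#!/bin/sh
# Added example: audit SUID files and flag interpreters/shells.
# Assumed list for this sketch: basenames that should never carry the SUID bit.
RISKY_BASENAMES='python perl ruby php node lua sh bash dash zsh ksh'

# audit_suid ROOT
# Prints "<verdict><TAB><path>" for every SUID regular file under ROOT.
audit_suid() {
    root=${1:-/}
    # -perm -4000 matches any file that has the SUID bit set;
    # -xdev keeps the walk on one filesystem.
    find "$root" -xdev -type f -perm -4000 2>/dev/null |
    while IFS= read -r path; do
        # Drop a trailing version so python3.8 or perl5.30 compare as python/perl.
        base=$(basename "$path" | sed 's/[0-9.]*$//')
        verdict=ok
        for risky in $RISKY_BASENAMES; do
            if [ "$base" = "$risky" ]; then
                verdict=RISKY
                break
            fi
        done
        printf '%s\t%s\n' "$verdict" "$path"
    done
}

# count_risky ROOT
# Prints the number of RISKY findings (0 when there are none).
count_risky() {
    audit_suid "$1" | awk -F '\t' '$1 == "RISKY" { n++ } END { print n + 0 }'
}

# Constructed demo tree (empty files, not a real system):
# one ordinary SUID tool, one SUID interpreter, one non-SUID file.
demo=$(mktemp -d)
mkdir -p "$demo/usr/bin"
: > "$demo/usr/bin/passwd";    chmod 4755 "$demo/usr/bin/passwd"
: > "$demo/usr/bin/python3.8"; chmod 4755 "$demo/usr/bin/python3.8"
: > "$demo/usr/bin/ls";        chmod 0755 "$demo/usr/bin/ls"

audit_suid "$demo"
echo "risky SUID files: $(count_risky "$demo")"
```

On a real host, run `audit_suid /` as root; a RISKY line is a finding, and `chmod u-s` on that file removes the bit once you have confirmed nothing depends on it.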
Info
Channel: Antoine Matthews
Views: 6,063
Id: GPuEtR076_4
Length: 27min 43sec (1663 seconds)
Published: Thu Jul 01 2021