TryHackMe! Skynet - Wildcard Injection

Captions
Next Tuesday, GuidePoint Security is hosting yet another capture the flag event, all online, totally free. Anyone can access the game and play, and you absolutely should be there; I want to see you on the scoreboard. So the game starts February 16th, next Tuesday, at 8:00 a.m. Eastern time, and it runs a whole week; it'll close on Monday, February 22nd at 5 p.m. Eastern time. The first person to solve all the challenges, or whoever gets the most points, will win and take home a $100 gift card. There is one thing that I would like to emphasize though, and that is that this capture the flag event is different than the previous ones that GuidePoint Security has put on. Yes, the challenges will range from beginner to advanced in difficulty, but this time there will not be any walkthroughs for the challenges, so you'll have to do some critical thinking and problem solving the way that you always do as a real hacker. You can register online with the link in the description, and once you're set you'll be emailed your secret passphrase to be able to log into the game, access to the VPN, and you'll be off to the races once next Tuesday, February 16th, comes along. So I'm super excited for the game. GuidePoint Security has put out an incredible set of capture the flag events recently and I'm really looking forward to this one. I hope to see you on the scoreboard.

In this video I want to take a look at the Skynet room from TryHackMe. I am logged in on their website, connected to the VPN, and I have the room opened up in my web browser. Here you can see the description: a vulnerable Terminator-themed Linux machine. So I have joined the room and deployed the machine; I have the IP address ready here for us and we can go ahead and start to poke at this machine. I will hop over to my terminal, where all the good stuff happens, and I'll make a directory, skynet youtube, and inside of that directory I'll also make an nmap folder so we can kind of store our nmap scans and that logging in its own kind of custom designated location.
So I will go ahead and run nmap to scan the box. I'll use -v for verbose so that way I can see all the discovered ports as nmap finds them, I'll use -sC for default scripts, -sV to enumerate versions, -oN to output in an nmap format (I'll throw it in that nmap directory that I just created with the initial file name), and I'll slap in the IP address, or just paste that there. Now when we go ahead and run this we should see this nmap running off to the races. Looks like it discovered port 445, port 139, 110, 80, 143 and port 22. Okay, so we already have a lot of good stuff to work with. I'll wait for this nmap scan to finish, which it just did, so I will go ahead and open up those nmap scan results. We do of course see that port 22 for SSH; it is in fact an Ubuntu Linux machine that we are up against. Looks like it's running Apache for the web server on that port 80 here, and I can see references to skynet repeatedly; looks like that is the hostname or the computer name of this box. And it has seemingly a mail service up and running, that POP3 Dovecot on port 110 there. Of course there is SMB open on port 445, so that might have some interesting shares we could look through. But at this point I think we have enough to go off of if we could go ahead and enumerate those web services as well as the SMB or Samba share, because we won't have credentials off the bat to log in via SSH, but we can go ahead and explore.

So I will go ahead and start a Nikto scan along with a gobuster scan to kind of have some enumeration going on in the background for us. I'll get started with a gobuster scan in dir mode with a URL specified to attack, I'll paste in that IP address, and I'll use the -w argument to specify a word list. I will use the directory-list-lowercase-2.3-medium, which is the default that comes with DirBuster. So if I let that spin, I should be able to go explore this manually on my own. I'll hop over to that IP address in my web browser and it looks like I'm greeted
with sort of like a Skynet search engine. Looks a little bit like Google, but I don't seem to go anywhere when I search anything or click any of the buttons. I'll hit Ctrl+U to view the source in my web browser (you could have right-clicked and selected View Source), but there's nothing really interesting here; looks like this is just kind of flat HTML. I see just a CSS stylesheet, but of course that's going to be static, nothing particularly useful or interesting there. So I don't know where more we could go off of with just that. It looks like we did have some interesting results from our gobuster scan: I see /admin, css, js, config and ai. We can explore some of those. I'll go to /admin, but that looked like it got a 301, so it looks like it won't be able to access those things. css, same thing; js, same thing; ai, same thing. So not a lot of headway in that direction. We should keep in mind though that we focused specifically on the HTTP service right now on port 80. There was however another port open, and that was SMB, so we could explore that a little bit. Let me move down and explore with enum4linux. So enum4linux is going to end up doing a great job to scan for SMB services, or SMB shares, sorry. You could use smbmap, you could use plenty of other tools; I like to use enum4linux as just kind of habit. I'll specify -a to look for all tests, or as many as it could; that's kind of just boilerplate habit at this point. But I will slap in that IP address and I will also tee that out to an enum4linux log, and I will let that cruise through and see if it can find anything interesting. Looks like it does see this skynet target and it is a Unix server here running with Samba. Looks like it did find some shares. Okay, it found print$ and IPC$; those are kind of boilerplate, you'll see those commonly. However, this anonymous one and milesdyson are totally out of left field; those are new and unexpected. So it looks
like that is a Skynet anonymous share and a Miles Dyson personal share. Okay, so that gives us some headway, and it looks like now it's going to try and enumerate users, but we can start to poke at and explore these SMB shares. So you could do this kind of with your file browser if you're using Nautilus or Thunar or whatever: you could Ctrl+L to get into the location bar and then type in like smb:// to represent that SMB protocol, and then you can access shares just through your graphical user interface in your file browser. That would be fun, that would be cool; I won't do that. I will showcase the other rendition where we're just using smbclient. Oh, actually, looking back at our gobuster scan, I see that it found squirrelmail, which is a new location that might be worthwhile for us to check out before we go look at those SMB shares. Looks like it is SquirrelMail version 1.4.23 by the SquirrelMail Project Team. Okay, I am just going to open up another terminal and try and run searchsploit on squirrelmail to see if it actually gets anything interesting or worthwhile from that version number. Okay, looks like less than 1.4.22 there's remote code execution, but we are on 1.4.23, so that probably won't get us a lot further. So we don't know a username and password here, but we know milesdyson potentially might be a user; that's kind of a weird share drive name, but let's go ahead and just enumerate those shares, right? I'll go ahead and use smbclient. That anonymous share is very likely going to be something that we can access anonymously without credentials; milesdyson, if that's a personal share, maybe that would require Miles Dyson's password, but we can kind of go verify that and try that. So I will use smbclient with the IP address here and I'll specify the anonymous share. That doesn't seemingly have enough backslash characters; it's probably going to be interpreted as escape sequences, so I will wrap that in those single quotes. There we go, now bash
should interpret it properly, right? It's going to ask for my like WORKGROUP\john, john being my username, and password. That's totally fine, we're going to try and log in anonymously, so I'll just hit Enter here, and it looks like it did connect. So if I were to ls, or kind of like look around, just list stuff in the current directory, looks like I have an attention.txt and a logs directory. So I will get that attention.txt; there we go, that pulled that down. And I'll move into that logs directory and also see what we have here: log1, 2, 3. Okay, looks like log1 is the only thing with actual contents; looks like everything else has a size of zero. So I'm just gonna get log1.txt, and that pulled that down, great. So now I can seemingly exit, because there's nothing else in this share for me to look at; these periods and parent directory two periods just kind of refer to other folders, but there's nothing else that I could really explore there. So let's go ahead and exit out of that, and now let's cat that attention.txt that we pulled down. It says "A recent system malfunction has caused various passwords to be changed. All Skynet employees are required to change their password after seeing this." Roger. What about that log1.txt? Oh, what the heck is this? That looks like potential passwords, or like a password list, right? Random numbers at the end here, all with kind of a Terminator/Skynet theme. Okay, are these going to be passwords we could maybe use to get into SquirrelMail? Oh, thank you LastPass, no, you don't need to save that password. Let's go back to the login page and we could try like a username miles or milesdyson. Let's try, just grab this top one here, miles, and spit that in. Loading... okay, SquirrelMail takes forever, which is surprising considering the name. Okay, nope, that failed. LastPass is off to the races again. Let me try that milesdyson, spit that in, oh okay, that got it. So we kind of got lucky in that it was just the very, very first password. Truthfully, I
would have written something to like brute force this. I will just mentally run through that, if that's okay with you, because I think it will just go to show really what's happening here. So whenever you have a form like this that you kind of want to brute force, yeah, you could do it with Hydra. I know a lot of people will probably give me hate because I don't like to deal with Hydra; the syntax makes my head hurt. I would just kind of whip this out in Python, and that's maybe a fault of mine. But I can see that, okay, it takes a password as the input type obviously, it takes a name and login_name kind of as a password here, or excuse me, as another input field, and it submits it all to a form with redirect.php. So what I would do honestly, rather than looking at that HTML code, is I would just open up the developer tools. So I'll hit F12 and then I'll type in like name and password for these fields, there we go, and then this page here, after Chrome goes crazy (yeah, I know that's a bad password, Chrome), okay, this redirect.php POST request that's sent: you could go ahead and right-click on that and just say hey, Copy as cURL, and then check this out: there is a curl-to-Python-requests utility that does a really good job of just, okay, grabbing that syntax and then making it the Python code that you might want to use, grabbing the cookie, grabbing the session information, grabbing the same headers, the content type, user agent, etc., etc., etc. So that is kind of handy for what you're up against. I'll go ahead and mess with that now. Now that we have this log1.txt file, we can try like a squirrelmail bruter .py script, and I will just crank out #!/usr/bin/env python3. We'll have a URL, actually we'll just go ahead and slap in all this: we'll import requests and we will create a response object after we POST to that page with the headers, the cookies, the data, etc., etc. We will need to however tweak the data, because we're not just going to want to send it this static password every
time; we're going to end up wanting to change the name and password as to what we're looking with. So I'll go ahead and import, I'll grab it from pprint, so I have pretty print: from pprint import pprint. And let's go ahead and open that log1.txt and I'll read everything out of it. This is super duper dirty, but I would just kind of do like, oh, passwords is going to equal the contents of that split on newlines, and then I'll like make it a list comprehension so I can do like x.strip() for every x in that thing if there is an x. So that way I split on newlines and absolutely make sure there are not going to be any newline characters in the contents, because I've stripped them all out, and if it's an empty string, if it wasn't properly able to get a line or there was no line there, it will just go ahead and remove it with that if x. So at that point if I were to pprint passwords, we should see all that spit out with all of our lines there. We just created a simple list grabbing everything from that, and now we can work through that. So we know our username should be milesdyson, and we could have finagled that with like miles or dyson or mdyson or however you wanted to, but then we'll go ahead and loop: for password in passwords, we can indent all this, go ahead and grab the response object, but we'll need to change our name to our username and our password to be the variable password, as that changes every time. So at that point I'd probably want to check like, hey, the return code, is this actually going to give me a response status code that tells me I redirected or successfully logged in? We can try to see how that looks, but I think we'll come to find out that SquirrelMail is doing kind of weird things, in that, okay, it's going to give us a 200 every time whether or not we have the right password. So that's not all that helpful. Again, admittedly this is also very, very slow, so if we wanted to really weaponize this we could probably make it threaded and
maybe not have to deal with all the time it takes for SquirrelMail to get through each of those responses. Anyway, let's go ahead and just grab the response.text, and we knew when we failed to log in earlier it gives us this "Unknown user or password incorrect" error, so I'll just go ahead and look for that string. I'll just do a simple like if "Unknown user or password incorrect" in response.text, then we know okay, it's a bad password, so we can actually test if it's not in there, and if that's the case we'll go ahead and print out the password that we found, and like "hey, we found it" or something, "potential password found", and like that's all we need to do. Now obviously, because we know oh, it's the first password, because we sort of went through that manually and we just got lucky, sure, that would really not be that helpful for us because it spits it out immediately, but if we were doing something else and it was further along in that word list, you could have a display out, "oh, we're trying this password", and then okay, we finally found this one eventually. So you could run that in the background if you wanted to, but that was it. Sorry for that fire hose tangent, but that was how I would spitball just slapping that together in Python.

So anyway, let's get back to our good friend SquirrelMail. We will grab that correct password to log in and we'll hop over to milesdyson, pasting in that password there. Okay, now let's be creepy and read his emails. So he has a from skynet@skynet; looks like it's a Samba password reset. Ooh, "we've changed your SMB password after the system malfunction," and now we have this password that you could use. Okay, so we want to use that maybe for his SMB share password. And then there's binary in this other thing. I'm just going to be cheap and go to like asciitohex.com to try and see what that decodes out to. This is when you know you're legit, this is when you know you're a real hacker, when you're using asciitohex.com. "Balls have zero to
me to me to meet." What? I have no idea what that is or what that's referring to. I don't know, everything else is like the system malfunction; is this some Terminator reference that I don't know? That's probably it. I actually haven't seen the Terminator movies, don't hate me, I'm not a real nerd. Okay, now that we have Miles Dyson's SMB password, we can go try and connect to that SMB share. (We could have tried to log in anonymously earlier and maybe that would have got us somewhere.) I'll use that smbclient to this IP address, I'll slap that in, oh, you've got your stinking http:// schema, I don't want that. milesdyson was the name, but if I just try and hit Enter here, okay, yeah, so we would have needed a password for that. So let's grab that, and if I try to connect with this, obviously it's thinking that I'm the WORKGROUP\john user, but no, I want to go ahead and be milesdyson, so we'll specify that as a user with -U. Now trying that, I don't know if that'll let me in without specifying, oh, the hostname, okay, looks like it just did. You could very well have just entered like skynet/ and that will specify the hostname, or a domain name if you're using like a domain user at some point. So then just slapping in that password, pasting it in, now we are connected, and looks like we have some stuff to look at. Oh, there's a lot here. Can I make that relatively visible without obscuring what's actually happening? Now I see a lot of PDF files and I don't know if those will be all that useful: it's like Improving Deep Neural Networks, so good luck, Natural Language Processing, Building Sequence Neural Networks, etc. That doesn't seem all that useful. There is a directory notes though. Let's hop into notes. Oh, and now there's more markdown files. These all look like genuinely, literally a person's notes, like when they're studying for a test or something, or for some course: foundations, non-linear dynamics, just a bunch of markdown files. Oh, there's an
important.txt. Ah, okay, let's get that important.txt if that is seemingly important, and we could try, can I mget all these things? Yes, yes. Oh, do I have to enter y the entire time? I genuinely don't need all these things; I'm gonna remove all those markdown files. Okay, now we have important.txt, so let's see what's in that: "add features to beta CMS /45kra24z7..." blah blah blah. That might very well be a web location, or like part of the URL, I can kind of, I think so, by that forward slash. "Work on T-800 Model 101 blueprints", "spend more time with my wife", yeah, that makes sense, that math checks out. Let's see if we can access that as like a location. We can, okay: Miles Dyson personal page, Dr. Miles Bennett Dyson was the original inventor of the neural-net processor. Let me, let me... is there any links on this page? No. Okay, let's try and gobuster that. I already have many, many terminals open, so let's run that same gobuster with that location there, just slapping in that path, and let's run that one more time. We'll see if it gets anything interesting and then I'll keep poking around. miles.jpg is just the picture; I don't think there'll be any like wacky steganography in that, but there's nothing else on this page. We could try like /admin, no, any css, no, backups, no, is there like a .git directory or a robots.txt for some weird reason, no, and gobuster hasn't found anything. So what, is that just a dead end? Did I just like find this for no reason? What do I do with this hidden page? Ooh, ooh, administrator, okay. Let's get to administrator: Cuppa CMS, "use a valid username and password to gain access to the administrator". I don't want to print that, sorry. Can I use the same credentials I had earlier? I don't think I had that saved. What was that password? Oh, I mean we could use the one from the SquirrelMail email. No. Whatever, is this thing just like inherently vulnerable to anything? What is Cuppa CMS? We could Google that but I'll just check searchsploit super quickly,
so search sploit kappa oh cup of cms alert config field dot php local remote file inclusion oh remote file inclusion and it looks like it's just that thing so let's search sploittacm to get that in our current directory good and now let's go ahead and sublime that to see what this thing is cup of cms file inclusion back on 2013 this is php code injection what php include request url config an attacker might include local or remote php files to read non-php files or read non-php files with this vulnerability oh wait php code in this file will be evaluated non-php code will be embedded to the output so it can just run php code well that will get a server side like code execution right so all you need to do is seemingly do some like climbing the file system tree and then we end up reading etc password or like a location that we want oh and you could do some php streams to get like a base64 encoder representation oh that's slick okay so let's grab this and i'm going to throw it in another directory here because i know that we're going to need to grab the actual location of this thing this administrator that should go to alerts alert config field so this is the string that we want right with our appropriate ip address our location for kappa and trying to read etcetera password is a little proof of concept so let's curl that and let's see if we get anything juicy ooh we do okay so we just flat out red etcetera password dope um we could read the configuration file or we could see if it actually will run php code um if we're using remote file inclusion then we could just like change this to call back to us so if i were to what is if i were to like try and set up my own web server and connect back to it i could see if that will work what is my ip address ap i stone zero it's this thing 10.6.56.85 so we'll slap that in uh i'll listen on port like 8 000 and then i guess we'll just go for like a poc uh and i should actually make that a php script so let's make directory dub 
dub dub and now let's subble like apoc.php we'll just include php tags here and then run like a system function so i can see if i can run command execution on that target i'll run who am i and i'll use python techm http.server to spin that up and now that that is running over there on the side oh goodness we have a lot of terminals open and we really don't need them we'll host that over there and let's see if i would run that curl command to go back to my location will it download that oh i need to actually include the curl command that would help so it's going to call back to my machine where i'm using python to host http.server so on port 8000 i'm hosting a little web service and it can grab poc.php and then theoretically oh it will hit it which it did and it would run the who am i command and we can see the output of dub-dub-dub data so we do in fact have code execution okay awesome so let's now try to get a reverse shell because if we have server side code execution we can kind of control that machine so let me i'll just do like a simple netcat on quad 8 and i will copy over the php reverse shell code um if you don't happen to have that lying around the php reverse shell code is something you can find on pentesmonkey.net i've heard complaints that like pentest monkey was down earlier oh goodness uh can i just go to the site please oh no okay that's being weird php reverse shell okay they have it here on github there you go php reverse shell.php and this is the exact same code all you need to do is change the ip address and port to your ip address so i will grab again my ip address slap that in there and quad 8 is where i'm going to have my netcat listener running good so at that point i should be able to just have it request rather than the poc.php we'll go ahead and grab that php reverse shell.php and then back in my terminal i should be able to curl that location and it will invoke the php on the target that will call back to me theoretically oh oh i didn't 
even have the server running that would be why um python3 techmhttp.server it didn't call back and i was like weirded out because i didn't actually start the http service that was hosting that php reverse shell so let's run that now make sure our listener is up and running and we will go ahead and curl that there we go saw the request in our http server and have our shell callback okay um let me go ahead and stabilize this shell so i'll use do i have python actually let me watch python i do all right python taxi import pty pty dot spawn bash i should be using pwncat for this in all honesty um stty raw minus echo gosh i haven't typed these commands in so long because i just you've been using bonecat uh we'll export term to xterm there we go okay now we have a full shell uh phonecad is in a little bit of a development phase we're testing new things so i'm not using that for the moment because people are gonna be angry like how come it works on your computer and not online so let's go into the home directory and see what we got here we got miles dyson uh we did land as the www data user though which isn't extremely helpful because we probably need to privilege escalate to do something better but we want to see if we can grab this user.txt flag or prove that we have like local command access so let's change directory into that miles dyson friend here and he does have a user.txt in here can i read that it is world readable okay so let's just simply cut out that user.txt and there we go we have that flag to submit now we sort of need to be able to privilege escalate and see what we can do to become root or this miles dyson user can i sudo as hack l no i need a password which i don't have um let's just try and run lin peace so i will hop over to my shared memory directory or dev shm and i am going to actually use this python web server a little bit more but i'm just going to copy over lin p's and put it in the same directory so that way it's still currently being served 
that way i can go ahead and w get a http colon slash that ip address and port number for my machine and uh we'll go ahead and grab that lin pease dot sh take some time to download that good now it's on the target i can go ahead and run it and let's see if that gets any good stuff lin pease is cruising we'll take a break i'll take a quick drink break to let that finish and we can start to kind of look through some of this output lindp's is super good though because it will give us that legend or color key as the things that are very likely a privilege escalation vector and we can start to cruise through here kernel version ubuntu 1604 old version of sudo oh cve2021-3156 am i right processor information and things a lot of useful software there we have gcc also have lxc that's kind of weird for containers a lot of processes running nothing extremely interesting with that for the moment um cron jobs oh there is a root cron job hourly crown monthly cron weekly oh and there's an entry in here oh every minute root runs home miles dyson backups backup.sh oh that that was in the directory and i like didn't even pay attention to it i didn't even see the thing well that's got to be useful right all right let's stop lin p's and let's just go look at that um home miles dyson backups ls la i didn't even look in share mail and backups i was just cruising right through it oh yeah backups is owned by root that's kind of weird it is world readable and executable though so we can go ahead in there um it also has a backup.sage script which we just saw from that cron job running every minute root is going to run this script and a backup.tgz i cannot modify that file because it's owned by root and it doesn't have right permission for me but we can read that backup.sh script uh lin p's go away so we'll cat that out looks like it just starts a bash script right that's all it is and it changes directory into var www.html so the web service and it tars it creates a tar archive outputting 
to oh this backup.tgz every minute we saw from that cron job and it uses an asterisk here ooh that backup backup.tg was created just today so that time is different than all the others right so we know that that's like actively being used that cron job is working so with that syntax of this cat with this backup.sage script here that we cut it out var www.html has all the files that are being included in this backup.tgz and it's touring it all with a wildcard so maybe this comes from like the familiarity and just i don't know the exposure to some of the stuff because i play a lot of these silly games and try to get internet points that aren't real but the asterisk and the wild card using the command line can be abused so in var www.html it's going to be globbing all those files because of that asterisk but we might be able to make that messy because we could inject quote-unquote or put in place some command line arguments for the tar program and tar can be used as a gtfo bin or some like living off the land native binary to unix and linux that will escalate our privileges or do something interesting so uh that's a that's a known thing in a known technique and i'll google that and show you that if you do uh tar wild card exploit yeah yeah exploding wild card for a privilege escalation right here and i'll show you a little bit of kind of what this discusses we'll cover wild card injection talking a little bit about it here wild cards asterisk question mark brackets can be used as well so here they show this example right they create some directories we create a file here file one and file two and we also name a file tactac help it's weird but we're naming a file that file has the file name tactac help so when you try and cat those out you're the same way you would as if the wild card was being interpreted you're gonna cat out file one we're gonna cat out file two and you're also gonna cat out tactac help but that tact help will be evaluated and interpreted and 
understood as parameters to the cat command so you can use this with other programs that are obviously going to end up being much more dangerous than simply cat or the tact help argument but he goes through an example where he showcases oh hey i have all these files in my current directory but i'm going to make them be owned by someone else because we know the tone or c-h-o-w-n command is going to be used they use tac-tac reference to indicate hey that's actually going to change some all the other files you suggested back to a different file that is already specified so they're using that my.php example here and that way all of those files previously owned by raj or rha are now going to be owned by ignite because of that tactac reference file it used that my php which was owned by ignite and that just got sprayed to all the other files very cool very neat that's the idea but they do showcase a similar example here using tar running every minute in the crowd job running backups with an asterisk file so that's kind of exactly what's happening they showcased this example they're using msf venom we don't need to use msf venom because that's going to take a lot more time and be more clunky than we need to but what they do is that they create a other shell script can this thing stop there we go i think it was really annoying that it just kept and that won't even expand this is stupid i don't like this thing just popping up and down here's what we'll do can i copy all this maybe copy what there we go okay now we can actually explain this without fighting over stupid things um our code we have bad malicious code or whatever we want to run put into our own shell.sh script and then these arguments or these new files we're creating checkpoint action exec sh shell.sh it's going to run this script that we've specified and these checkpoint action arguments are arguments to that tar program and that's going to actually run them with this checkpoint equals 1 set up so then when 
this tar command is actually executed, and we aren't going to run this manually, we don't want to run this ourselves, because that's going to end up, like, running with the same privileges as our current user of www-data. We want to let root run this, because root is running it every minute. Because we've set up these files and they're in place in the current directory, that wildcard will expand them and it'll interpret them, and tar will execute this stuff, and that way our malicious shell.sh, or whatever file name or code we want to run, will be executed as root, and that is how we can escalate our privileges. So what I will do, and you guys know this kind of technique that I love: um, I'm gonna check out /bin/bash. /bin/bash is currently owned by root and it's just a regular binary, but I love, and this is way too common for me, I do this all the time because it's so quick and easy, don't need to get another reverse shell, don't need to spin up msfvenom: I'm going to have root make /bin/bash be a setuid binary, so that way I can just invoke it and become root as needed. So if I were to run /bin/bash right now, it puts me in a subshell; like, it doesn't look like anything changed, but if I were to try and exit, that's because I was in a subshell. When /bin/bash is a setuid binary, if I invoke it with -p, I could run whoami and I would have the privileges of the user that this file is owned by, right? That's what the setuid privilege will allow us to do. Right now it isn't setuid, so I'm not root, but since we can weaponize and use this tar exploit, or this tar wildcard expansion, to do that, that's what we'll do. So, all right, so let's simply use printf to get a shebang line in here, and I'm going to use single quotes because I know that this hashtag, octothorpe, is going to be a problem for bash. So I'll specify my shebang line, and I'll use a newline here, and that's why I'm using printf, because I don't like to deal with it in bash, or sorry, in echo, and then we'll go ahead and chmod
+s on /bin/bash. There we go, and once that is executed every minute, we should see that /bin/bash is going to be marked as setuid, so that way it will, uh, be executable for us and we can run as root. Then we'll go ahead and create all these files that are necessary for tar, and we will not run this tar command on our own, but we'll wait until the clock strikes a new minute, and that way we should be able to run bash as needed and do our privilege escalation. So let me check this out in a linear fashion: I'll run ls -la /bin/bash, I'll check the current date and time. Looks like we have 46 seconds into the minute, so I have eight seconds left, we gotta be quick, we'll spit that in. Oh, actually, I was wrong, we can't write currently in this backups directory. Don't forget that backup.sh is running out of /var/www/html; all these files it's pulling are in that current directory, so we're going to hop over to that directory. Good, now this directory is going to be owned by www-data because it's the website directory. So if I were to check the date one last time, let's check our bash setuid: it's not setuid, we got 30 seconds. So let's slap in the shell.sh, let's create that checkpoint action, and let's create this checkpoint file. Now if I were to ls, we can see all those exist. I'll check the date, we've got 15 seconds left. Let's run another ls -la on /bin/bash to see if we've changed to a setuid binary. We haven't yet, we're still waiting for the minute to come through, so I'll use date one more time. Now we're totally past the minute, in just a hot second. ls -la /bin/bash, now we should be able to see that that is a setuid binary. Perfect, okay, we've done our privilege escalation at this point and we can just invoke bash as root: /bin/bash -p. It's a setuid binary now, so I am in fact root. Very cool, very fun, that was a blast. I like seeing that, uh, tar wildcard expansion. So let's move into that root directory and, uh, let's grab that root.txt. There we go, we can go
ahead and submit that, and at that point we have everything that we needed for this room. We found Miles' password; we did that with a little bit of brute force, sort of, with that SquirrelMail. We found the hidden directory by exploring those SMB shares. We saw the remote file inclusion that we could use with that Cuppa CMS, and that's how we got our PHP injection in. We landed as www-data to get kind of low-privilege access and command, like, remote code execution, a shell that gave us our user flag, and we just privesc'd with that tar wildcard expansion to find the root flag, and that was that. Oh boy, this turned into a super long video, holy crap, but I hope you had fun. I hope that you had just as much fun as I did. Uh, I've been screaming and recording and doing this for a little bit, way too long, so my voice is kind of falling apart here, but thanks so much for watching, everybody. Hey, uh, please do tune in to that GuidePoint Security CTF; you can see the promo for that at the beginning of this video. But I hope you enjoyed this video, I hope you're excited for more, because we're gonna do a little bit more, we're gonna keep them coming, and, uh, please do all those YouTube algorithm things. I'd love to see you subscribe, maybe leave me a comment, maybe like the video. I'm super duper thankful, thanks so much everybody, that is the end of the video, I'll see you in the next one, I love you, take care.
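The privilege escalation the video walks through works only because the backup cron job runs `tar` over a shell glob (`*`) in a directory a low-privileged user can write to, so file names become tar arguments. The following is an added example (not the video's, TryHackMe's or the Hacking Articles author's code) showing the two things a defender wants from this: a check that flags option-looking file names in a backup source directory, and a tar invocation that is immune to them because no file name ever reaches tar's argument list. The directory and file names it creates (`index.php`, `shell.sh`, the two `--checkpoint` names from the video) are constructed samples in a temporary directory, and the `/var/backups/backup.tgz` archive path and the `/var/www/html` layout are assumptions taken from the video's description of the room.

```python
"""Defensive check for the tar wildcard-injection pattern.

Assumed weak cron job (as in the video):   cd /var/www/html && tar czf /var/backups/backup.tgz *
The shell expands `*`, so a file named `--checkpoint-action=exec=sh shell.sh`
is passed to tar as an option and tar executes it with the cron job's privileges.
"""
import os
import re
import tempfile

# GNU tar options that make tar run a program; a file name beginning with one
# of these is reported as high risk.  Any name starting with '-' is still flagged,
# because tar parses every option-looking argument it receives.
HIGH_RISK_OPTIONS = (
    "--checkpoint-action",
    "--use-compress-program",
    "--to-command",
    "--rsh-command",
)

_OPTION_LIKE = re.compile(r"^-")  # a name the shell would hand to tar as a flag


def find_option_like_names(directory):
    """Return one finding per entry in `directory` whose name looks like a tar option.

    Each finding is {'name': <file name>, 'high_risk': <bool>}, sorted by name.
    """
    findings = []
    for name in sorted(os.listdir(directory)):
        if _OPTION_LIKE.match(name):
            findings.append({
                "name": name,
                "high_risk": any(name.startswith(opt) for opt in HIGH_RISK_OPTIONS),
            })
    return findings


def safe_tar_argv(directory, archive):
    """Build a tar command line that file names cannot influence.

    Instead of `tar czf backup.tgz *` it uses:
      -C <directory>  change into the source directory,
      --              end of options; nothing after it is parsed as a flag,
      .               archive the directory itself, so no entry name is ever an argv element.
    Returned as an argv list so it can go to subprocess.run() without a shell.
    """
    return ["tar", "czf", str(archive), "-C", str(directory), "--", "."]


def audit_backup_source(directory, archive="/var/backups/backup.tgz"):
    """Audit a backup source directory and recommend a glob-free tar argv."""
    findings = find_option_like_names(directory)
    return {
        "clean": not findings,
        "findings": findings,
        "recommended_argv": safe_tar_argv(directory, archive),
    }


def build_sample_dir(include_injection=True):
    """Create a constructed sample web root in a temp dir and return its path.

    With include_injection=True it also drops the file names the video describes
    (sample data only; the script file here is an empty placeholder).
    """
    root = tempfile.mkdtemp(prefix="webroot-")
    names = ["index.php", "style.css"]
    if include_injection:
        names += ["shell.sh", "--checkpoint=1", "--checkpoint-action=exec=sh shell.sh"]
    for name in names:
        with open(os.path.join(root, name), "w") as fh:
            fh.write("")  # contents are irrelevant to the check; only names matter
    return root


if __name__ == "__main__":
    sample = build_sample_dir()
    report = audit_backup_source(sample)
    print("clean:", report["clean"])
    for f in report["findings"]:
        print(("HIGH RISK " if f["high_risk"] else "option-like ") + repr(f["name"]))
    print("use instead:", " ".join(report["recommended_argv"]))
```

The check is cheap enough to run from the same cron schedule as the backup or from a file-integrity job, and it gives a concrete alert before root ever runs tar over the directory. The fix, though, is the argv form: `-C dir -- .` removes the glob entirely, so there is nothing left to inject, whereas merely filtering names would leave the cron job one unusual file name away from the same problem.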
Info
Channel: John Hammond
Views: 100,082
Id: HXikLrFVIXc
Length: 47min 17sec (2837 seconds)
Published: Tue Feb 09 2021