TryHackMe! Sudo - CVE-2019-14287

Video Statistics and Information

Video
Captions Word Cloud
Reddit Comments
Captions
how's it going everybody my name is John Hammond in this video I want to tackle the agent sudo room from try Hackney so let's jump on over to my screen I will go ahead and I am joined in the room here so let's go and deploy the machine let that spin up it says welcome to another THM exclusive CTF from your task is simple capture the flags just like any other CTF room have fun if you're stuck inside the black hole post in the forum rest and try acme discord okay we need to deploy the machine looks like we've done that I have the IP address here so I'm gonna go fire up my terminal here I'll get into my CTF try hack me directory and I will sudo Open VPN my account so I can connected to their network this is a free room so you should be able to access it without being subscribed I'm using my account that is not subscribed and I'll make a directory here for agent sudo up over there and I'll create a simple readme so we have a place to store our notes I'll also clear out some of all my other stuff from previous recordings we don't need those but let's go ahead and add this stuff in here and I'll export my IP address as what it has given us so we have that as a variable we can access within our shell great we have deployed the machine let's see if it's hit up already I guess still taking some time no matter numerate how many ports are open on the machine ok so it looks like we'll go ahead and run nmap once he's up and available I am still connected to him just fine all right yep all right I'll stand by until I can see pings okay it looks like he is up and running now so let's go ahead and make an nmap directory I will end that tack SC Tec SV that's fine I needed to do that anyway it's really hard to type with a microphone in the way tak o N and map initial and let's do my IP address let's make this verbose so I can see really what it's doing if it finds any ports 20 180 and 22 ok good to know so if 80 is open then we can go poke around with it on the website and I'll do our basic numeration here are those the only three reports that we have to work with it looks like it so let's say there are three open ports that is the correct answer how do you redirect yourself to a secret page well we have this IP address so let's go check it out in the web browser here it says your agents use your own code name as a user agent to access the site from agent R okay it looks like that's literally all that is in the page here let's go ahead and neek though this HTTP this guy get him spun up I guess I'll also run a little der Buster for good measure just because hey opt directory and the URL should be this guy let's go look for extensions PHP Sh HTML Javascript CSS Python CGI blah blah blah let's see if that gets me hits and while that's scanning we can kind of read up what we're used to really be doing here use your own code name as a user agent to access the site from agent R so I'm assuming the code name is referring to agent and then some letter I guess so did I do that wrong or no I guess it just didn't care whatever let's go ahead and try that technique then so let's curl that page yep use your own username or use your secret agent name so let's go ahead and supply a header with curl I'll say user agent can be agent like a write that returns nothing user agent B that returns nothing different username C code name as a user agent should it be like lowercase I wish it would tell me agent a without a space or something agent B these are only code name user access to the site are there any other links I'm supposed to be accessing I wish I knew agent lower case agent A to B let's see hmm maybe it's just the letters themselves this is taking some time to respond I feel like I'm just like hammering the box on accident she's her agent a like the letter itself why is it taking so long as the page still there is the site still up come on agent sudo all right I guess I'll pause until that returns okay I went ahead and stopped Neto because maybe that was beating it up and if I'm using user agent a user agent B user agents see all these I could write a script to brute-force these but that question is asking how do you redirect yourself through secret page oh oh if it's getting a redirect and I guess I should probably include the user agent tech oh like tack l and curl so it redirects things maybe I was wrong all along throughout all that user agent B and now for falling redirects user agency oh okay cool now we got a result attention Chris do you still remember our deal please tell agent J about our stuff ASAP also change your dang password it's a week from agent R so Chris looks like a potential username that is the redirect we've been using I guess that's how we redirect your secret page user agent is that what we need to submit here okay cool what is the agent name yes it is Chris theoretically that's good hash cracking and brute force done a new brainy machine time to brute your way out okay so it looks like it needs an ftp password so if we know our user name is Chris from this here it was kind of a strange way to figure that out but let's go ahead and start with Hydra so hydras great because it'll tell us kind of some syntax here but we just need a schema there so Hydra attack L Chris is our name will use op rocky to go ahead and Hammer stuff and let's put it at FTP on the IP address and let that guy go so I guess I'll pause until we get some hits I guess we could also actually just try and Hammer some of the other services too because that account might work just as well on SSH I should grab the IP address if I'm going to use that so let's set that up Hydra Chris Rock you and if that is on all FTP can we actually netcat to that can I poke around at that netcat interface so let's net cat or FTP I suppose just to run the client itself over to the IP address looks like it's connecting Chris I guess we could try like basic baby password no maybe gosh this machine is kind of frustrating to use because it's so slow I guess I should be on my subscribe to account let me not hammer it let's just focus on FTP and see if we get any results I guess I'll just pause until something comes back hopefully okay that finally came back looks like we have login credentials Chris and crystal so let's uh let's take note of that well it was paused I was going through and kind of adding in some of the notes that we have thus far so ftp password let's just include that as our note here grab the syntax just spit that guy in I'll call that C that's in bash and crystal is the password good I just like to kind of have our notes I'm gonna put together so we have our own reference if we ever go back to this we learn something from this machine now let's FTP to that let's go ahead an FTP Chris at the IP address or I guess we can just go to the IP address and supply Chris as a name and probably FTP probably has no idea what I'm doing when I say that okay man slow box interconnection timed out are you kidding me we know what the FTP we know the IP address variable is right that's still in the context of this please holy cow make sure you guys are running this from a subscribed account I don't know why this is taking so long there we go okay Chris crystal that's our password and everything great what do we have here ooh okay let's get all of these can I em get all this does that work yes thanks yes I'd always but what arguing to us apply to em get to download there's at least there's only three of them that's that's totally fine okay so now we have all of those downloaded let's actually make an FTP directory and let's move cutie cute alien and to Agent J into that FTP directory I probably should have all done that before I did that let's go check out what this to Agent J says all of these alien photos are fake agent are stored the real picture inside of your dictionary your directory what okay okay your login password is somehow stored in the fake picture it shouldn't be a problem for you which picture cute cutie alien let's go check out these what are they actually showing us cute alien jpg that's cute and QD dot PNG okay so if they're inside of the image can I like strings all of the JPEG ones blah blah nothing seemingly interesting there how about strings in that PNG image oh he has something inside to agent R we have a - agent J so there's clearly something in that PNG let's go ahead and bin walk tacky on the QD PNG he has a zip file in there yeah yeah okay so we extracted that out with bin walk tacky looks like QD PNG extract it has two agent our text in there what what is that empty that is empty that's weird zip file though let's unzip that 8702 zip file we need a password 7z ok we'll replace it yeah yeah replace that thing oh it doesn't get password okay so let's go ahead and run zip to John that should be in the opt john the ripper run zip to john run that on r8 702 zip file let's redirect that to hashes for John dot txt and now let's run hashes for John with John change that command to actually use John the Ripper not visit John script and will supply the word list to opt Rock U dot txt so let's see if we can crack that zip file password ok looks like the password is alien good enough so I use 7-zip to extract that because it didn't seem to behave when I used just regular unzip so 7-zip this guy yes go ahead and remove stuff or overwrite it I'll use alien as my password looks like that worked ok now to agent are actually has content in it so let's go see what that says agency we need you to send the picture to that as soon as possible that looks strangely like base64 just because of the random capitalization so let me go ahead and make sure ok that is base64 so that decodes to area 51 we need to send the picture to this as soon as possible so that must be the other alien the Cutie alien JPEG and that is a JPEG file so if we're doing stego technique so we have some of these things we should fill out and we kind of have this notion from the prompt it's probably a stag thing we can use stag hide yeah yeah so stick hide syntax is extract and then SF to specify the file that you want to extract out so that is the cute alien jpg and our password is area 51 capital a there we go wrote out the attracted it to message text so message text says hi James glad you found this message your login password is hacker rules don't ask me where the her password looks cheesy asking to know are set to pass before your buddy Chris okay so hacker rules looks to be a password for James area 51 is that answer the other agent in full name is James theoretically and the SSH password is hacker rules so we submitted all those alright now let's go ahead and log into that box right because we saw SSH was open from our nmap scan so James to that IP address taking its sweet time well that's going for us let's go ahead and zip file was alien area 51 the next one James and hacker rules now task 4 what is that asking for what is the user flag it should be easy once we go ahead and login if that ever loads for us what is that other prompt here what's the incident of the photo called what I don't know what that means I guess we'll see come on computer I guess I'll pause okay sorted and stopped it and now it seemed to go through so now let's enter the password hacker rules exclamation point come on did I not do I not have that copied please don't please don't not connect that is the right password right maybe it did authenticate this time and that's gonna take its sweet time to give me that connection lots of pausing in this video okay now he's in great so let's LS we've got our user flag text great go ahead and submit that for our user flag submit slap that guy in here what is the incident of the photo called okay so we have this alien autopsy JPEG I guess we could copy that down but we could very well just run some regular commands if the connection would work oh holy cow I'm applause okay okay looks like we're working now so strings on that guy we don't have that installed okay I guess we can try some EXIF tool do we have exif tool accessible to us no okay let's go ahead and try and download that thing then so let's actually make it a rectory floor SSH we'll hop over there let's SCP James at let's slap that IP address in SCP James at IP and we want a lien autopsy the JPEG and let's just put it here so it needs to know that password once it asks for it there we go and that should download hopefully I don't know if that syntax is gonna think I mean from the root directory yep okay let's go from home James destroy that paste that password in sweet sweet upload and download time sweet sweet networking what did I just spell it wrong home James PWD Wow PWD home James alien autopsy JPEG that's what that's a lien autos Tatas B I spelled their typo wrong cos P is that wrong I feel like that's wrong I feel like it should be autopsy I'm truly sorry for all of you watching this video I feel like I need to pause every time I interact with the Machine whatsoever there we go okay what do we got here alien autopsy Oh fringy I don't want to see that nevermind strings that guy what is all that at sign in there ad @ @ @ @ @ Atena that is the name of my Wi-Fi network when I go ahead and create mobile hotspot so if you ever see that out there in the world you'll know it's me alien autopsy what is this what is this asking for is there anything else that I didn't see in that let's go for long strings let's go 5/10 hey a there's some hidden information from like what Photoshop but put in there what is it actually referring to [Music] jyllian hospital I don't want to look at this imaging but I feel like I have to gosh gosh that's so bad let's see if it's a thing Google Image Search Google and ministers reverse reverse image search Google Image Search that gives me there we go Google Image let's just grab this file and directory let's drag it there let's see we have Roswell UFO incident oh gee goodness I don't like those pictures man Rossville your phone so that looks like army reveals flying disc that's not the amount of letters that it needs upholster we got Smithsonian Fox News Roswell alien footage oh oh oh oh oh god the freaking picture get out of my life Roswell alien footage does that work no did I spell it wrong I guess I'll just look at this picture more get out of here Fox News alien autopsy oh oh it's autopsy footage is just something that I read in the URL and got freaked out so alien autopsy autopsy spelled correctly there we go okay I hate those though that's not like it question enough with the extraordinary stuff let's get real CVE number for escalation Oh okay let's do some things now so we're on the Box let's go ahead and actually put Lynn peas in there so I'm gonna SCP my own op Lynn peas to James at the IP address do I have IP the thing yeah okay let's go ahead and put it in dev is hm just cuz that's good place to hide stuff a shared memory typically world writable typically world readable there he goes okay so back in the Box now let's go ahead and move into dev as HM its mark Lynn peas as executable and let's let him go okay my user Ken sudo things that's good good to know root is the one that we need but we are in the pseudo group often IDs sudo is in there blah blah blah some things are running okay trying to go from the top sudo versions kind of old good stuff in there CCC is installed we could do a kernel exploit throw some dirty cow maybe thought it was that path information nothing out of the ordinary I look for the set UID binaries cuz it seems to be pretty common lately and a lot of the Troy hack me rooms I've been going through what is this our sink what pseudo all no password all is that a thing could I do that because it has a lot of set UID but a lot of these look pretty normal let's let's let this run but let's ssh pass tech p hacker rules ssh james at IP dollar son IP so we are logged in ssh pass just quick syntax so i can go ahead and actually supply the password on the command line like as an argument I hope that IP here's an actual variable that's set in this case that will log in just fine but he's still going okay good let's see if that pseudo thing is like a thing sudo tech Oh Oh hacker rules exclamation point user James we run the following commands on agent sudo all not root and bin bash what oh whoa whoa oh that's uh that's the CVE that was a recent pseudo bug see this thing this thing I made a video on it Caleb and I talked about this when you specify the user ID account that doesn't exist it's a normal like a weird miss configuration but let's attack you is that right number one number one Ben bash what is it what is that what is that syntax Oh does it doesn't mean a space after it okay that's it that's that now that's that that's that Pervis so the bug is if you specify anything other than root it will be searching for the users and you could specify attack you with an account ID or a user ID that doesn't exist like negative 1 and that will fail and I guess some end overflow thing that will determine that Oh and it'll it'll select root and then you'll be able to do it the CVE information gets a lot more into it but this is the bug and I and I did a video on it some time ago you can see that on my channel John Hammond pseudo bug yeah this guy under 1.8 28 so that's cool get these stupid alien pictures out of my face now that we're root we own the box right so let's go into root let's cat root dot txt congratulations on where this box the box are designed for try hack me there is your flag desk L is his name and that must be the author of the Box must be the Box Creator does it say it doesn't well ok so that was that that was agent sudo it turns out I was an idiot and I was having a lot of connectivity issues because I had to open open VPN sessions going from when I recorded earlier and what I've been recording now so my fault I'm a failure thanks thanks for watching that was that that was um that's kind of cool it was good to get that exposure with the sudo vulnerability see that kind of out there in a little exercise and the hacking and the hash cracking and brute force was also kind of neat so I hope you guys enjoyed this video if you did please do press that like button the common thing to subscribe but whatever all of those YouTube offers and things love to see you guys on patreon PayPal discord there's a link in the description it's an awesome awesome community full of tons of smart people way smarter than me and that's that my face is really white with this light right gosh I'm an alien I'm area 51 thanks everybody why [Music] [Music] [Music]
Info
Channel: John Hammond
Views: 45,940
Rating: undefined out of 5
Keywords:
Id: Ikx6iOocYO0
Channel Id: undefined
Length: 26min 45sec (1605 seconds)
Published: Thu May 07 2020
Related Videos
Note
Please note that this website is currently a work in progress! Lots of interesting data and statistics to come.