TryHackMe! SweetRice Exploit & Stabilizing Shells

Captions
Hello everyone, my name is John Hammond and welcome back to the TryHackMe video. Today I'm going to be showcasing the LazyAdmin room. It is a free room, so you do not need to be subscribed to access it. I'm joining the room here and I've spun up a machine. The prompts here are "what is the user flag" and "what is the root flag", so it's not the guided, hand-holding sort of procedure that TryHackMe does in some of its other walkthrough rooms; this is more of a challenge-oriented room. So I've gotten started: created a directory for ourselves, I'm connecting to the VPN, and I've also gone ahead and made a simple README where I've got my IP address set up as a variable that I can reuse, and the tasks and stuff, so we can take our notes. I've also gone ahead and started the nmap scan with nmap -sC -sV -oN nmap.initial. So it looks like we have SSH open on port 22. We also have port 80 open, so it seems to be hosting a web server.

So what we can do is go ahead and access that server. I will grab that IP address one last time, fire it up in a web browser if Google Chrome will let me, go to that address bar, and we're really just met with the simple Apache2 default page. So there doesn't seem to be anything here; we could scroll through the source, but nothing in particular jumps out at me. So we'll start our regular enumeration techniques. I'm going to go ahead and run nikto on http://<IP address>; I think it needs -h, I don't know why I'm floating on that idea. Looks like it does, so let's go ahead and tee that out to nikto.log. I'll also get started with some gobuster so we can enumerate: okay, what does this web page actually have for us? So we need our URL; let me grab that IP address, nice, quick and easy. Great, now let's gobuster -u http://<that IP address>, go ahead and use the wordlist, and I'm going to be using the directory-list that dirbuster typically ships with. Okay, that immediately found a /content, and we can go view that. Oh, misspelled "content" there.

And it says: welcome to SweetRice, thank you for your install of SweetRice as your website management system; the site is building now, please come later; if you're the webmaster, go to Dashboard, General, Website Settings and uncheck the box "site close" to open your website. Looks like this will link us to the documentation or some things to do when SweetRice is installed. Sounds like SweetRice is a content management system, or CMS. So I'm going to view the source here. It's kind of messy; I want to get an idea of what version number the SweetRice page is. Looks like there's some JavaScript, dashboard, something in 0.54; not sure if that's the current version of the SweetRice package. Nothing else seemingly in there. Any other links? No. Okay, so no real version number as to what this SweetRice installation actually is, and no other pages that gobuster found anyway.

Let's go ahead and do our research on SweetRice. I'll go ahead and start up a searchsploit so I can look for SweetRice. Okay, looks like there are a couple of options here: remote file inclusion, multiple vulnerabilities (looks like those are just text files, they might be explaining what the process actually is), arbitrary file download, and arbitrary file upload. Again, not sure of the version number, 0.53; the 0.54 which we saw in the JavaScript might tell us that. Okay, we know that's at least a potentially real version number, not just something arbitrary we saw in the JavaScript. Cross-site request forgery... cross-site request forgery / PHP code execution, that does sound peculiar. Okay, let's take a look at what that is: searchsploit -x on that path. Looks like what we will do, reading through this: in the SweetRice CMS panel, adding an ad section will allow an admin to add PHP code. It can take advantage of the CSRF vulnerability, or cross-site request forgery, and allow the attacker to execute PHP code on the server. And in this exploit, I just added an echo "hacked" and phpinfo, and you can customize this for yourself.

Okay, so it gives us some HTML code and allows us to go ahead and inject it. We might need to modify where this is actually showcasing it, though: localhost is obviously not going to be our target, we need to change it to the IP address, and sweetrice might need to be changed to content. We can certainly try that. Let's go ahead and copy this and work with it. I will kind of check in on our other scans; seemingly nothing. Let's go ahead and move into exploit and then searchsploit -m so we can copy that, and let's move that over to our own exploit.html or something. Let's go ahead and check out what we can do with this. We don't need all these comments here, but we should go ahead and change this specific IP address, so that should be what we're looking at. Oh, and content as well, so let's actually just completely change that. as_type equals ad, hidden, ads, hacked, and it would put it in what location? Where would it put this? Okay: after the HTML executes, you can access the page at that location, inc/ads/hacked. Let's tinker with it, because it has the correct URL in there now. We should just be able to open up this HTML document and add it to our specific page. The textarea html is just stuffed with echo "hacked" and showcases phpinfo. Let's see if that will actually work for us; just tinkering, just exploring. Let's Firefox over to exploit, and oh boy, okay, did it already do it? Do I need authentication? Do I need to access it? admin/admin: login failed. That did not seem to work. Maybe it automatically ran it, because it said onload document.exploit.submit(), so exploit, yeah, is the name of this. So it went ahead and submitted it, and I don't know if it's actually going to be accessible or not without having... actually no, without having any credentials it didn't seem to work for us.

Okay, so what could we do if we have arbitrary file read and some of those other searchsploit options? Check this out one last time: remote file inclusion, multiple vulnerabilities, arbitrary file download, backup disclosure. Maybe that has some potential credentials in some of the backups, so let's try that: searchsploit -x. Proof of concept: you can access all MySQL backups and include and download them from this directory, localhost/inc/mysql_backup. Is that a thing? Oh, we saw earlier that inc actually just comes off of the content page in our case, because it's not sweetrice on this site, it's content. So let's go ahead and try that, inc/mysql_backup, is that a directory? Oh no, it needs the inc; right, back to that, it needs inc to include, right, there we go. Oh, mysql_backup! Let's try and copy this link address. Let's move back and make a directory for backups, and let's wget this. See what we have here: a SQL file. It is a PHP script, weird. Oh boy, okay: attachment as a table, category as a table, I don't care about those, I want users. Do we have some users? Going down... what is that? Global settings, looks like a serialized object here: author, title, keywords, that's a long string. Oh, admin user is manager and his password is this. That looks like a hash; so I'm seeing how many characters is that, 32, so 32 hexadecimal characters may very well be a hash. Let's go over to CrackStation and try to see if we can crack that hash, so I'll just slap that in here. Yep, not a robot: password123. Classic, super cool.

Okay, so now with that we might be able to go ahead and use that upload vulnerability. So manager was his username and password123 was his account. What is the user flag, what is the root flag: those are just the tasks we need to finish. Let's go back to access our exploit: Firefox exploit. That's going to go ahead and submit it, but we need to log in, so it's manager and password123. Fired off, that succeeded. Did that work? I don't know, let's go find out. Put it in content, and where did that exploit say it would put it? In ads/hacked.php, let's try that: inc/ads/hacked.php. No. Let's try and run that again now that we have that session created within our browser. And I killed Firefox when I did that, so that was lame; let's go ahead and do that exploit one more time. Log in. Okay, now that I'm back on Firefox I should be able to Firefox exploit one more time and go ahead and submit it, and now I've created that page. Okay, awesome, now let's go see if we can access it, just for a simple proof of concept, right: we want to see if it would load that phpinfo page, and it does. Okay, awesome, so we could potentially leverage this to remote code execution.

Let's go ahead and copy our PHP reverse shell over in here, so let's just call it revshell.php. What I'm going to do is modify that to include my IP address as the attacker, which is 10.8.0.38 currently, so that should be the correct IP address, and let's listen on port 9999. And now let's include all of this inside of that exploit rather than running their little phpinfo proof of concept; let's include this whole thing. Okay, so now we have that whole reverse shell in there. Let's change this to revshell, and that's all that it needs seemingly, so it's no longer going to be put in the hacked page but the revshell.php page. Let's go ahead and try that. We still have Firefox open and running, so I can go ahead and use that Firefox exploit one more time, and that has submitted and created revshell.php. Okay great, so now let's start up our listener. Oh, that port is already in use. Why is that port already in use? Am I doing something else? What are you doing? How does ss show me processes? Is it sudo pkill netcat? Maybe I already have something up from when I was just testing things. Address is already in use; well dang it, I already made that as a prompt. I don't have netstat installed and I don't know the syntax for ss off the top of my head; let's go learn it, let's go figure it out. ss, process name, maybe it is -tlnp, probably the same syntax, -tlnp, oh, -p to show processes, right, grep 9999. What is that? That's totally not what I'm referring to, that's totally not what I need. All right, let's just friggin' change the port to 8888, who cares. So now we can go use that, and let's change it to just shell rather than revshell, because I'm apparently just making mistakes in this video. Great, now let's Firefox our exploit, and because it's logged in, still has that session, now we have a shell. Great, can I please listen on 8888, pretty please? Okay, awesome, that's good. So now that that's created, let's go over to our ads and go to shell.php, and that will execute and give me a shell over here. Okay, awesome.

So I wanted to use this video as kind of a vessel to showcase some of the PTY upgrade elevation techniques. You've probably seen me before use python -c 'import pty; pty.spawn("/bin/bash")', et cetera, et cetera. I found this resource, netsec, and I want to showcase it to you because it has some neat tricks: not just doing this within Python, but also doing it with other commands. So Perl, some syntax here to execute /bin/sh; same thing in Ruby and Lua, you can also do this. Okay, if you're in Vim or vi, and nmap, those will be able to break out and get you a shell. The PTY is super duper helpful. One cool trick that I learned just recently is actually using the script command. So, does that not like that? I guess it's just still spawning sessions. Okay, /usr/bin/script should allow me to use -qc and start /bin/bash and save all that output to /dev/null. So now you can see www-data@THM-Chal: I've spawned a PTY without using Python. So in the cases that you don't have Python available, or you don't know if it's using Python 2 or Python 3, this /usr/bin/script -qc spawning /bin/bash and writing out to /dev/null will give you that. This technique does still let you foreground or background the netcat connection and then run your stty raw -echo, so you can foreground the session again and then gain your autocompletion, tab to autocomplete, and command history and left and right arrow keys. So that is very, very nice as well, and again you're not using Python, so that's a good help.

Okay, now that we're here, we could go ahead and look around the file system or start to do some enumeration, because we have our initial access. So let's go ahead and try and upload LinPEAS. Again, I'm going to use my poor man's pentest framework so I can just simply upload that guy, nice and easy. Good, I'm already in that directory; let's make LinPEAS executable and let him run. A lot of stuff rolling through, oh boy. Okay, sudo entry: I should have just run sudo -l to see. User www-data may run the following commands here, no password, to run Perl with a specific script. Okay, peculiar. Can I see what that script does? /home, that was in itguy; can I see his files? I can. Oh, there's a user.txt file; can I read that? Yes, nice, nice. So that's going to be the first flag that we need; go ahead and keep note of that and submit it on the page. There we go. And let's see this backup.pl file, so cat-ing that out: it's running Perl. Can I write to that? Can I write to Perl? No, I cannot. But it seems to run sh on /etc/copy.sh. Okay, what is that guy? Whoa, someone else was here already. What is it? Why is it creating a reverse shell? Can I write to that? I can write to that, and it's running as root, owned by root, so maybe it's running... oh, I mean, I'm going to run it as root when I use sudo. So let's go ahead and modify this: nano /etc/copy.sh, and let's nerf that guy's reverse shell and put ours in. Pentestmonkey reverse shell cheat sheet, let's slap in the syntax for simple netcat; I mean, I guess we kind of had it already from this guy's, we didn't need to do that, but hey. I am attacker 10.8.0.38, and let's put it on port 777. Cool. Okay, so now let's get another shell ready and waiting for me: -lnvp; can't see because of my microphone, I shouldn't be looking at the keyboard anyway. So cat-ing that file out, now we have our reverse shell in place, and if I run it as root thanks to our sudo -l, we should be able to go ahead and sudo /usr/bin/perl, call a Perl script which in turn calls a bash script, whack enter, and now I have that shell here. I'll go ahead and stabilize: python -c... do I have Python 2 or just regular Python at my prompt? I do. Okay, so let's stabilize that shell, quick and easy for us; we could do the same thing with that script technique that I just showed. But now that we are root, let's go ahead and grab that root.txt file. Okay, all done, nice and easy.

That was kind of cool. I hope you like those techniques: abusing the SweetRice CMS, finding out some of those credentials because of their backups that we were able to look through, and then using that PHP code execution to add an advertisement into the page, so very, very cool. And searchsploit totally, really sped up our research for us, because we were able to go ahead and find that vulnerability and it's already well known. So that's that. I also wanted to use this video to showcase those spawning-a-PTY or TTY techniques, because I was able to open nano with that setup that I had, and I was able to potentially run su if I needed to. I know if you're just in a regular kind of reverse shell without stabilizing anything, then it's going to ask you, hey, you need to be in a full PTY. You can do that just as easily with these commands that you see me run often, and that new trick that I learned, /usr/bin/script -qc /bin/bash /dev/null, and exporting the TERM variable, and using stty raw -echo to get your foreground. Lots and lots of good stuff. So okay, that's all that I wanted to cover, a good quick and easy Linux room to showcase some of that stuff. Thank you guys so much for watching. If you did like this video, please do the YouTube algorithm things: press that like button, comment, subscribe, hit the bell (that's so weird to me, hit a bell, a real-life bell that you're just whacking repeatedly), whatever. Thank you guys, I hope to see you on the Patreon if you were willing to support; PayPal donations, I'm so, so grateful. Love you guys. Discord server link in the description, Twitter, Facebook, Instagram, LinkedIn, all the others. Thanks for watching.
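The root step in the walkthrough hinges on one misconfiguration: a NOPASSWD sudo rule lets a low-privileged user run a root-owned Perl script, and that script hands control to a shell script the same user can write. The audit below is an added example, not code from the video or the room: it parses sudoers-style rules, follows each NOPASSWD command to the absolute paths it references, and flags any regular file that is group- or world-writable. The sudoers line, file names and temporary directory it builds are constructed stand-ins for the room's /usr/bin/perl, backup.pl and /etc/copy.sh.

```python
# Audit sudoers NOPASSWD rules for a root-run script that calls a script the sudoing user can edit.
import os, re, stat, tempfile

# "<user> <hosts>=(<runas>) NOPASSWD: <cmd>"; the runas part is optional
RULE_RE = re.compile(r"^(?P<user>\S+)\s+\S+=(?:\([^)]*\))?\s*NOPASSWD:\s*(?P<cmd>.+)$")
PATH_RE = re.compile(r"(?<![\w/])(/[\w./-]+)")  # absolute paths inside a script

def parse_nopasswd(sudoers_text):
    """Return (user, argv) for every NOPASSWD rule in the text."""
    hits = (RULE_RE.match(ln.strip()) for ln in sudoers_text.splitlines())
    return [(m.group("user"), m.group("cmd").split()) for m in hits if m]

def is_writable_by_others(path):
    """True for a regular file that is group- or world-writable (directories and missing files are skipped)."""
    try:
        mode = os.stat(path).st_mode
    except OSError:
        return False
    return stat.S_ISREG(mode) and bool(mode & (stat.S_IWGRP | stat.S_IWOTH))

def referenced_paths(path):
    """Absolute paths mentioned in a text script; compiled binaries are skipped."""
    try:
        with open(path, "rb") as fh:
            data = fh.read(1 << 20)
    except OSError:
        return []
    return [] if b"\0" in data else PATH_RE.findall(data.decode(errors="replace"))

def audit(sudoers_text):
    """(user, weak_path, reason) for each writable sudo target or writable helper it calls."""
    findings = []
    for user, argv in parse_nopasswd(sudoers_text):
        for target in (a for a in argv if a.startswith("/")):
            if is_writable_by_others(target):
                findings.append((user, target, "sudo target is writable"))
            for helper in referenced_paths(target):
                if helper != target and is_writable_by_others(helper):
                    findings.append((user, helper, "called from %s and writable" % target))
    return findings

def build_fixture():
    """Constructed stand-in for the room: a perl script calling a mode-0777 helper (hypothetical paths)."""
    d = tempfile.mkdtemp()
    helper, script = os.path.join(d, "copy.sh"), os.path.join(d, "backup.pl")
    open(helper, "w").write("#!/bin/sh\necho backup\n")
    open(script, "w").write('#!/usr/bin/perl\nsystem("sh", "%s");\n' % helper)
    os.chmod(helper, 0o777)  # the misconfiguration: anyone can edit the helper
    os.chmod(script, 0o755)  # the sudo target itself is root-owned and not writable
    return "www-data ALL=(ALL) NOPASSWD: /usr/bin/perl %s\n" % script, script, helper
```

Running audit() on the real /etc/sudoers (and the files under /etc/sudoers.d) as root reports the same chain the walkthrough found by hand; the fix is to make the helper root-owned with mode 0755 or to drop the NOPASSWD rule.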
Info
Channel: John Hammond
Views: 52,445
Id: qDLtEP58bao
Length: 20min 25sec (1225 seconds)
Published: Thu May 21 2020