TryHackMe! Tartarus - Website Password Bruteforcing

Captions
Hello everyone, my name is John Hammond and welcome back to the YouTube video. We're still looking at some TryHackMe rooms, and this video was super duper requested by d4rckh, so shout out to you, my friend, this video is for you. We're finally taking a look at the Tartarus room. This is a beginner-friendly room; it's titled "a beginner box based on simple enumeration of services and basic privilege escalation techniques." So I've spun the machine up here and I already have some of these user flags and root flags submitted here, so please forgive me on that, but I'll showcase how we can get each of those.

So I will hop on over to my terminal where all the good stuff happens, and I will cd into ctf/tryhackme, and I believe I already have a directory for this recording. Yep. So let's start off with the README if we want to take good notes. We can start off with an nmap scan. What I'm going to do is I'm going to use RustScan, because everyone is all about that lately. I'll set a batch size of 500 and I will slap in that IP address and we'll see what we get. Looks like we have port 21 open, or FTP, port 22 open for SSH, and port 80 open for HTTP, or a website. With that said, we have a few things we can go explore. I'll fire up that IP address and we have a default Apache page, so we could do our usual test to check out robots.txt, see if that's a thing. Looks like we do have that, and there's d4rckh again, great. So we have an admin directory that is not supposed to be, admittedly, found right at the start, so let's check that out, and there we go, we have admin-dir, and this is a directory listing for credentials.txt. Okay, these look like potential passwords. Let's store this; I will wget this guy just to download that. And what is that, userid? Okay, these might just be names for users, so maybe credentials is a list of passwords while userid is a list of usernames. That is worthwhile; I don't know where we're going to end up using this. Maybe we can try Hydra because we have SSH open, but we should do some other enumeration other than just kind of our manual robots.txt.

So I will start a little Nikto session. I'll Nikto this guy, tee him to nikto.log. Nikto is just a simple web scanner; -h to specify the host, and I'll supply in the http:// prefix for this URL. I'll spin him off. I'll move my RustScan, because I'm sure he'll pass that to nmap and do some good stuff with it, but let's also start to run some gobuster. So let's gobuster, -u to specify that URL, and I'll use the wordlist from my directory-list medium that typically ships with DirBuster. I could let that run, and we could also specify some extensions if we really, really wanted to. But while that is enumerating, let's go ahead and take a look at some of those other services, because we know we have SSH open. If I were to try and netcat to that guy just to grab a simple server banner, looks like we do have OpenSSH on Ubuntu, so we have a good idea this is Linux, and we kind of had that same thought when we were looking at an Apache Ubuntu default page. There's nothing else in this source code here; I hit Ctrl+U just to view the source on the web page and I don't see any hidden comments or any other gimmicks that they might be trying to trick us or fool us with.

So let's take a look at that FTP URL, or that FTP port we could access. I'm just going to connect with my simple command-line client, ftp, here, and we'll see if that ever comes back. There we go... or not. Connection timed out. Uh, is the box still up, or did I hose the thing? Box is still up. We do have FTP on there, don't we? Yeah, there we go. Okay, okay, looks like it's running vsftpd. That is a later version of vsftpd. So there are some pretty well-known vulnerabilities for vsftpd, or the Very Secure File Transfer Protocol Daemon, um, but a lot of them are very, very old. If you see, like, 1.3.5, that's normally a big one to check. Anonymous: it might have anonymous access enabled, and we might already be able to see that if we've kicked off nmap, which we have. So RustScan found these three ports very, very quickly and now he's going to give that to nmap to do some actual enumeration with the aggressive flag and very, very verbose, and those specific ports. So I really, really like RustScan. It looks like he's already finished, cool, and there is anonymous access enabled, and everything that we already found. Nikto found our robots.txt here, sorry, that's humongous: "robots.txt contains one entry which should be manually viewed."

Anyway, let's get back to our FTP enumeration. Uh, if we're logged in as anonymous we don't need to specify a password, so I can just slap enter there, and now I am connected and I can run ls to see the commands I have here, or the files on the filesystem. I do see this test.txt; we can go ahead and get that as we would, and simply looking here at that test.txt file, that's the classic vsftpd test file. Grr, okay, annoying, uh, I did that also in Peak Hill, which is my room on TryHackMe, where I just left that file there also. Shout out and call back to Peak Hill. Don't forget when you're working in an FTP client to check for the hidden directory. So you can do that with ls -la, or that -a to note all files, and we see an interesting one that has three periods rather than one or two. So that symbol for one period, or a dot, means the current directory; two periods will refer to the parent directory; but a three-period is not normal, that's not actually a thing in usual computer speak, so they might be trying to hide something interesting there. Note that that is a directory; you can see that d prefix there to specify, hey, that's going to actually be a folder. So let's try and change directory, or the cd command, into that location. You can run ls again; there's nothing there. Don't forget ls -la, and now we see more interesting things, like another dot dot dot. So very, very clever, very, very tricky. Let's go ahead and cd into that again; we can see that is a directory, so let's hop over there, and now ls. Now we've got you_got_good_eyes.txt, and just for our safety, ls -la, and there's no other excess files. So looks like you_got_good_eyes.txt is what we want to work with, so let's get that. Now that we've downloaded that file, we have this you_got_good_eyes.txt file on my local system, so let's cat that out, and this looks interesting, because that forward slash might be indicating that that is a web directory or a location we can access on the website. So I see "super secret" in some leet speak; let's go check that out, and this looks like a login page.

Okay, very, very cool. We know we have credentials previously from when we found that robots.txt entry, so maybe we could try some of the credentials here, but it gave us a username list and a password list, so maybe we have to try and brute force some of these here. So you could do this with Hydra if you wanted to. I really don't like doing that, primarily because I dislike the syntax for Hydra, and because trying to determine and figure out whether or not it properly got a new page or successfully authenticated or not is really frustrating and annoying. So what I'm going to do is I'm going to look at the source code and see how this actually works, and then I'm going to write the script to log into all this and brute force this web login page with Python. So stick with me, I hope you don't mind. Let me open up my terminal and I'll start a, like, webbrute.py file, and I'll bring that down; I don't need to have some of my CTF challenges visible there. So let's go ahead and start with a shebang line, #!/usr/bin/env python3. I'm going to be working with online web stuff, so I will import the requests module. I'll go ahead and create a session; I'll use an s object, or a variable, to capture that session, and for good practice I'll go ahead and close it and leave that at the very end of my script here. So we know that we're working with this URL, and I'll specify that as a string variable, but this POST request, this actual form submission, is going to a very specific page: that's going to the action attribute in this form HTML element; that's going to authenticate.php, and it's going to POST to that location. So rather than using super secret as the URL, we actually want to make sure that we're using, based out of that current directory, going to that authenticate.php page. Let's go ahead then and now take the names of each of these variables that this form is waiting to accept. So I see username and I see password, and it's also good practice to just kind of include the submit value as well.

So let's go ahead and try that. Maybe we could just simply define a login function, and maybe, you know what, I changed my mind, maybe we won't need to use a session, because if that's going to be logging in, potentially one of these will actually get a hit; we don't need to capture that and keep it. So forgive me, I guess we don't need that; we'll just use the regular requests module. And let's continue our function, though. Let's get a username and password that we could simply supply here, and then let's do an r for request object to do a requests.post to that URL, which I will move up so we can actually have that variable defined already, and I'll include the data here that we're going to post. That'll just be a dictionary object, so username is simply what we will pass; the string variable is going to be the key here, because that's the data variable that that form, or that web page, is actually going to expect. This, without quotes, username, is going to be the variable that we pass in to this login function. I'll do the same thing for password: password, that will again be what we pass in, and I'll grab that submit value as well, just for good practice; that will be a constant or static string there. Okay, now we have an r object, so we can print that, or just return that, I suppose, actually, and we can print it later outside of that login page. But now let's just try to print login with "john" and "please subscribe", or "please sub". Cool, let me fire that off; we'll hit Ctrl+B and we got a response 200.

Let's actually grab the text of that page and see what it's going to return to us, because that might tell me... oh, "incorrect username". Oh, that's actually some good info, because we could go ahead and actually check what the username is before the password. If it's going to tell me just that first detail, that my username is right or wrong, then I don't have to, like, test every single one of them; I can just start enumerating all the usernames, and then I can start enumerating passwords after I've found the correct username. So let's go ahead and open up these files. I'm going to kind of collapse that page and let's get a little open function here: userid is the name of that file that has all of the usernames in it, and r to read it as a string. I'll use a little context manager here, so I'll use with open userid, read in with just a regular reading without bytes; I don't need to use that b prefix here, because I just want to pass in a string. I'll use h, and then I'll use h.readlines, or I'll just use h.read, because that way I can do some simple list comprehension to remove all the newlines and properly read that as a list. So what I'll do is I'll just say usernames equals h.read. h.read will return a big long string of all of the content in that file, so I'm actually going to end up splitting that on newlines, and I will actually go ahead and strip each of those. So I'll do a "line for line in"; this is some list comprehension, so some inline Python: h.read will be the data that we're looking through, we'll split it to get it into a list format, then we'll iterate through each of those, "for line in", and then we'll create a new list with that variable line being our iterator, but we will strip out maybe any excess newlines or stuff that just happens to be in there. So after that I should be able to print out usernames, and now I have a big long list of all of these here. It looks like I do have an excess, so that empty string can also be kind of easily removed if I just do "if line" in the list comprehension. So that line, if that line actually exists, if it's not an empty string, it'll go ahead and include it. My "if line" at the very end there will make that go away.

Okay, we have all the usernames; now let's grab all of the passwords. So, with, what is that, credentials.txt, is that right? Yeah, I think so. ls, yep, credentials.txt, cool. Let's grab passwords. Okay, so because we know from our little test earlier, just with our simple login function, we can determine if it is the correct username or not, so let's start by hammering usernames first and just passing in a bogus password. So let me do a "for username in usernames"; we can go ahead and try and log in. Let's actually get a response variable. I know, let's print out with a simple f-string, so I can say username, with the username variable passed in, we'll get this response. There we go, and let's try to run this, and I have a printf, accidental. Okay, let's, uh, do this in the terminal so you have a better look on it, actually. Let's do python3 webbrute: username d4rckh, incorrect; incorrect; thirtytwo, diablo, all those; enox, incorrect, incorrect. All of those are seemingly incorrect. Hmm, why is that? Oh, because I forgot to change the variable that we passed in; it is not going to be "john" anymore, it is going to be our username. Classic, good sanity check. You guys should have told me, you guys should have yelled at me, like, why, why didn't you let me know that I was wrong there? You probably did. Running this again, I see an oddball: I see this enox user gets an "incorrect password", so we know he is probably the correct username, because all these others are returning "incorrect username" and that one got past that layer of logic. So enox must be the right username. Now let's try that with the correct password, or try and brute force a password. So "for password in passwords", plural, we can specify enox, and then the password that we're looking for, so username enox, password can be passed in. I can type, I promise. And let's see how that goes. Let me try and connect to that: incorrect password, incorrect password, incorrect password, etc., etc. Uh, that's going to change the screen, so let me go ahead and clear that for you. Good brute forcing; I know Hydra probably could have done this just as well, but, oh, okay, we actually got a hit. It was able to log in, seemingly, with the credential enox and password1234. Good to know, let's take a note of this. Let's just, actually, if we were to have our README.md, we would go ahead and keep track of those credentials, so let's get that done, save that, and now let's go ahead and log in, now that we know that enox and password1234...

Okay, now we have an upload page where we can upload a file. I don't know what kind of file we might be able to upload, but we could certainly try anything. The most fun thing to try would be some PHP code to get code execution, right? So let's go ahead and copy over our /opt PHP reverse shell and let's get that into this current directory. I'll actually move that to, I guess, revshell.php. Let me check out what my IP address is: tun0, and I am 1411, so let's modify this revshell and use that IP address so it will call back to me with my reverse shell, and I'll listen on quad 9999, or quad nine; I don't need to say all those nines if I've already said quad, that's the whole point of saying quad. So that is now something that I could upload, and let's start to listen on things. Let me close out of some of these shells that we don't need anymore, and gobuster doesn't need to keep working. Let's go ahead and, I guess, start pwncat; that'd be fun. pwncat, um, source environment bin activate. pwncat does weird things with the, um, with the PHP reverse shell, though. Let me try it; I'll show you, I'll show you what I mean: python -m, -lp, and I used quad nine, right? python -m pwncat, sorry. Now that he will be listening, -lp; now that he will be listening. We're really doing well for this video, guys. Let's upload our reverse shell; that should be in ctf/tryhackme/tartarus. Slap in our revshell, upload that. Revshell has been uploaded. Now where is that going to actually upload to? Doesn't exactly tell me where, so I guess I can kind of start guessing: is that in simply revshell.php? No. Is there an uploads directory? No. Is there an upload directory? Where did you go, where did you put this thing? revshell.php, super secret. All right, let's try some DirBuster on this location, because apparently we need to. gobuster, http, -u, wordlist, /opt directory wordlist, please crank on that. I found images, okay, what is in images? There is an uploads directory in images, and that has my revshell. What is this, podcast? Thank you, TryHackMe, thank you, you're the best. revshell.php, click on that; we should have our callback coming through, ideally. No, "failed to daemonize". Did I have the right port in there? Did I do something wrong? Did I do something wrong again, and you guys didn't tell me? Oh no, no, no, no, I used the bad IP address. I am listening on tun1 right now. I'm a fool. So you know what the problem is, guys, to be honest, the problem is I've been trying to do more videos for you and I put in my Hack The Box address. Don't tell anybody, don't tell, don't tell TryHackMe, don't. Can I stink and log back in, please? What is it, your home.php? Yeah, okay, cool. revshell, do it. Uh, are we still listening? No, we aren't. Now let's get back to listening. Let's change these preferences, or this profile, to be black, so it looks like I'm on the attacker machine and it's super cool and stuff. images/uploads/revshell, whack that, and there we go, now our connection's coming through.

Okay, it's going to take a little bit of time with pwncat. Uh, we are working on pwncat, by the way; uh, we are trying to make it a little bit better, because obviously some of the stuff is a little bit slow and funky and weird. Also it's not very extensible if you want to pass in more arguments for a specific thing that you're trying to do, like running a module with real specific, I don't know, variables and parameters and options that you want to specify, um, like maybe doing enumeration or privilege escalation with crontab stuff. Because we're trying to make it better, we're trying to improve it, so we thought, well, originally we didn't want to go with, like, a Metasploit-like methodology in retrieving information or supplying information, so we didn't, and now we're reconsidering that. Um, what is this database doing, guys? Did I not specify... oh, I didn't specify a config file, so it's also probably whining about that. Okay, okay, okay, let's, no, pwncat, sorry, gosh, I hate doing that in videos, and then everyone's like, uh, it didn't do it. Let's, uh, try and stabilize our shell. So let me verify: do I have python on here? I do. Do I have python3? I also do, so it doesn't matter which stabilize-shell I really use, uh, two or three. Um, that script that I just ran comes from my Poor Man's Pentest framework, so if you're interested in that sort of thing, I have a talk on that on my channel.

Um, but let's see what's going on. I am www-data, the Apache or nginx or HTTP daemon service, or the user that's going to run the web server, and that's a low-privilege user. There's not going to be a lot going on right now, uh, so I need to do some privilege escalation and try and move into a better-looking account. I could do manual enumeration, I could do stuff with pwncat to do enumeration, I could run LinPEAS, I could do plenty of things. Let's take a look at what we have in /etc/passwd first; it's a good idea for these users. So I see a thirtytwo user, and there's d4rckh again, fantastic. Is this your room, buddy? I don't know what's going on. Yeah, so what can this account do? It's always a good idea to check sudo -l. It would be very, very weird for www-data, or a web account user, to be able to run commands with sudo. In this case we can, so good for us, right, from our attacker point of view that's great; I will take code execution when I can get it, especially as another user. Um, but maybe that's not normal on a web server, or it shouldn't be, right? So thirtytwo, this other user that we saw in /etc/passwd, can be used: we can access, as www-data, and use his account to run /var/www/gdb, or specifically this command, without a password, as the thirtytwo user. So GDB has GTFOBins, or has code that we could simply run to, uh, execute commands, or do malicious things, or read files or write files or upload files, or peculiar stuff. So if you go to gtfobins.github.io there's a great resource for all these Linux local binaries and common utilities that can be used with certain privileges or permissions to do other things, like escalate, potentially. So this can spawn a shell, and it will run with this syntax: gdb, I think it's, I don't know what the -nx is, no execute, or -x, or some command it can specify. Yeah, -ex looks like it's specifying a command, but let's go ahead and try and slap that in with our sudo syntax. I'll use sudo to specify a user with -u; thirtytwo will be the user that we're going to use, and we will have to use this specific command, right, /var/www/gdb, get that exact location in, and I'll paste in gdb with that syntax. Now if I whack enter, you can see GDB has started for me, but down below I have a dollar-sign prompt, which is not what GDB usually does. So if I run id, I'm running as that thirtytwo user, so we've executed sh, or started a shell. Let's actually start up bash so I have a better prompt here. I can check out whoami and I am still thirtytwo, so that works just fine.

We could go into thirtytwo's home directory; looks like he has a note.txt: "Hey thirtytwo, the other day you were unable to clone my GitHub repository. Now you can use git. Took a while to fix it, but now it's good." Incredible. Where's my user.txt? Am I supposed to have a user.txt, user flag? Should that have been www-data, or is that going to be d4rckh? That might be d4rckh. Um, let's check out what we can do as this user. Once again, simple sudo -l just to verify. Looks like he can run, as d4rckh, /usr/bin/git. So once again, git is a GTFOBins that can be used and abused. pwncat can do this, um, pwncat does weird things, because the privilege escalation and enumeration technique that it uses actually finds the setuid bit first on that binary rather than running it as sudo, so it, uh, tries that and then it doesn't properly get it. We're still working the bugs out, right? That's the whole point of it; we want to release it kind of in development, so showcasing what it's growing and what it's learning to do. Anyway, you don't care about that stuff, sorry for my tangents. d4rckh is the user that we want to run /usr/bin/git, and we'll slap in this syntax. Uh, let's try this one. You could use this one, because this one is actually setting a variable; it doesn't really work initially, especially if we're trying to use sudo with this, but git help config will launch the default pager, which is usually less, just like, kind of, that explains it, it's less, and you can tell because of our paginated input or output; I can use up and down arrow keys to actually get stuff. So I can use the dollar sign to try and run a command, and I will simply run bash. There we go, and now my prompt has changed and I am d4rckh. I'm the new user; I've once again done our horizontal privilege escalation, if that's the proper word for it, whatever. d4rckh, let's go into his home directory. Do we have user.txt? We do have user.txt. All right, let's slap that in, get those points and win TryHackMe. Just in general, let's just win TryHackMe.

What does this cleanup.py script look like? It's a Python script, right? So let's cat it out, see what we got here: #!/usr/bin/env python, import os, import system... um, how is this run, or is this run? Looks like it... sudo -l, can I invoke that? Oh, I need to know his password, and I don't know d4rckh's password, so that's annoying. Okay, so maybe that cleanup is run by cron or something. All right, we could check this out if we were just looking in /etc/crontab. Let's see what we have here. I do see a weird entry; it kind of slid under the radar because it's not at the very, very bottom, it's kind of at the top. So it is minute, hour, date of the month, month, day of the week, user, and it looks like we have every day, every minute of every hour, but every minute divided by two, so every two minutes it will go ahead and run cleanup.py. Now cleanup.py is in our home directory, it's in this d4rckh user's home directory that we have access to. So since this cleanup script that is run by root is in our home directory, oh, and we can actually write to it and control it, right, then we could make it do whatever we want, right? We could very, very well change this os.system command to actually run another command, like get a reverse shell, or copy the root file to a file location that we can access, or, what I really like to do is mark /bin/bash as a setuid binary, so that way it'll be able to be invoked by us and we can keep the permissions of root, and that root user that actually owns that binary, and we could actually use that to do some privilege escalation. So if I actually monitor the sticky bit, or the permission set on /bin/bash, you can see right now it's currently just regular rwx, but after our half a minute hits, after we get to minute 54, or a multiple of two, an even number, every two minutes, right, that should trigger, and because it's running as the root user, root has permission to add that bit to this binary, and then we'll be able to use /bin/bash -p and keep our privileges as root. So we got five seconds, four seconds, we got a little countdown. Let's see if it does it, fingers crossed, and there it is. Okay, awesome, now we can go ahead and run /bin/bash -p and you can see my prompt has changed with the middle hashtag, pound symbol, octothorpe, and I am root. So I can hop on over to the root directory here, grab that root.txt, and that box is done.

So very, very cool, very fun. Um, a couple of gimmicks that I think we've seen before in previous videos, so forgive me; hey, I don't like to be doing, uh, the same thing over and over and over again on different videos, but, uh, d4rckh had really, really asked for this, so hey, I hope you enjoyed. I hope this video is everything that you wanted. Maybe you learned some tricks with that Python gimmick; maybe that, uh, /bin/bash -p, or setting the setuid bit on, uh, bash, is always a fun trick to do. But just some good stuff, and fun doing some manual enumeration, uh, as we need to. Thanks so much for watching, everybody. I hope you enjoyed this video; if you did, please do press that like button, maybe leave me a comment, please do subscribe, you know, I'm super duper grateful. Thanks for watching, everybody, I'll see you in the next video. I love you, take care.
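Added example (my code, not John Hammond's webbrute script and not the room's authenticate.php): the reason the username list could be worked through before the password list is that the login page answered "incorrect username" and "incorrect password" separately. The leaky handler below reproduces that behaviour; the hardened one gives one message for both failures and does the same hashing work for unknown users, so a defender's self-check against it finds no difference. The user store, the dummy-hash trick and the `distinct_failure_messages` check are constructed for this demo.

```python
#!/usr/bin/env python3
"""Why the Tartarus login form was a username oracle, and how a uniform response
removes that oracle. Added example; not code from the video or the room."""
import hashlib
import hmac
import os


def _hash(password: str, salt: bytes) -> bytes:
    # PBKDF2 so that a stolen user store is not a wordlist away from plaintext
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


# Constructed user store with one account, mirroring the credential found in the video
_SALT = os.urandom(16)
USERS = {"enox": (_SALT, _hash("password1234", _SALT))}

# Hash work for users that do not exist, so the unknown-user path costs the same time
_DUMMY_SALT = os.urandom(16)
_DUMMY_DIGEST = _hash("dummy-not-a-real-password", _DUMMY_SALT)


def login_leaky(username: str, password: str) -> str:
    """Behaves like the room's page: the error text says which field was wrong,
    so a single bogus password per candidate name confirms valid usernames."""
    if username not in USERS:
        return "incorrect username"
    salt, digest = USERS[username]
    if not hmac.compare_digest(_hash(password, salt), digest):
        return "incorrect password"
    return "ok"


def login_uniform(username: str, password: str) -> str:
    """Hardened: one message for any failure, and the same PBKDF2 cost whether or
    not the username exists (timing must not become the new oracle)."""
    salt, digest = USERS.get(username, (_DUMMY_SALT, _DUMMY_DIGEST))
    password_matches = hmac.compare_digest(_hash(password, salt), digest)
    if username not in USERS or not password_matches:
        return "invalid username or password"
    return "ok"


def distinct_failure_messages(login, candidates, bogus="definitely-wrong") -> bool:
    """Defender's self-check: send one bogus password for each candidate name and
    report whether the responses differ. True means the form leaks which names exist."""
    responses = {login(name, bogus) for name in candidates}
    return len(responses) > 1


if __name__ == "__main__":
    names = ["enox", "d4rckh", "thirtytwo"]
    print("leaky form leaks usernames:", distinct_failure_messages(login_leaky, names))
    print("uniform form leaks usernames:", distinct_failure_messages(login_uniform, names))
```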
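Added example (not from the video or the room) for the crontab part of the walkthrough: an audit that parses system-crontab lines and flags entries run as root whose script, interpreter, or the directory they sit in can be changed by a non-root user, which is exactly the condition that turned cleanup.py into a root shell. The crontab text and the fake stat table standing in for the filesystem are constructed; the function names are mine.

```python
#!/usr/bin/env python3
"""Flag cron jobs that run as root but execute something a non-root user can modify.
Added example; paths, ownership and the crontab text below are constructed."""
import os
import stat
from typing import Iterator, List, Tuple


def parse_system_crontab(text: str) -> Iterator[Tuple[str, str]]:
    """Yield (user, command) from /etc/crontab-style lines: m h dom mon dow user command."""
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        fields = line.split(None, 6)
        # SHELL=... / PATH=... assignments and short lines are not job entries
        if "=" in fields[0] or len(fields) < 7:
            continue
        yield fields[5], fields[6]


def absolute_tokens(command: str) -> List[str]:
    """Every absolute path in the command: interpreter and script both matter."""
    return [tok for tok in command.split() if tok.startswith("/")]


def mode_is_tamperable(mode: int, uid: int) -> bool:
    """Someone other than root can write: group/world write bit, or a non-root owner
    with the owner write bit (cleanup.py: owned by d4rckh, mode 0644)."""
    if mode & (stat.S_IWGRP | stat.S_IWOTH):
        return True
    return uid != 0 and bool(mode & stat.S_IWUSR)


def path_is_tamperable(path: str, stat_fn=os.stat) -> bool:
    """Check the path and its parent (a writable directory lets the file be swapped)."""
    for p in (path, os.path.dirname(path) or "/"):
        try:
            st = stat_fn(p)
        except FileNotFoundError:
            continue
        if mode_is_tamperable(stat.S_IMODE(st.st_mode), st.st_uid):
            return True
    return False


def find_hijackable_root_jobs(crontab_text: str, stat_fn=os.stat) -> List[Tuple[str, str]]:
    """Root-run entries for which any referenced absolute path is tamperable."""
    return [(user, cmd) for user, cmd in parse_system_crontab(crontab_text)
            if user == "root" and any(path_is_tamperable(p, stat_fn) for p in absolute_tokens(cmd))]


# Constructed filesystem: path -> (st_mode, st_uid); uid 1001 stands in for d4rckh
DEMO_TREE = {
    "/": (stat.S_IFDIR | 0o755, 0), "/home": (stat.S_IFDIR | 0o755, 0),
    "/home/d4rckh": (stat.S_IFDIR | 0o755, 1001),
    "/home/d4rckh/cleanup.py": (stat.S_IFREG | 0o644, 1001),
    "/opt": (stat.S_IFDIR | 0o755, 0), "/opt/backup.sh": (stat.S_IFREG | 0o755, 0),
}


def fake_stat(path: str) -> os.stat_result:
    """os.stat replacement reading DEMO_TREE (stat_result wants a 10-tuple)."""
    if path not in DEMO_TREE:
        raise FileNotFoundError(path)
    mode, uid = DEMO_TREE[path]
    return os.stat_result((mode, 0, 0, 1, uid, 0, 0, 0, 0, 0))


# Constructed crontab modelled on the entry described in the video
DEMO_CRONTAB = """\
SHELL=/bin/sh
# m h dom mon dow user  command
*/2 * * * *   root    python3 /home/d4rckh/cleanup.py
17 *  * * *   root    cd / && run-parts --report /etc/cron.hourly
0 3   * * *   root    /opt/backup.sh
"""


def demo() -> List[Tuple[str, str]]:
    return find_hijackable_root_jobs(DEMO_CRONTAB, fake_stat)


if __name__ == "__main__":
    for user, cmd in demo():
        print(f"root job with non-root-writable target: {cmd}")
```

Run against a real host by calling `find_hijackable_root_jobs(open("/etc/crontab").read())` with the default `os.stat`.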
Info
Channel: John Hammond
Views: 90,451
Id: muyWa_XbjN4
Length: 31min 58sec (1918 seconds)
Published: Mon Aug 24 2020