VOD - TryHackMe! Steel Mountain with Metasploit

Captions
To record... yeah, okay. I want to make sure that I am going to be recording, because I'd like to potentially reuse this sort of thing as content if anything good ever comes of this. Maybe we could repurpose some of this for YouTube videos and YouTube content, because that would be ideal, right? With that said, I guess let's go over to the computer screen and have some fun.

So what do you guys want to do today? I was thinking, I had in mind, we could do some TryHackMe, because I haven't done TryHackMe in forever. So I'm connected to their VPN and I'm logged in, and I don't exactly know what to do or where to go or how we should begin, but look at this zero-day streak, because I've done nothing for like a year. But we'll bump around, we'll just goof off. I don't know what kind of a room we want to jump into. I'd like to kind of start small, start slow. I will add the disclaimer: if we are trying hard against anything for a long, long time and I suck, like I fail, like I'm not getting anywhere, I'll be honest, I'll look at the write-up. So don't get angry at me if I goof off for a bit.

A couple of these paths, right, because TryHackMe is fantastic, if you guys aren't familiar with it for some reason (I'm sure pretty much all of you are). You can go into their practice segment or go into search or just look at any of the rooms that you would like to join.

And here's a question: "Hey John Hammond, have you ever done OWASP Juice Shop on stream before? Would be great for beginners, there is a TryHackMe room for it as well." I have not done that on a stream. I don't think I've ever done that in a video, honestly. I've never showcased OWASP Juice Shop, although it would be good to do. A lot of people are familiar with that; it's a good training tool. I will add it to the list. I don't know if I want to take it on right now. Does the OWASP Juice Shop one walk through everything that they showcase here, or how many things does it offer you? Oh yeah, exploration, okay. They'll give you some of the challenges but not all of them. They'll walk you through some of the easier challenges, but the harder challenges they don't do. That might be kind of fun.

White Cyberduck is asking, "Hey, OWASP ZAP versus Burp?" Neither, man, just do it in Python, use your requests module, use curl. I'm kidding. I like Burp, honestly. I'm not too huge on ZAP, the Zed Attack Proxy. But let's do something. I thought we were looking at these paths. I think I got started on the offensive pentesting thing and seriously haven't touched it again in eons, so it would be good. Yeah, I don't live that ZAP life. Do you live that ZAP life, White Cyberduck? "Let's get this certificate." Oh, you've got to earn it, you've got to press the buttons. ZAP gang. I didn't realize there was a squad, a ZAP gang squad. You guys are having too much fun already.

So the Getting Started section is walking through the tutorial of how to use TryHackMe; Vulnversity, which I've done and created a video on (not all that interesting); Blue, EternalBlue, also done and created a video; Kenobi, enumerating Samba shares, I also have a YouTube video on. So let's explore something else: Steel Mountain, which I theoretically have started but have not finished. So let's do that, I guess, again, sort of small. Can I click on that, please? Yeah, thank you. Okay, so I have to start the machine. I have already joined the room. I am in the VPN, I'm pretty sure I'm connected, I've got the terminal thing going up there. So, what did I leave off on, if I ever...? So I'm in my THM GitHub repo, where I try to take notes, or I attempt to take notes. I don't think I have a Steel Mountain directory, so let's create one of those. And yeah, that's fine. Can I... I am connected. Oh no, it's going; I was making sure that I was creating the room, or starting the machine.

So let's get a stupid README going. I would like to realistically be taking notes in Obsidian. I don't know if you guys use Obsidian for your note taking, or if you use OneNote or whatever you'd like to use, but yeah, go ahead and create a README at least just to start. I probably won't stick with this, because you guys know I'm awful at that, but it is still September 2nd for at least four more minutes for me. So let's poke around. Let me verify I'm actually connected to the VPN; it really doesn't think that I am. So maybe this thing that I'm connected to is just kind of wrong. Let me disconnect and reconnect. Let me re-download my VPN key; I'm going to not show that, by the magic of hiding things with my face. So now, what's the OpenVPN... hello? I guess there's literally nothing sensitive that shows. I think I'm connected now. Okay, cool, it now believes me and trusts that I am in fact connected. So let's ping this guy. Yeah, cool, he's doing better now. Let's export the IP address as that and save that as something that we could really use more while that ping is going. Sweet, now I can reference the IP address, because I'm going to forget it all the time, but 10.10.185.133, I should keep that in mind.

So, deploy the machine. "Who is the employee of the month?" What did I solve in this originally? How did it think that I had progress on this if I literally solved nothing? Well, I'm going to assume that the employee of the month is going to be displayed up here. Oh yeah, the month is right there. It doesn't show me his name, and I don't remember his name from the show Mr. Robot, but let's go and get started with an Nmap scan. I'll do `nmap` initial on the IP address so we start to scan this thing. Let me bring that way up so I can still actually use my terminal. The source of this web page will obviously tell us, or very likely have the name in the file, which it totally does. It looks like Bill Harper. Done. Okay, I don't need a language; I don't like that Sublime Text now tries to auto complete. Please let me select this, please, computer. Okay, now it tries to auto complete me defining code blocks. It's a little annoying.

But I should have read the instructions here, I should have actually made a deal: in this room, you'll enumerate a Windows machine, get initial access via Metasploit, use PowerShell for further enumeration on the machine, and escalate your privileges to Administrator. If you don't have the right security tools environment, you can use Kali Linux; you control it within your browser. Okay. "The machine does not respond to ping." I literally just pinged it. Yeah.

Blades is saying, "Hey, can you please record these so we can watch them later?" Yes, I am recording right now. This will be a Twitch VOD, etc., and it should be accessible for you if you're busy. But thanks for coming to hang out regardless, I appreciate you coming to say hi.

"Now that you've deployed the machine, let's get started with an initial shell. Scan the machine with Nmap. What is the other port running a web server?" Well, we have our results here. Let's get started with an all-port scan: `-oN`, and nmap all ports on my IP. And while we're doing that, let's go ahead and take a look at what was present in the initial scan. 80, of course, is HTTPD, Windows ports... oh, it has SMB, so we could do some stuff. It has RDP, and it has port 8080 running another HTTP server, so that would be worthwhile checking out. And there's a ton of other MSRPC ports. Can we get to 8080, please? We can, and this looks like it has HTTP File Server, and this is definitely something that's vulnerable; I've seen that before. But 8080 is the answer there. Oh my god, why can't I select text? What is life? I should probably take notes as to how I solve this. View web page, and Ctrl+U, or view source, to actually see that guy's name.

"What is the hardest exam you've taken?" Do you mean like... I see White Cyberduck's question: "Hey John Hammond, what is the hardest exam you've taken?" Do you mean like a cyber security certification exam? Is that what you're asking?

"Take a look at the other web server. What file server is running?" So it's HTTP File Server, but with... there's a longer word in here. Are you looking for Rejetto? Yes, you apparently are. Okay.

Certification tests, you're telling me. Yes, what is the hardest certification exam you've taken? OSED, the exploit developer one, was really tough for me, because I'm not all that good at exploitation and binary exploitation and reverse engineering and all of those spooky, scary things. With that said, OSWE, the web exploitation one, I put a horrific time crunch on myself. I was flying back from Christmas vacation, spending time with my girlfriend's family at her house, and I had to fly back to where I live during the exam time, and it ate however many hours because I was traveling. And then I was like, oh shoot, we have to go see family at the house. Hello SnipeSec, thanks for coming to hang out.

"What is the CVE number to exploit this file server?" Well, we could use searchsploit to examine this Rejetto HTTP File Server, or see what vulnerabilities might be up and at them. So, is searchsploit in my path? Yes, it is. Okay, so if you haven't used searchsploit before, searchsploit is a utility that lets you kind of look through Exploit-DB, or the Exploit Database that is normally held online, all locally, or kind of through the command line, and you don't need to open up your web browser; you can just search whatever you want with this searchsploit utility. So it looks like it found a couple things here. There is a remote command execution vulnerability; looks like that has a Metasploit module. That "(Metasploit)" tag there, I'm going to assume, is trying to tell me, yep, that's my display... multiple vulnerabilities in a Python script, arbitrary file upload. One is a Python script, yeah, there's a Python script, etc., etc.

What version are we up against? Version 2.3, okay, that's good to know. So any 2.3.x will be vulnerable to remote code execution, but we need to know what the CVE is. So let's take a look at one of these exploits, like the information in the documentation that they would provide in the file that's provided. So you can examine a given path that searchsploit might offer you with `-x`, and then you'll paste in the path that you can use for whatever entry you want to look at. So if I run that, it gives me a lot of information, and it looks like the CVE is displayed right there. So I'm going to assume, if I read through this, yeah, it looks like you can execute things pretty easily, so that is likely the CVE that we're looking at. "What is the CVE number to exploit this file server?" Do you mean like that? How many things did you need in there? One, two, three? What are you asking for? Tell me what you mean. Yeah, I get that, but I would expect it to be hyphens there. How many letters? I've got to count on my fingers: one, two... nine, no dashes, is that what you're saying? Yeah, I think it's got to be the other one, RCE 2, you have in mind. Thank you, chat, for coming to help me out. So let's take a look at the one with the Python script. We can again use that examine, and this has the same CVE number, so that might not be it. We should probably be looking at the one the Metasploit module uses, because realistically this said, hey, it's going to come from a Metasploit module, so that's this guy. We can examine that Metasploit module. You think the second text file, arbitrary file upload? We can try each of these; that's the fun part here. So the Metasploit module should show this all, but this is the exact same CVE number. This has a dash, and that's what they wanted. So just the Metasploit module listing, without the CVE prefix but with a dash between 2014 and 6287.

That's kind of annoying, but we got it, and now we know the answers. "What is the CVE number to exploit this file server?" Let's just grab that. Someone has shown me before a really nice utility that would help you download and pre-stage all of this documentation you might do, like with the question and with the prompt, for TryHackMe rooms. I don't remember the name of that, I've got to be honest. If anyone in the chat happens to know it, that would be incredible; please do say the word if you know what utility I'm thinking of. It's like you give it a TryHackMe room and it would look at the thing and pull down all these questions and offer the placeholders for you to put in the answers.

"Use Metasploit to get an initial shell. What is the user flag?" Do you guys want to use Metasploit, or should we try some of the Python things? Oh, here they offer access and escalation without Metasploit, so I guess we're going to end up doing both realistically if we try to go through this. Let's use the Metasploit module first and then see how they're going. GamerCat, hello, thanks for coming to hang out. I use Metasploit installed in /opt because I'm running Ubuntu, and I do need to run it with sudo if I want to be able to listen on ports that I need sudo privileges to be able to host on, to listen on. So I've just gotten into the habit now of running Metasploit with sudo. If you're in Kali, obviously, you may or may not need to, or whatever. Let's go ahead and search that HTTP File Server. Yeah, this is the Rejetto one, you can see it right there, so you could simply `use 0` if you wanted to specify the number that's returned from that. "No payload configured, defaulting to Meterpreter" is totally fine. Let's see what our options are here. We'll listen on tun0, which will be the interface that I'm using for the TryHackMe connection. If you aren't familiar with that, let me show you: `ip a s tun0`, that's going to end up being the device that you're connecting to for your tunnel in TryHackMe.

With that said, LPORT is fine, I don't exactly care. The SRVPORT is actually 8080, which we know that it is because we verified and tested it, but the RPORT is the target port that we want to target. So SRVPORT, we should listen on a different port on our side; let's modify that. Let's go ahead and set RPORT to 8080, and let's set our SRVPORT to like 9090, because we know that's going to listen locally. And RHOSTS, of course, needs to be what we're up against, which is 10.10.180.133... was that it? 185? Oh, it was so close. Congratula, hello, thanks so much for jumping in. Oh, I'm so used to... I was working in Empire previously, so I was so used to running `execute`, when I normally run `run`. I guess either of them will really work. Nope, never mind, I think it's `exploit`. Yeah. So, using it to stage on our host, 9090 was what we set, and then we would call back to the target, which we did, and then get a Meterpreter session. Nice, whoop-de-do, kind of point and click, right? Meterpreter and Metasploit make it pretty easy. But let's check out what we have in the current directory. Looks like we are all the way in Startup, but we want to get this user flag it's asking for. The TryHackMe prompt says, "Hey, what is the user flag?" So we need to hop over into that user's directory, or their Desktop directory, and then we should be able to see what flag they might have hidden for us. I'm doing a bad job of taking notes. Meterpreter uses Ruby to do a lot of its processing and parsing and stuff, so if you were to use backslashes to navigate in directories, you have to specify two of them to be able to actually escape out the escape character, because the escape character is a backslash. SnipeSec is asking, "Hey, what time is it for you?" It is 12:13 in the morning, as in it is midnight. Let's get into the Desktop, and then user.txt is the flag that we want here.

HydridGrum, I think, was very angry at me for showing flags, and I feel bad, but I do need to submit this. So I saw that that had some weird non-printable characters there, and I just totally ignored them because I was expecting hex to be the answer. So I grabbed that, and that looks like that's what it was. So we could use this, and now the next part is a privilege escalation. So let's use Task 3, privilege escalation: "Now that you have an initial shell on this Windows machine, we can further enumerate the machine and escalate our privileges to root." Cool. "To enumerate this machine, we'll use a PowerShell script called PowerUp. Its purpose is to evaluate a Windows machine and determine any abnormalities. PowerUp aims to be a clearinghouse of common Windows privilege escalation vectors that rely on misconfigurations. You can download the script here, and you can use the `upload` command in Metasploit to upload it to the target, and then using Meterpreter you could load in the PowerShell plugin with `load powershell`, and then you can get into PowerShell by using `powershell_shell`." Okay, let's mess with that. So I do already have PowerUp listed here; I have PowerUp in my /opt directory for tools that I use. So inside of the target, let's change directory into C:\Windows\Tasks, which is a directory that I know is going to be world readable and writable for just about everyone. So now with Meterpreter we can go ahead and `upload` that PowerUp.ps1 file, and then we'll put it right there. Fantastic, you can see it's present. Now let's `load powershell`, the plugin, and then use `powershell_shell` to work with it, interact with it.

Danny Urzua says, "Hey, Drake dropping by today, are you excited?" I have no idea what that means. Like, Drake who? Drake the singer, Drake the rapper? Does he rap? I have no idea. October is like, "Hey, John Hammond live on Twitch, am I dreaming?" Oh, thanks so much, man. Yeah, I'm trying to get into this, I'm trying to do better about just making stuff, so Twitch is a good outlet for me to do that. "Absolutely love your videos and your way of teaching, man." Thank you so, so much, I super appreciate that.

With that said, we are inside a PowerShell through Meterpreter, and we have PowerUp here. So what do we need? We need a dot-source on that, don't we? Yeah, so we source it; you could `Import-Module`, I think, or dot-source PowerUp. "Are you planning on making new CTF videos eventually?" Everyone always asks, everyone always loves to see the CTF. I would like to, yes. We might do that here on stream, in all reality, because a lot of people are asking for that sort of thing, and I know it's been forever since I've done CTF, but yeah, I'd like to.

"Taking closer attention to the CanRestart option that is set to true, what is the name of the service which shows up as an unquoted service path vulnerability?" Excuse me. So there are a lot of potential things we could abuse and take advantage of. It looks like from our Invoke-AllChecks output we have a couple of services that are in this unquoted service path category, and the check here, when CanRestart is true, means that we would have the ability to abuse that, and like maybe modify it and restart that service. So a lot of these look pretty worthwhile. In fact, this looks like it's the same service name being displayed over and over again. CanRestart is true for all of these: Advanced SystemCare Service 9. But it is false on all these other ones that I'm seeing: IObit Unserver, AWS thing. Why is this being displayed so many times? That's kind of weird.

"I just started cyber..." oh, excuse me, I'm reading Octoman's comment here. It says, "I just started university in cyber security this week, love it so far. You've inspired me to go down this path." Hey, thank you, man, I really appreciate that, that's super sweet. I'm sure you will crush it at university. If you've already been doing this sort of stuff, you know it's totally going to be something that you'll be able to cruise through.

Out here, it displays all the things that we could eventually abuse, and Advanced SystemCare 9 is definitely one with the CanRestart functionality, so that looks like our best candidate to try and take advantage of. Let's take note of that, copy that super quick. You guys jam into the music, I don't know if you can hear it. "The CanRestart option being true allows us to restart the service on the system. The directory to the application is also writable. That means we can replace the legitimate application with our own malicious one, restart the service, which will run our infected program. Use msfvenom to generate a reverse shell as a Windows executable. Upload your binary and replace the legitimate one, then restart the program to get a shell as root." That works, but why don't you just use the Invoke-AllChecks AbuseFunction, or like the `Install-ServiceBinary` one? Does that not work? `Install-ServiceBinary`, can I... no. I guess I can `Get-Help` on `Install-ServiceBinary`. Can I specify the binary that I want it to abuse? Name, string, username, password, local group, credential, command. Okay, so `-Command` is what we would want to have it do, and we'll want to execute it. We totally don't have... I really don't think that we're going to end up having antivirus on, considering it just told us to use a Meterpreter payload to call back to it. We're definitely not going to run into Windows Defender. Can I invoke the service binary and see what it does? I think it goes ahead and creates a new user, `net user john`. And was he created? No, seemingly. That's kind of annoying. Do I need to restart the service, or would it do that automatically for me? We don't have this user john created yet, so we should totally mess with that on our own; we could do that manually if needed. Let's go ahead and create this. Does my... I don't know if I have Defender on. So I'm using Windows on my host, and I want to make sure that I'm hosting... if I go ahead and add a Meterpreter payload just on my NFS share, I want to make sure that that is in their exceptions list, because I don't want them to be actually able to... yeah, I need to add an exclusion for a CTF... there we go, apply. Okay, so that should be okay now. Sorry, didn't mean for the quick distraction.

Looks like there are questions in the chat: "Hey, next eJPT certificate, what would you recommend me?" Optimizing... OSCP, that's a great, great way to go. The PNPT from TCM Academy will also be a really great certification. "Do you have any advice?" So truthfully, I haven't taken Heath's Practical Network Penetration Tester certification yet. I really, really want to. In fact, I literally just got his OSINT course the other day, so I could try and run through it and see, hey, what am I going to need for taking this test? Because I would really like to use it.

Let's get a Meterpreter payload, reverse TCP. We'll do `LHOST=tun0`, `LPORT` can equal 666, I guess. `-f` for the format, `exe`, and then `-o` can be like `met666.exe`. I think that works, right? Yeah, okay, it generates it, creates it, totally fine. Can I, in the Meterpreter or the PowerShell shell, break out of this? Okay, the `background` command did weird things; Meterpreter is still doing its thing. Let's upload... what is in my current directory? Let's upload that met666.

So that should be present if it will let me. What directory am I in right now? Did my Meterpreter die? I feel like my Meterpreter died. Hello? Can I re-exploit it? Because it makes it too easy. Yeah, give me real Meterpreter, please. Cool. Moving to Tasks, let's upload met666.exe. Cool, and we totally aren't going to have Defender on, because that will persist, that will remain on disk, that's fine. Let's `background` this, and let's `use multi/handler`, `set payload windows/meterpreter`... We need to make our Meterpreter, or multi/handler, settings match exactly what we had set when we were running the msfvenom command, because those need to be in sync for this to work. I'm going to use `run -j`, so this starts as a job, and then I'll go back to the sessions that I have open and I'll do `sessions -i 2`. Because I'm in a new Meterpreter session, I will probably have to reload that PowerShell session again, and it looks like I will. So when I previously ran the... I do a lot of scrolling, super sorry... when I previously ran Invoke-AllChecks, we had this result here for the binary that we were going to end up overwriting. Let's try and `dir` that, oh goodness, make sure it exists. It does. So what we can do is copy our met666.exe and put it over where that other binary is going to be. Let me hit Enter on that, and it won't let me. Okay, so I do need to stop the service then. Let's try and `Stop-Service` on the Advanced SystemCare Service 9 and see if that will let that turn off or not. Okay, it looks like it is stopped. Good.

And I see Alia in the chat says, "Hey, good morning John, I didn't know you streamed on Twitch, big fan." Thank you so much. Yeah, I'm trying to do this, just get into the habit, just do this more. YTE Mask says, "Hey, you started streaming a few days ago?" Yes, yes. Thank you, I appreciate you coming to hang out and watching. If you haven't, do all those Twitch things and follow and all that crap. I don't know how Twitch works.

Now let's go ahead and `dir` that again. Let's make sure: if I try and copy my met666.exe here... paste, oh crap, another... then I'll paste in the new path that I want to overwrite, which is the path of that service. Looks like it allowed me to, because I had stopped the service and it's not running anymore; you can see that error previously. Now if I were to `dir` that again, we should see the file size has changed. Yes, and it should match what we have in our own met666.exe. Perfect. So if I were to `Start-Service` on that previous service name, because I have the Meterpreter and Metasploit listener waiting, when I execute this we can see it does receive the callback, and we have a session open. Perfect. Now I am going to have to get out of my PowerShell sessions. I'll hit Ctrl+Z to do that, and I'll type in `background` again, or Ctrl+Z in Meterpreter, because now if I check out sessions, I have a session 2, which is our original Bill user, but I now have an NT AUTHORITY\SYSTEM on that same machine. Oh, and it died, which is a little frustrating. Okay, that's stupid and annoying. Can I start up another listener and then interact with number 2? Did this shell die yet again? Because that would be very frustrating. Looks like it did. Fantastic. Okay, oh yep, definitely dead. Let's use the Rejetto one, just as we had earlier: tun0, 999, that all works. Okay, perfect, that gets me an original shell again. Meterpreter session 4 still has a low privilege user, Bob. Once this is open, let's `load powershell` and run a PowerShell command. Cool. Is `Restart-Service` a thing? And let's get that service name again. I don't know if that's a thing or not. Nope... looks like it is. Perfect. Now let's immediately background all of these, and please let me get into session 5 as quickly as you can. Holy crap, holy crap, yes, yes, terminate the channel, I don't care, I just want to get switched to my session. Yes, leave, no, background. Do I still have... no, I don't even have session 5 anymore. What are you doing? That's super annoying. What do they do? Is that happening because... oh, they're just getting a regular shell, they're not even using Meterpreter. Let's do that.

So let's just generate a staged reverse shell, and let's listen on like 5555, and let's call that shell5555. Yeah, I think that will work. Okay, is session 4 still okay, or did that thing die? Because these shells repeatedly keep dying, and Meterpreter... looks like that's dead. Annoying. Let's just run this again. Again, keep exploiting this thing. I know you guys are loving all this troubleshooting that we're doing, right? Keeping it real. Yeah, you just want just a regular shell; you think that will work? I don't know if you already did, but I uploaded another Meterpreter shell which will allow me to do much more. It seems like the first one that loads is a little janky; maybe that's it, maybe it's because I'm just running in that service. Realistically, I'm not all that worried at this point. We should just be able to upload our shell5555.exe and then copy that to the original path that we're trying to clobber. I have to do a lot of scrolling to go find that again, but I will deal. Let's copy shell5555 to that. Oh gosh, yeah, let's just use the `copy`. Okay, yeah, overwrite, it is totally fine. Cool. First of all, let's start listening, so we have a... you can use a net service restart, right? It's `net start` service name, or `sc` you could use. But I don't know if that's the correct service name... looks like it is. Okay, I am NT AUTHORITY\SYSTEM. Let's get to C:\Users\Administrator\Desktop as quickly as we can. Oh my god, `dir` Administrator, why was that wrong? Did I have a typo? Bring me the Desktop, please. Cool, there's root.txt. I'm just in a regular Windows shell, so I need to use the `type` command, and that will display it out. Perfect. Did this shell just die? No, okay, it lived, but that submits that flag, so that is our root flag. Cool. Oh shoot, sorry, that is basically done, realistically.

Let's see what now: "Let's complete the room without the use of Metasploit." Okay. "First we'll utilize PowerShell and winPEAS to enumerate the system and collect the relevant information. To escalate... to begin, we should be using the same CVE, however let's use this exploit. You'll need a web server and a netcat listener active at the same time for this to work. To begin, you'll need a netcat static binary on your web server. If you don't have one, you can download it from GitHub." Why can't you just host it? Aren't you doing this from Linux? "You need to run the exploit twice. The first time will pull our netcat binary onto the system, and the second will execute our payload to gain a callback." Which exploit are you guys using? Why are you doing all this janky stuff? I mean, okay, I get that, and then you want to put winPEAS on it, but then you'll find the same thing we just did. I mean, we do... oh, that's the thing that I apparently had answered earlier: `powershell -c Get-Service`. I literally had done that before. "Generate a payload using msfvenom, pull it onto the system using PowerShell, use the unquoted service path to restart it," and they `sc` restart it. I don't feel like I need to do that, I'll be completely honest with you. We did it all right. So I probably bantered a little bit too much, and maybe that's not worthy of uploading onto YouTube, but if anyone wants to watch this VOD, they can do that. Oh hey, Zeon Frost and Octoman are hanging out saying, "Hey, the troubleshooting is the best part, shows how we approached it." Thanks so much, I super appreciate that. Sweet, I think we burned like 40 minutes doing that. Let me stop recording.
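The privilege escalation in the stream hinges on the unquoted service path finding from PowerUp's Invoke-AllChecks: a PathName with spaces and no quotes, a service that runs as SYSTEM, and CanRestart set to true. The script below is an added example written for this page (it is not PowerUp, not TryHackMe material, and not the streamer's own code) that shows, from the defender's side, the same check in working Python: given service records in the shape that `Get-CimInstance Win32_Service` returns (PathName and StartName), it reproduces the search order Windows would walk for an unquoted path, rates the finding, lists the directories whose write ACLs must be audited, and produces the remediation (the quoted ImagePath). It generalizes beyond the single service in the VOD to any list of services. The `Service` dataclass, the function names, and the `SAMPLE_SERVICES` records are all constructed for this example; on a real host you would feed in live values. The write-ACL check itself is not reproduced here because it needs a live Windows host.

```python
"""Audit Windows service image paths for the unquoted-service-path weakness.

Added example for this page (not PowerUp, not TryHackMe, not the streamer's
tooling).  The service records at the bottom are CONSTRUCTED sample data in
the shape that `Get-CimInstance Win32_Service` (PathName, StartName) would
return; on a real host you would feed the live values in instead.
"""
import ntpath            # Windows path helpers, usable on any OS
import re
from dataclasses import dataclass


@dataclass
class Service:
    name: str          # service short name
    path_name: str     # raw PathName / ImagePath, arguments included
    start_name: str    # account the service runs under
    can_restart: bool  # True if a low-privilege user may stop/start it


_EXE_AT_END = re.compile(r"\.exe$", re.IGNORECASE)


def split_image_path(path_name):
    """Return (exe_path, args, was_quoted) for a raw service PathName.

    A quoted path is unambiguous.  For an unquoted one we stop at the first
    space-delimited token ending in .exe, which is the same guess the Service
    Control Manager has to make and the root cause of the weakness.
    """
    s = path_name.strip()
    if s.startswith('"'):
        end = s.find('"', 1)
        if end > 0:
            return s[1:end], s[end + 1:].strip(), True
    tokens = s.split(" ")
    for i, tok in enumerate(tokens):
        if _EXE_AT_END.search(tok):
            return " ".join(tokens[: i + 1]), " ".join(tokens[i + 1:]), False
    return s, "", False


def search_order(exe_path):
    """Paths Windows tries, in order, for an unquoted path containing spaces.

    CreateProcess appends .exe to each space-delimited prefix before it reaches
    the real binary, so every prefix is a location that must not be writable
    by untrusted users.
    """
    tokens = exe_path.split(" ")
    prefixes = [" ".join(tokens[:i]) + ".exe" for i in range(1, len(tokens))]
    return prefixes + [exe_path]


def is_unquoted_vulnerable(path_name):
    exe, _, quoted = split_image_path(path_name)
    return not quoted and " " in exe


def quoted_fix(path_name):
    """The remediation: the same PathName with the executable wrapped in quotes."""
    exe, args, quoted = split_image_path(path_name)
    if quoted:
        return path_name.strip()
    return f'"{exe}"' + (f" {args}" if args else "")


def audit(services):
    """Return one finding per vulnerable service, highest risk first."""
    findings = []
    for svc in services:
        if not is_unquoted_vulnerable(svc.path_name):
            continue
        exe, _, _ = split_image_path(svc.path_name)
        decoys = search_order(exe)[:-1]   # everything tried before the real exe
        runs_as_system = svc.start_name.lower() in ("localsystem", "nt authority\\system")
        findings.append({
            "service": svc.name,
            "runs_as": svc.start_name,
            "can_restart": svc.can_restart,
            "severity": "high" if runs_as_system and svc.can_restart else "medium",
            "search_order": decoys,
            "dirs_to_lock_down": sorted({ntpath.dirname(p) for p in decoys}),
            "fix": quoted_fix(svc.path_name),
        })
    findings.sort(key=lambda f: f["severity"] != "high")
    return findings


# Constructed sample records (not the Steel Mountain machine's real services).
SAMPLE_SERVICES = [
    Service("SampleCareSvc",
            r"C:\Program Files\Example Vendor\Sample Care\SampleSvc.exe -run",
            "LocalSystem", True),
    Service("QuotedSvc",
            r'"C:\Program Files\Example Vendor\Quoted Service\svc.exe" -run',
            "LocalSystem", True),
    Service("NoSpaceSvc",
            r"C:\Windows\System32\svchost.exe -k netsvcs",
            "LocalSystem", False),
]

if __name__ == "__main__":
    for finding in audit(SAMPLE_SERVICES):
        print(f"[{finding['severity']}] {finding['service']} runs as {finding['runs_as']}")
        for p in finding["search_order"]:
            print("   tried before the real binary:", p)
        print("   audit write ACLs on:", ", ".join(finding["dirs_to_lock_down"]))
        print("   fix ImagePath to:", finding["fix"])
```

Only the first constructed record is reported: its path is unquoted and contains spaces, it runs as LocalSystem, and it is restartable by a low-privilege user, so it is rated high. The quoted record and the path without spaces are skipped, which is exactly the remediation the `fix` field prints: wrap the executable in quotes in the service's ImagePath, and confirm that `C:\`, `C:\Program Files` and the vendor directory are not writable by ordinary users.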
Info
Channel: John Hammond
Views: 21,521
Id: GYm8LNn-524
Length: 43min 39sec (2619 seconds)
Published: Wed Sep 08 2021