1 00:00:00,540 --> 00:00:04,710 In this video, we are going to solve the Simple CTF challenge from TryHackMe.
2 00:00:06,060 --> 00:00:09,570 The challenge is very good to learn practical pen testing for beginners.
3 00:00:10,320 --> 00:00:15,030 So on TryHackMe open the Simple CTF room and start your machine.
4 00:00:17,420 --> 00:00:20,150 Once you get the IP address, copy it.
5 00:00:23,170 --> 00:00:24,640 And move to your Kali machine.
6 00:00:26,540 --> 00:00:27,710 Ping your machine.
7 00:00:29,750 --> 00:00:31,250 And we do have the connectivity.
8 00:00:31,880 --> 00:00:34,640 Now let's just scan the target with Nmap.
9 00:00:36,830 --> 00:00:38,660 This -sS is for stealth scan.
10 00:00:39,240 --> 00:00:43,400 -sV is for version enumeration and -O is for OS enumeration.
11 00:00:49,990 --> 00:00:55,840 So we have three ports open on the target: 21, 80 and port 2222.
12 00:00:58,330 --> 00:00:59,520 So on TryHackMe,
13 00:00:59,530 --> 00:01:02,470 the first question is how many services are running under port
14 00:01:02,470 --> 00:01:04,000 1000, which are two.
15 00:01:05,420 --> 00:01:09,590 The second question is the service running on the higher port, which is SSH.
16 00:01:12,330 --> 00:01:15,000 Now we need to find the vulnerability on the target.
17 00:01:15,030 --> 00:01:18,390 Let's repeat the Nmap scan with the script.
18 00:01:19,480 --> 00:01:20,950 Just use the parameters
19 00:01:20,950 --> 00:01:21,810 --script
20 00:01:21,820 --> 00:01:22,180 vuln.
21 00:01:23,890 --> 00:01:24,930 Repeat the scan.
22 00:01:28,870 --> 00:01:31,690 Now open your web browser and browse to the website.
23 00:01:32,900 --> 00:01:35,510 And we can see that there is a default Apache page.
24 00:01:36,380 --> 00:01:38,210 Let's try to visit the robots file.
25 00:01:41,330 --> 00:01:42,920 There is nothing important here.
26 00:01:47,250 --> 00:01:50,670 Now let's try to brute force the directories and files with ffuf.
27 00:01:51,420 --> 00:01:53,520 Let's use the command as shown on the screen.
28 00:01:54,550 --> 00:01:57,070 We are using SecLists to brute force the directories.
29 00:02:02,270 --> 00:02:05,870 So ffuf has found one additional page called simple.
30 00:02:06,380 --> 00:02:07,910 Let's just visit it.
31 00:02:11,560 --> 00:02:14,130 So it is made on CMS Made Simple.
32 00:02:14,140 --> 00:02:17,920 And if you check the version, which is 2.2.8.
33 00:02:22,000 --> 00:02:26,920 Let's just search for the vulnerabilities in CMS Made Simple with searchsploit.
34 00:02:31,570 --> 00:02:33,460 So there are a number of vulnerabilities.
35 00:02:34,140 --> 00:02:40,920 But we are particularly interested in the SQL injection vulnerability that is applicable on versions
36 00:02:40,920 --> 00:02:42,630 less than 2.2.10.
37 00:02:46,830 --> 00:02:47,150 So
38 00:02:47,160 --> 00:02:52,350 the Nmap scan is also back and there are a number of exploits and vulnerabilities in the target.
39 00:02:55,290 --> 00:02:58,230 Let's just leave these vulnerabilities for another day.
40 00:02:59,520 --> 00:03:03,510 Now let's just download the SQL injection exploit with searchsploit.
41 00:03:06,990 --> 00:03:08,760 So our exploit has been downloaded.
42 00:03:08,790 --> 00:03:10,350 Now let's just open it.
43 00:03:11,910 --> 00:03:14,490 Well, you can see the CVE number as well.
44 00:03:16,240 --> 00:03:19,470 So copy the number and paste it into TryHackMe.
45 00:03:22,870 --> 00:03:24,940 Now we need to exploit this vulnerability.
46 00:03:29,890 --> 00:03:31,030 We tried to run it.
47 00:03:33,630 --> 00:03:35,700 And we have some libraries missing.
48 00:03:36,090 --> 00:03:39,330 And the script is also written in Python 2.
49 00:03:42,060 --> 00:03:42,750 On GitHub
50 00:03:42,750 --> 00:03:46,170 I found a Python 3 script for the same vulnerability.
51 00:03:48,150 --> 00:03:49,620 Just copy the code from there.
52 00:03:50,710 --> 00:03:53,140 Open a new file and paste the code.
53 00:03:58,710 --> 00:03:59,060 Now
54 00:03:59,070 --> 00:04:00,240 make it executable.
55 00:04:04,420 --> 00:04:05,440 And run the script.
56 00:04:12,670 --> 00:04:16,720 So the exploit requires a URL and the word list as parameters.
57 00:04:18,690 --> 00:04:19,380 Just provide the.
58 00:04:21,190 --> 00:04:24,040 And use the John list as a word list.
59 00:04:27,540 --> 00:04:28,470 And press enter.
60 00:04:29,510 --> 00:04:31,880 Now it will try to brute force the password.
61 00:04:31,880 --> 00:04:37,190 So the exploit has found a username, which is mitch, and the password as well, which is secret.
62 00:04:41,090 --> 00:04:42,860 Now let's log in with SSH.
63 00:04:55,190 --> 00:04:56,120 And we get a shell.
64 00:05:00,130 --> 00:05:02,170 So let's answer the question on TryHackMe.
65 00:05:06,220 --> 00:05:07,480 What's the password?
66 00:05:07,510 --> 00:05:09,970 We have already found the password, which is secret.
67 00:05:12,190 --> 00:05:14,320 So where can you log in with the details obtained?
68 00:05:14,350 --> 00:05:16,150 We use SSH to log in.
69 00:05:17,040 --> 00:05:20,430 Now, let's just cat out the user flag on the target machine.
70 00:05:20,560 --> 00:05:21,540 The cat command.
71 00:05:22,550 --> 00:05:23,780 And paste the flag on
72 00:05:23,780 --> 00:05:24,500 TryHackMe.
73 00:05:35,690 --> 00:05:38,840 Now let's check other users that are available on the machine.
74 00:05:40,160 --> 00:05:41,720 We move to the home directory.
75 00:05:42,630 --> 00:05:46,890 And we see that there is another user with the name of sunbath on the machine.
76 00:05:46,920 --> 00:05:49,260 Just answer the question on TryHackMe.
77 00:05:52,990 --> 00:05:55,360 Now let's try to escalate our privileges.
78 00:05:56,750 --> 00:06:04,070 Please use the command sudo -l to list our sudo privileges and you can see that we can run vim as
79 00:06:04,070 --> 00:06:04,520 sudo.
80 00:06:08,530 --> 00:06:11,020 So we can use vim to escalate our privileges.
81 00:06:13,950 --> 00:06:16,590 So let's just check GTFOBins
82 00:06:17,010 --> 00:06:19,410 for how we can escalate privileges with vim.
83 00:06:19,410 --> 00:06:20,640 Search for vim.
84 00:06:21,670 --> 00:06:24,820 So it provides different methods to escalate our privileges.
85 00:06:25,540 --> 00:06:26,980 Let's copy the first line.
86 00:06:28,160 --> 00:06:30,050 And run it on the target machine.
87 00:06:33,530 --> 00:06:35,810 And you are automatically escalated to root.
88 00:06:39,060 --> 00:06:40,050 Now, let's just
89 00:06:40,970 --> 00:06:43,970 go to the root directory and cat out the root flag.
90 00:06:47,260 --> 00:06:49,750 Copy the flag and paste it on TryHackMe.
91 00:06:55,310 --> 00:06:59,060 And we have successfully completed the Simple CTF from TryHackMe.