Hello, everyone, my name is John Hammond. Welcome back to another YouTube video. And I am very flattered to be able to bring to you a video walkthrough of day 16 of TryHackMe's Advent of Cyber event. So I have connected to the OpenVPN. I'm logged in to TryHackMe. I have deployed the machine for today's task and I'm ready to dive in. I'm excited about this one. I had fun with this and I hope you do too. So without further ado, let's get started. This is created by Bee. So special shout out and kudos and thank you to Bee. It says, oh no, Santa has taken off, leaving you, the faithful elves, behind. Can you help find Santa's location? I'll use my little tablet over here so we can get some fun little interactive stuff. Luckily, the elves are OSINT masters and remember a thing or two. Specifically, they remember Santa has a webpage at 10.10.48.42/static/index.html. Now that's my IP address specific to the virtual machine that I deployed for my room or my task here. That IP address might be different than yours. So you wanna be sure to be using your IP address as you work through this exercise. Problem here is that Santa never told the elves what port number the web server is on. Can you find out? So normally, when we're working with a web server or a website, we'll often see that on port 80 for HTTP or the hypertext transfer protocol. Oftentimes you might also see it on port 443 when we're using HTTPS, where that extra S could mean secure because it's being passed through the secure sockets layer and the communication is encrypted. In this case, we don't know if it's on port 80 or port 443 or anything else. So we're gonna have to go find out. The next message here is that the webpage has a link somewhere on it hidden away so that anyone that isn't an elf can't find it. So we're gonna have to track that down. Santa's sled has an API we can talk to. The key for the API is between zero and 100 and it's an odd number, but be careful. 
After an unknown number of attempts, Santa's sled will ban your IP address and you'll be blocked. I really disliked that. I went through this initially and was trying to think of some clever ways to get around that, to circumvent that, and normally what you would like to do in an ideal situation is be able to come from a different IP address, so it looks like your source location is different each time. You might use a proxy and I thought I could get clever. I thought like, oh, I could just use a proxy. Yeah, I can just grab some free ones online and then be able to try and connect to it. Problem is that we are connected through TryHackMe's VPN and that's gonna end up being something that only our local machine has access to because only our local machine is through the VPN. I also tried to get super clever and I dug myself into a rabbit hole that was fruitless. I thought like, oh, I could use ngrok to be able to like bring out the TryHackMe VPN access into the public space so I could use a proxy to access ngrok and then get forwarded to the TryHackMe victim target machine. That was an accident and mistake and I dug myself into that and tried to record this earlier not realizing that, hey, it's still going to end up being a local connection because I've just port forwarded my local host to the TryHackMe machine, and going through the proxy and going through ngrok is just adding extra unnecessary steps because at the end of the day it's still my machine through the VPN. So I would not advise other people to do that, but I thought I could get clever and maybe in a different situation where we're not connected to the VPN that could be possible. I also thought, oh, I'll fire up the TryHackMe Kali box or the attack box, and then because that's not connected through the VPN but it's still accessible through the internet, oh, I could maybe get around it. 
I thought let's try and add some other IP addresses to the interface, and that would make me lose my connection to the TryHackMe attack box or Kali box. So that didn't work either. So those are different thoughts or different ideas that you might be able to get around, okay, if some machine is set up with a little ban situation where it'll block you after a certain number of brute force attempts. But that's anyway a tangent, a side note. We should get down to what we're really doing here, but if you are ever in that situation again, maybe we can explore a different video showcasing that. Let's deploy the machine that's running Santa's sled and allow a couple of minutes for the target to spin up. I've already deployed the machine and this is my IP address, but note that will be different than yours. So we will be using our Python skills that we learned from day 15 to find out the correct key for the API and we'll also be doing that throughout this little activity here. The first question is what is the port number for the web server? So let's go ahead and dive in. I am gonna clean this up here and I'll hop over to my terminal where I already have a folder created for today's task. Now, if we want to go ahead and scan and try and find what ports might be open or that web service might be listening on, well, we could use a tool like we've kind of seen before in previous tasks. We could use Nmap or we could use RustScan or we could use any other kind of scanning utility you might like. I'm gonna go for Nmap because it's, I don't know, old and trusty Nmap, right? So that syntax is going to be nmap and then the IP address of the host. So I will grab that here and copy and paste that in. Now, when you're using Nmap, you might in a different situation wanna throw in other parameters or other arguments like, let's use -sC to run default scripts, -sV to enumerate versions. 
If you wanted to do some operating system fingerprinting like with -O, you would need to be running as root with that. So you need to prefix your command with sudo. We don't need to do any of that. In this case, we just kind of wanna scan the bare-bones basics, at least to get us started, right? But wouldn't it be nice if, in case there were other ports or it were taking a long time to scan, Nmap could tell us what it found immediately as it found it, right? So we want Nmap in verbose mode. So I'll throw in that -v here and I'll let that run. It might take a little bit, but you can see, okay, we're kickstarting Nmap, we're starting the scan, we've got the ping scan going, that worked nice and easily, and now we'll try and scan all these 1,000 ports, and that's the default operation of Nmap when you haven't supplied any other arguments. It'll look for the 1,000 most common ports. And there we go. Looks like we were able to discover one open port, port 8000, over on the host here, and let's see if there's anything else present. We'll let Nmap finish here, but that one sticks out to me because you might often see 8000 as a port that could be used as an alternative for hosting an HTTP service. Now we don't know for sure, right? We didn't have any other scripts to scan or to look at it, so we'll have to do our own manual investigation, but that looks like a worthy candidate. So port 8000. Now let's hop over to our web browser and take a look. We could use curl from the command line if you wanted a quick test, or you could start to write your Python script if you're kinda going at it, going crazy already, but we know now that 8000 is what we wanna look at and investigate. So I will create a new tab here and I'll go to that IP address on port 8000. There we go, the page loads for me. Ooh, and I see Santa's tracking system. 
I don't know if this is missing some CSS or images or some flashy animated JavaScript or anything, but the page looks kinda bare bones for me. It says Santa's tracking system. Are you an elf that Santa has forgotten? Use this system to track Santa. Note, due to how many humans are trying to find out where Santa is, the link is hidden on this webpage. You're gonna have to manually click every single link, or perhaps there's a way to find all the links as fast as a Python. Ooh, I like that kinda subtle nod and a hint to using Python here, that's good. Now obviously looking at this there are a lot of links just scattered throughout this text and this information here. We wanna see which of those could give us a little bit more information as to what this website can do. So let's just kinda start with the basics. Let's right click on the page and hit view page source, or you could hit Ctrl+U on your keyboard if you're a hotkey guy or like a keyboard junkie, right? I'll do that. And now we're gonna be looking at the HTML source code that might build and create this website. You can see a lot of references to some CSS, I guess that should be in here, or some images. Maybe they just aren't being passed through or whatever the case may be. But scrolling down, looking at all those links in this paragraph we were just reading. The links are the anchor tags, right? That a element in HTML. The href attribute for that element or tag will indicate what that link might very well be. And I'm reading through here once again. I wanna see if there's anything else other than a reference to tryhackme.com because, well, we know tryhackme.com, but I wanna see if there's anything else interesting about this website. And we could again, just as the page mentioned, we could manually be looking through all this. We could just kinda look at it with our eyeballs, but in the case that this is a ginormous application, in the theoretical world if we were doing this for real, right? 
We would want to automate it. We would want to script it. So sure, I'm scrolling down. I'm looking through all these hrefs and these link or list elements in this little unordered list here. And I do see, okay, there's a reference to MACHINE_IP/api/api_key. Now it can't fill in the machine IP just 'cause I don't know if it has that contextual awareness, but we know that's a reference, okay, that must be the API we could access. Again, we just did that using our eyes looking at the source code, but we should do that with Python. And we think that would be some good practice. So I'm gonna hit back and go back to the TryHackMe task here and start to fill some of this in. The port number for the web server is in fact 8000, and we have now, excuse me, we have now seen the directory for the API is /api when we aren't specifying the API key. You could see here in the hint, it's telling us, hey, TryHackMe Advent of Cyber, everything that we've already done in these previous day tasks, you've already learned a little bit of using the Python scripting language and using the requests library or the BeautifulSoup library in the previous day, day 15, to try and extract data from these web pages. So forgive me, I'm gonna cheat a little bit, but hopefully echo and call back to what we've learned about in the previous day. I'll scroll up back to our day 15 here and down at the very, very bottom, after all this incredible awesome great learning of the Python language, we do see some usage of libraries. We do see using BeautifulSoup and the requests module. And the example that they gave was literally finding links on a web page. So we can tinker with that. Looks like we were installing requests and BeautifulSoup. Let me verify that I do have that set up and installed. Do I have bpython on here? Let's find out. I do, okay, cool. So I like bpython because it's good for like presentations and color coding and stuff. 
Okay, and I do have bs4 or BeautifulSoup, for that import did not error out. So I know that I can just quickly grab some of this and work with it. I will, again, just kind of cheat here. I'll grab this code that they suggested and let's subl link_grabber.py just to open up a text editor. I'm gonna be using Sublime Text. So that's that subl entry there. Now, if I were to make that a little bit larger so we could see it, I'll paste all this in and I'll add a shebang line for #!/usr/bin/env python3 because I think it's good practice to have the shebang line, and these comments are explaining, hey, we'll import the libraries and then let's create an object to store the response from our requests.get request. Now we need to change this URL, obviously. We're gonna end up going to the IP address on that specific port here. So I will grab that, paste that in instead of that test page that it had referenced there. And now that html is the response object. When we try and create a soup object, or we pass that to BeautifulSoup so we could parse and grab everything within that document, I'm not positive if this is going to error out or read well. I think it needs the whole string. I'm not exactly a thousand percent positive, but let's try it. Then we end up finding all of the anchor tags and their href items within that BeautifulSoup object. We create that as a list of links and then we loop through every single link and try to print them out. So let's give that code a go. Well, let's see if we can do that. Hopefully there are no errors. You could mark it as executable. You could just run it with the interpreter itself, but okay, I am getting bumped with an error here. Response object has no len(), so we do need to convert that to kind of the string or the text and get the actual response of the webpage rather than just reference the response object. So I will use that html.text there. 
That's how we could access what the response actually returned, the content within that request response. Let's try and run that code. Okay, that did not seem to display anything out to the screen, but we got a little bit closer, right? Because we didn't have any errors. So let me print out the links just to see if we have anything, or I can print out the soup just as well. Let's print out the soup first as some quick debugging and troubleshooting here. So if I were to run that script again, have I actually got everything? I have, okay. So all the HTML has now been sort of pushed to the side and it's all stuff like noodles that the soup can process. So let's see if we got any links when we tried to find_all in that way. Hopping back, now that we have the print statement on the links, and that's an empty list. Okay, so let's narrow this down. Let's try and grab the attribute kind of on our own. Let's just search for all the a tags or the anchor tags. How about that? Now let's print out the links and see if we got any. Actually, we don't need to do this print links because our for loop will do that for us automatically. So with that for loop set to display them all out, if I go ahead and run that script now, there we go. Okay, I see all the href anchor tags and that displays the href part of it, right? So we should be able to see that MACHINE_IP pretty easily. If we wanted to narrow that down a little bit more and ignore this boilerplate href, we could try and just carve out the attribute. What we could do is we could try and actually print the link, that link object that BeautifulSoup has parsed out, and just kind of reference or index it with the key of the href attribute tag. Now when I go ahead and run this, it will, I think, grab one link but then fail because the next link or the next a tag might not even have that attribute. That's the KeyError that we're getting. So some quick insight, right? 
So with our own intuition and critical thinking we could just simply check if that href key is in the link attributes or attrs, and then we could go ahead and print it if it does exist. Just adding a simple condition there. I think I have a little misconfiguration between a tab and some spaces here for indentation. So Python will probably yell at me because I'm using Python 3 now. So let me make sure I can convert all these indentations to a tab, and I'll do that in Sublime Text in the View tab up there. Good enough. Hopefully you don't have to run into that issue, but now if I run this script, there we go. Okay, now I can see all of the inputs, and if I wanted to get even more smart I could pipe this to like uniq, and I could now see all of the unique links that we've seen on that page, and there it sticks out like a sore thumb, the /api/api_key. Awesome, okay. That's how we could simply solve that task with Python. So now let's get right back and see what else we should be doing. Let's get to day 16 where Santa, and it says, find out the correct API key. Now remember, this is an odd number between zero and 100, and after too many wrong attempts Santa's sled will block you. Now you've already heard my quibble about that, so let's check the hint and see what kind of thing they recommend. Ooh, if you get blocked, you can always terminate and redeploy the target machine in today's task to try again. I am like struggling to press the I believe button on that, right? Because obviously this is a training environment, right? It's not for realsies, but I would like to be able to showcase and build out some solution where we are pivoting through different proxies as needed, and maybe I could do that some time again in the future, but having to redeploy the machine, well, that's gonna take two minutes and that's gonna slow down our theoretical brute force. 
Obviously we're going through zero to 100, so it's not a huge brute force range, and we're even just looking at odd numbers, so it's not a huge brute force range, but if it were, we wanna make that as stealthy as we can and we wanna make that as fast and en masse as we can. So anyway, let's do it. Now we need to find out the correct API key and it's an odd number between zero and 100. Let's just take a stab at it and hope we don't get blocked. We know all this information though, that it's between zero and 100 and that it's an odd number, so we can use that to our advantage and maybe sharpen our script here to be able to find that API key. I will save a copy of the script to api_bruter or something, and I will remove all of the BeautifulSoup stuff that might be coming through because we don't exactly need all that if we're just gonna start to hammer the service. Now a lot of you might already be aware we could loop this in Python, right? The link that we're gonna end up working on is /api and then the API key would be the number that we pass at the very, very end here. So if I were to specify maybe an f for a format string in Python 3, api_key is a variable that we could create and send along, right? That'll be included inside of the string because we're using that format string and that api_key name there will reference that variable. Now I could try to print out the html.text or the response.text, right? And let's see what it returns for us if I just specify one as the API key. I just kinda wanna get a good idea as to what the response will be. It says, oh, item ID is one, but error, key not valid. Okay, so now we need to start to figure out what that API key might be. We should try and brute force this number. We can do that super easily with Python. Rather than setting a static single one-time value for this variable, let's make it our iterator in a loop. So let's do for api_key in the range of one to 100, but we know we only care about those odd numbers. 
So we can make the step variable, or that third kind of argument here inside of this range, two, because that way we'll count from one to three to five to seven to nine to 11 and just be looking at the odd numbers rather than the even numbers. Now we can make that request and try and print that out inside of our loop. It's probably also a good idea to print out what API key we're looking at. So I will reference that with another format string here. And just a simple script, just a simple loop, should hammer it and give us enough information that will be helpful for us. API key one, three, five, seven, and you can see it's being reflected in that item ID. So that's nice and good for us, but the key is not valid for each and every single one of these so far. Hopefully and thankfully we haven't been banned or blocked just yet. So hopefully we can find the key before it happens. And there we go. Okay, we got some new information. Let me pause that. Let me Ctrl+C and stop that. Scroll up past all this big error message here. I do see API key 57 is set to a response here. Winter Wonderland, Hyde Park, London. So let's copy that and let's see if I can submit that as the answer, knowing that 57 was the correct API key. Yep, that was solid. And where is Santa right now? Well, it's Winter Wonderland in Hyde Park, London. Submit, nice. All right, we got that and we got that done. Whew, that was a fun one. That was kind of a quick and cool one, I think. I hope you had fun with it just as much as me. Again, I will footstomp and emphasize my stumbling block points in wanting to deal with the machine blocking you. It was an interesting problem that I kind of wanted to solve and circumvent, but being within the restraints of the TryHackMe VPN, it's tough to do. There's no way, as far as I know, to request from the VPN server itself like, hey, can you give me a new IP address? I want to impersonate someone else. Just kidding, we don't include that last part of the message. 
We just ask, can you please give me a new IP address? It won't do that. And if you were to have a different IP address, the VPN connection, as we see in our terminal when we try and connect to it with OpenVPN, you'll see some of those error messages that are like, hey, this communication is coming from a bad client, not the right client, and it won't respond. You won't have the connectivity. So that gets in the way. We could automate some way for TryHackMe to generate a new OpenVPN certificate for us, because that connectivity is of course tied to the certificate, but that's gonna be kind of big and wonky. And for such a small, tiny task like this, I don't think we needed to do that. But note, if I were to keep brute forcing after we've made so many requests from our IP address, it'll activate the Santa protection mechanism, and then we will be banned and blocked. There we go. Now, none of our requests will actually be, and we won't be able to determine if we have the correct IP address. Oh, interesting, Leo. That we wouldn't, I thought we wouldn't be able to determine the correct API key, but it looked like even with the Santa protection mechanism activated, it just told us the correct one. Maybe that was the interesting gimmick. We wouldn't have known, right? That's kind of fun. I don't know if that's intentional or not. Oh, that's awesome. 57, and there it gets the answer for us. Okay, goodness. Well, hey, that was a lot of fun, tiny task, right? There weren't a whole lot of questions in here, but it was still good and kind of fun to stretch and flex some Python muscle, but I hope you enjoyed that one. And that is a solution. That is the correct set of answers for day 16 of TryHackMe's Advent of Cyber, where's Santa? So kudos to Bee, kudos to you, TryHackMe, kudos to everyone on the team. Thanks again and again. Thank you again and again. This is a lot of fun and I'm really enjoying it and I hope everyone else is too. So thanks for watching everybody. 
That's the end of the video. If you liked this video, please go check out the John Hammond YouTube channel. I don't know how to end this stuff without being a shill. Thanks so much for watching everybody. I'll see you in the next video. I love you. Take care.
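The two Python steps walked through in the video (the link grabber with the `"href" in attrs` check, and the odd-keys-only loop against `/api/<key>`), as an added example that is not the video's own code: it uses the standard library's html.parser in place of BeautifulSoup, the sample page and the sled API are constructed stand-ins so nothing contacts the real target, and the loop stops on the first ban response instead of continuing to hammer a blocked host.

```python
import json
from html.parser import HTMLParser

# Constructed HTML shaped like the task page: decoy tryhackme.com links, one
# <a> with no href (the KeyError from the video) and the hidden API link.
# MACHINE_IP is the literal placeholder the page itself used.
SAMPLE_HTML = """<h1>Santa's tracking system</h1>
<p>Are you an <a href="https://tryhackme.com">elf</a> that Santa has
<a href="https://tryhackme.com/room/x">forgotten</a>? Use this
<a name="top">system</a> to track Santa.</p>
<ul><li><a href="https://tryhackme.com">decoy</a></li>
<li><a href="http://MACHINE_IP/api/api_key">hidden</a></li></ul>"""


class LinkGrabber(HTMLParser):
    """Collect href values from <a> tags, skipping anchors without one."""

    def __init__(self):
        super().__init__()
        self.links = []

    def handle_starttag(self, tag, attrs):
        attrs = dict(attrs)
        if tag == "a" and "href" in attrs:   # the 'if "href" in link.attrs' check
            self.links.append(attrs["href"])


def extract_links(html, ignore="tryhackme.com"):
    """Unique hrefs in page order, minus the boilerplate domain (the 'uniq' step)."""
    parser = LinkGrabber()
    parser.feed(html)
    unique = []
    for link in parser.links:
        if ignore not in link and link not in unique:
            unique.append(link)
    return unique


def make_fake_sled(secret=57, ban_after=40):
    """Constructed stand-in for GET /api/<key>: 'key not valid' on a miss, a
    location on a hit, and a ban response once too many requests have arrived."""
    calls = [0]

    def probe(key):
        calls[0] += 1
        if calls[0] > ban_after:
            return json.dumps({"error": "Santa protection mechanism activated"})
        if key == secret:
            return json.dumps({"item_id": key,
                               "location": "Winter Wonderland, Hyde Park, London"})
        return json.dumps({"item_id": key, "error": "key not valid"})
    return probe


def find_api_key(probe):
    """Try only odd keys 1..99 (range step 2) and stop on the first hit or on
    the first sign of a ban, instead of hammering a host that has blocked us."""
    for api_key in range(1, 100, 2):
        body = json.loads(probe(api_key))
        if "protection" in body.get("error", ""):
            return None, "blocked"
        if "location" in body:
            return api_key, body["location"]
    return None, "exhausted"


if __name__ == "__main__":
    print(extract_links(SAMPLE_HTML))
    print(find_api_key(make_fake_sled()))
```

To run it against the real room, replace `probe` with a function that does `requests.get(f"http://<your-ip>:8000/api/{key}").text`; the stop-on-ban logic is what keeps the script from burning the attempt budget after a block.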