Hello everyone and welcome back to another John Hammond YouTube video. We're gonna have some fun today. We've got a little standing desk going on so we can be a little bit more mobile. Have a good time here. A few days ago my good friend Fawaz reached out to me on Twitter and he said, "Look John, I'm putting together this super cool, extravagant little scavenger hunt TryHackMe room, and inside the TryHackMe room there are gonna be some giveaways sprinkled in." You can potentially win an eLearnSecurity Junior Penetration Tester exam voucher, you could win some TryHackMe vouchers, some Throwback vouchers. I think there's... you know what? Let's dive into this. Let's just do the thing. So I'll hop over to my little computer screen here, and here we are at The Great Escape. It says: "Our devs have created an awesome new site. Can you break out of the sandbox?" It has a medium difficulty, so I'm probably gonna get my stuff pushed in, but you know, let's tinker. This is totally a raw video, in that I have never seen this before, so I'll try to pause the video when we do stuff that I'm absolutely failing at, but I'm literally going in cold, as cold as I can right now. So we'll see how this goes. "This room is linked to a community giveaway by the wonderful Fawaz." That is totally true. You know what? That's an absolute fact: he is, in fact, without a doubt, wonderful, so go give this guy some love, guys. "Any user who completes this room within three days of release," as in the 17th of February 2021 (so hopefully this video will be able to go live at that point), "will be entered into a raffle for the chance to win one of the following prizes: one eJPT exam voucher, one of two Throwback network vouchers, and one of seven one-month subscription vouchers to TryHackMe." So that's it, man. That's what we're doing. We're gonna dive into this. We get the IP address and everything ready. I've connected the VPN, spun up the machine and joined the room. So let's bump around.
I'll fire up my terminal here. Let's make a directory for The Great Escape. This is the first time that I'm recording on the upper monitor, so I'm gonna have to look down repeatedly to actually see my keyboard, because I have not yet mastered typing while not looking at my keyboard. Let's start with a little nmap scan. We'll do nmap -sC -sV -oN nmap/initial and slap in that IP address. There we go. I should have put that in verbose mode, gosh darn it. While that's doing its thing we can just kind of go see if there's anything worthwhile on port 80 on our own here. Yeah, yeah, okay. We have a "Docker Escape" and "NUXT" title, which is spooky-wookie. "Photo Classroom. Welcome to Photo Classroom. Check out our courses to get started." Okie-dokie. I'm gonna hit Ctrl+U just to view the source here. A lot of weird JavaScript files being included, some totally all-in-one-line inline CSS, that's disgusting. Oh my gosh, that's so hard to read. I'm not even gonna read it. More JavaScript files. Okay, these are all _nuxt. What is that? What is Nuxt? "The intuitive Vue framework." Oh no. No, no. Cool modern hipster JavaScript frameworks, you're killing me, dude. All right, let's put that away for now. Let's check out the courses. Oh, I need to log in. All right, let's check out the admin panel. Still probably need to log in. Is there anything neato-bonito on this page? Nope, just more Vue. Let's create an account. "Sign-ups are currently disabled to prevent rogue accounts." How did they know? How do they know I'd be here? And nmap's still cranking. I really should have set that in verbose mode. Okay, log in as admin and admin? Nope. That was too easy. How about password, right? Nope, still too easy. Okay, how about pass123? I'm just kidding.
Let's try some SQL injection, you know, a good old ' or 1=1--. Slap that in. That's using kind of like a SQLite syntax there when we use the hyphen hyphen, or the dash dash, for a comment. That fails: "invalid username or password." Let's switch this to a double quote. Yep, still no. Cool. Dash dash again? Nope. Great. Let's do the gobuster. How about that? Let's do a little gobuster dir -u and we do want to go to that IP address, so we'll slap that in. We'll do a little -w, let's throw in that /opt directory-list lowercase wordlist, and that died. "To force processing"... oh no. What? "The server returns a status code that matches the provided options for non-existing URLs," as in that thing just returned... no. So if I were to go to like /anything it would just be like, "yeah dude, totally cool," it's still a 200 response, right? Is there a little cheeky robots.txt? I mean, it's a Vue frame... or it's a JS thing. I really doubt it. Oh. Okay. We should have done that first, ladies and gentlemen. All right, so we can't go to /api. /exif-util, as in maybe exfiltration utils, is weirdly commented out. I don't know. Can you have comments in robots.txt? Is that a thing? And anything.bak.txt... that's pretty juicy, might have some good stuff. And oh, "nothing to see here, move along." Is that right? Is that right? Oh, and nmap's finished. Let's try to gobuster dir that API endpoint there, see if he gets any good love there. Let's check out that nmap scan. We take a little subl in our nmap directory. We got some good SSH here. We have a strange generic-lines output that I don't exactly know what that is. Port 80 does see nginx. Is that an old nginx version or something? That looks like a low number, 1.... robots.txt has those entries.
Yep, as we saw, exif-util. It's weird that that is just kind of commented out. So let's go back to that thing, exif-util. Exif utils: upload file, and from URL. What is this gonna process it with, though? It's not like I can do a PHP upload. What are the prompts here, by the way? What am I supposed to do? "Start off with a simple web app. Can you find the hidden flag? Find the flag hidden in the web app." Mmm. Is there a flag format? Is it THM{? Is it flag{? Should I still be digging through source code? THM... can I actually see the contents of that _nuxt directory? Nope, totally forbidden. Well, just for safekeeping, let's totally make a mirror directory and hop over there, and let's try wget -m on that whole thing and download literally everything that you see. Because if there is a flag in that JavaScript, in one of those JavaScript files, I just kind of want to see, I kind of want to know. So I'll do a cheeky strings on literally everything. Oh yeah, I know it's a directory. They're all gonna be in _nuxt though. I can do a find, right? Yeah, yeah, yeah. And then find to list out all the files in the current directory, and then we'll just do a while read line, which you could totally do with xargs, but let's... excuse me, let's strings each line. We need a done there to actually, you know, do that. Boof. All right, now we've got a lot of output. Let's see if we got a little THM{. Nope. How about a little flag{? How about a little fawaz{? Nope. Okay, not exactly helpful. I'll be honest, not really handing me any favors here. Let's go back to our good old exif-util. And if dirbuster isn't finding anything out of that API, which it still hasn't, I might just be a crazy dude and gobuster the thing again out of that exif-util endpoint. So let's do that, /opt directory list, because I want to see if there's like a /uploads now that actually gets me to something.
So that's not extremely helpful. Maybe it does something weird with the API when I upload something, though. So let's make a directory uploads, and then let's subl a test.html, I guess. We'll throw a little, like, good proper standard... oh, okay, thanks Sublime Text, just crank that out, I appreciate that. "test", "This is a test," and that's all we need. So let's go ahead and upload this file. I think I'm gonna be in ctf/tryhackme/greatescape/uploads/test. Yeah, yeah, that cried: "Service temporarily unavailable." Are you kidding me? The form data is totally fine. "A padding to disable MSIE (Microsoft Internet Explorer) and Chrome friendly error page." Is the API broke? Wait, there's an admin cookie? No. Weird. "allTokenLocally: false." I feel like that's gonna be some Vue thing and I won't exactly know what to do with it. From URL might be worthwhile though, if that API just isn't doing things. Let's go to /api again. It says "nothing to see here, move along," which is lying to me, because we know exif is in there, but that's just broke. Oh, exif utils must be... exif must be getting metadata. It must be like running exiftool. So is it just gonna run a command with that? Like, will it download a file as an image and then run a command with it? Let's keep bumping around. I'm gonna copy my headshot in here. So let's get that stupid mug going on, and let's see if we can just spin up a little Python server to, you know, whack this thing. So I'm gonna move into that other directory, or another terminal where I put this. Gosh, so that's in uploads, and then we'll use a little python3 -m http.server. Cool, now we're up on 8000. So my IP address is that thing. So if I were to simply go to http://<that thing>:8000/headshot.png... you stupid boy. That's it. You get my ugly mug. So let's go to from URL and get that exact same thing again.
Let's move this terminal over here just so I can hopefully see the request come through. We'll do it... "Something bad happened. Please verify that the URL is valid." Excuse me? Oh, stupid port. Now we got the request tab open, we have the server open, and we have the thing, so let's do it. What is wrong? "Please enter a URL to an image." That is literally a URL to an image. It should be... IP address... are you, like, sketched out about my port 8000? Is that what it is? Do I need a domain name? Let's do this on port 80 then. Whack. Now going to that on port 80 will still give me my headshot, and bring me back to exif-util, get to a from URL, include that in there. Let's just do it from that page because I already had the thing up. "Something bad happened. Please verify that the URL is valid." What is the problem? Let's check out the request tab. There's a GET /exif?url=... Oh, that's another "service temporarily unavailable." Is that intended? I'll be honest, you know, is that a thing? Let me reach out to Fawaz just for a sanity check, because I'm not exactly positive if that is what it's supposed to do. url= ... "Service temporarily unavailable." /api/exif, "nothing to see here, move along." Yeah, that's worth asking. I think I'll pause the video recording.

All right ladies and gentlemen, we're back. I asked around, and thanks to the community, they told me that yeah, actually the 503s are intended because of rate limiting on the login. So while I was asking around I just kind of reverted the box and spun up a new one, just in case, like, okay, if it wasn't intentional then I would need a new instance, and if it was intentional, anyway, who cares, we hadn't really gotten anywhere yet. So now we have a new IP address, and if it actually is in fact due to rate limiting then maybe my serious amount of gobuster wasn't exactly helping. So let's go check out the new IP address, which is up.
Okay, so we know from our robots.txt here we got these instances: /api and /exif-util. Let's try and get to that /api/exif now, and that still kind of dies. So maybe that's not actually what I need to go to. However, that actually does end up returning something now. So GET on its own... using an HTTP GET method on its own on that /api/exif endpoint seems to get that 503, but GETting with the URL in there does actually return something. So let's see if we can go ahead and get that headshot one more time. Now that looks like it's actually getting a response from a URL thing. I don't know how this is doing it. Maybe it's running curl or something, but we should be able to just run a little headshot.png, and there we go. Exif. Not positive what this is doing or how it's doing it, but I don't know what information might be present here. And am I going to be doing command injection? Am I going to be doing something so I can see the request come through server side, right? There's that, but can I include like an ls with a semicolon here? "HTTP 404 file not found." I don't know exactly what is processed. Assessing this, it does however see the server, and this is just a view-source thing. So can I run like that? Okay, okay, that dies. Great. How about a little backtick once? Did I just straight up kill it? Did I just break that yet again? Okay, no, it's doing its thing, but those other strings don't want to work for me. Okay. Can I request locally? How about that file, /etc/passwd? "FileURLConnection cannot be cast to a java.net.HttpURLConnection," sun.net protocol. Why can it not be requested? What if I go back to uploading a file? Does it actually upload, maybe? Does it store it anywhere? Let's go to exif-util one more time. Let's upload that file, let's do that headshot, submit it, and it just displays that out. Not helpful though. Let's upload that test HTML file. "File format cannot be determined." Exif utils, Photo Classroom. What am I missing here?
Is there more in this API? I don't want to dirbust it, I don't want to gobuster it again, because what if it just kills the thing? "Simple web app. Start off with a simple web app. Can you find the hidden flag?" Oh, there's a hint: "A well-known file may offer some help." You mean like that robots.txt that we were getting at? Is the... oh no. Is the backup thing something that I'm actually supposed to go to, as in, is there like a flag.bak.txt? No. There's not literally a *$... that's not a real thing. index.bak.txt? What are these pages that I can go to? You can see me completely lost here. So, fun fun fun video. Everything: Disallow /api, Disallow /exif-util, and there's nothing else in this file, obviously, because it's a text file. Is there a robots.bak.txt? No. Is there a login.bak.txt? No. Those are the only pages though, supposedly. /api: "nothing to see here, move along." Is that... that's HTML though, isn't it? /api/index.html. I don't know how Vue and this Nuxt thing is gonna end up rendering. Oh, that's actually a thing though. There's no way that that's gonna end up having its own backup file in it, in like its own subsequent directory, .bak.txt, right? Or am I misinterpreting? Oh, "resource not found," lol. /exif is the only thing that actually returns something, but that dies with an internal server error. Is there a flag in the internal server error? That would be fun. Try to get our file things in here again: file is not allowed, sun.net.www protocol. I want to know what this thing is. There's nothing in courses. Is there anything in courses? No, I can't get in there. Is there a... oh, admin.txt, admin.bak.txt? Spinning. Is that an actual request there? Or is that just gonna die?
I don't know, because, like, this isn't gonna return HTML. That is just not loading. courses.bak.txt, did I break the server again? anything.bak.txt is just hanging now, supposedly. Well, if we uploaded a real thing we get this exif data, and I don't know if that's being processed, like, by a command though. So if we give it a 404 it returns a "file not found" as it should. If I just do a little netcat connection to call back to me, can I see what it does? 8... oh, oh, oh, I'm trying to type with my keyboard beneath me. Java 11.0. It's looking for JPEGs. Yeah, and it dies, makes sense. It's not gonna render out the HTML, which makes sense. We can't access local files, supposedly. Never occurred. We made the thing hang. What? Well, let's go back to our gobuster with the API. Didn't get anything though. In fact, I broke the thing when I tried to restart the machine. Did we ever get any hits whatsoever? No, not at all. Can I use wfuzz or ffuf? ffuf, right? ffuf is the thing that lets me fuzz a thing. Do I have ffuf? ffuf, GitHub, ffuf. Not a thing. Let's, you know, let's git clone, cd ffuf, go get. I do have Go, pretty sure. Let's move it to my /opt directory just in case it throws anything in that current directory. I think Go just puts it in Go's, like, GOPATH or Go binary thing. There we go. Now we go ffuf. And now I think I need to reset my path. ffuf, where'd you put it? ~/go. What is my GOPATH? Oh god. Do I actually have Go? No, I mean I do. All right, let's go build, you know what I'm saying? Yeah, just download the thing, clone it, download it, get it and build it. I don't want to deal with that path stuff right now. ffuf. Incredible. Okay, so we need a wordlist, which can be directory-list-medium, and let's do that URL, right, http://<this thing>/FUZZ.bak.txt. However, is it gonna take forever to load? No, okay, it's actually good. FUZZ, right, .bak.txt.
Oh, I kind of wanted that output actually, to see that. Help. Help info: wordlist, URL, -mc all, -fs 42. Fuzz, match all responses, filter those with content size 42, color, verbose output. Oh, I want that color verbose output. Okay, those are all going to return things with a status 200 of 141 words, so that syntax said filter out content size 42, so -fs 3834, right? I have no idea if that will actually return literally anything, but let's do it. Fingers crossed, it probably won't get any hits. Only 207,643 things to do. That is the syntax according to robots.txt, so, like, that is the file name schema. This is something that should have been a livestream. Seemingly no flags here. "Ultimately, we're still looking for a flag, but we need to get on the box too, one of the machines." Oh, as in there's multiple? That's exciting. "A well-known file may offer some help. Find the flag hidden in the web app." We know through robots.txt that /api and /exif-util are things, and so is a .bak.txt. We're fuzzing the .bak.txt. /api is seemingly a dead end, but there's no way that's a dead end. We go back to this. What? That gets a "service unavailable." If we go back to ourselves... what was my IP address again? Oh no, ffuf, don't do it, don't display like that, you're gonna hurt yourself. I killed the other... /headshot.png, "something bad happened" at that. Oh god, I broke it, it's dead, because I was straight fuzzing with ffuf. Should I just let that go? I feel like it would have found something by now. I'm running out of steam, guys, I'll be honest. How is that? Oh, is everything broken because of the rate limiting? I'm just looking at cached pages right now. No. This is dirty. I feel so bad.
I have to, like, keep rebooting the box, gosh. All right, this is going real well, everybody. Okay, I have got a new machine. Hopefully we won't have to deal with all the rate limiting. Let's just get ourselves back in check. If we're finding a .bak.txt and we can't fuzz with ffuf because of the rate limiting, maybe it's got to be some things that we know already exist. We tried login, we tried index, we tried api, right? But I mean, that's a directory. What about that exif-util thing on its own? Oh. Oh, okay. So this is the source code for the exif-util functionality, all the Vue stuff, and once we submit something it has a URL, and if you submit a URL it retrieves something from http://api-dev-backup:8080/exif. Okay, so that is new. But that is probably something... like, that's if it's a different thing, because port 8080 isn't open on my... it isn't accessible or visible to me. Like, when I nmap scanned it we didn't see 8080, but I wouldn't be able to reach that locally from my own attacker machine. But this thing maybe can. Can I reach this API through the other one? So we want to go to this page, and we were going to /api/exif, and that gets our internal server error, but we need to supply a link, so url can equal this, paste that in, and that gets the "nothing to see here, move along" HTML. I'm repeatedly getting messages, stand by, pause the video. But if this is just the API, is that one going to be rate-limited? Can we hit that thing? That just is the API, so there's not going to be anything else there other than exif as far as we know, but that gets the internal server error. Can I request things? If this is the backup API, is there more to this? Is there like a flag right there? No, seemingly. "Could not find resource for full path." I don't know what that means. I don't want to fuzz this thing though, because that's just gonna break again. Can I request things through this? But I'm gonna need to URL-encode this question mark, right? Or will that work?
If I just try to, like, go to me, this IP address, right? That's like tunnel through. I don't know if that will work. "Response timed out." That thing probably can't reach me. Or can it? No, it can't. Look at the time, and that's not the latest thing. So can this thing read files? "Request contained bad words." What are the bad words there? password? Or just file? What are the bad words? "File format cannot be determined," to retrieve content it got nothing, because it's not a real thing. file:///... bad words. Okay, so that is disabled. Is there anything that this can reach locally on itself? If we set the URL to call itself we can go to 8080 again, "nothing to see here, move along," but then we're just getting, like, nested for literally no reason. /exif/exif, there's no reason to do that unless there's, like, more functionality in this for some reason. I don't know. Can this thing request a file? That's just completely taking a guess at a URL parameter. Probably nothing there. Is there a standard for, like, APIs to have a... what is RESTEasy, that thing? Oh, that's probably the kind of API, RESTEasy API, JAX-RS, is that? Why is there no actual help for that, or is there? Like, I want to know a list of your endpoints that this API can offer. If we use a file on this thing, do we get a... like, by default if we use a file, let's /etc/passwd, do we get a "request contained bad words"? No, it just says that. So that's different. When we use file, exif?url=file. Is there some weird... no, that won't work. That one is using curl! Oh shoot. Okay, that's how we get access. Okay, okay, okay. Do we use a little, you know, if that is just straight running a command, that dies. --help, ls... come on, come on. Yeah! There's new info there. Let's do a little whoami, you know, let's just see who we are. Let's get a reverse shell, right? Or can we get a reverse shell? This thing can't reach us.
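The "request contained bad words" filter above is a substring denylist on the URL, and it still lets the fetch reach the internal backup API. As an added example (not code from the video or the room), here is that denylist style beside an allowlist-style check that resolves the host and rejects private, loopback and link-local destinations; the BAD_WORDS list, the hostnames and the resolver table are constructed for offline use, only 192.168.112.2 and api-dev-backup come from the video.

```python
import ipaddress
import socket
from urllib.parse import urlparse

# Constructed denylist in the spirit of the filter seen in the video; the room's
# real list is not shown, so this is an assumption.
BAD_WORDS = ("file", "password", "bash", "python", "perl", "netcat")


def denylist_check(url: str) -> bool:
    """Weak check: reject URLs containing a forbidden substring.
    Internal hostnames and private IPs are not on the list, so they pass."""
    lowered = url.lower()
    return not any(word in lowered for word in BAD_WORDS)


def _is_public_address(ip: str) -> bool:
    addr = ipaddress.ip_address(ip.split("%")[0])  # drop IPv6 scope id if present
    return not (addr.is_private or addr.is_loopback or addr.is_link_local
                or addr.is_reserved or addr.is_multicast or addr.is_unspecified)


def allowlist_check(url: str, resolver=socket.getaddrinfo) -> bool:
    """Stronger check: only http/https, and the host must resolve exclusively
    to public addresses. `resolver` is injectable so the check can be exercised
    offline; by default it is the real DNS resolver."""
    parts = urlparse(url)
    if parts.scheme not in ("http", "https") or not parts.hostname:
        return False
    try:
        infos = resolver(parts.hostname, None)
    except socket.gaierror:
        return False
    addresses = {info[4][0] for info in infos}
    # One private record hidden among public ones is enough to reject.
    return bool(addresses) and all(_is_public_address(ip) for ip in addresses)


# Constructed resolver table for offline demonstration; not real DNS data.
FAKE_HOSTS = {
    "api-dev-backup": ["192.168.112.2"],          # internal name from the room's /etc/hosts
    "images.example.com": ["8.8.8.8"],           # well-known public address as a stand-in
    "rebinder.example.com": ["8.8.8.8", "10.0.0.5"],  # mixed public/private answers
}


def fake_resolver(host, port):
    """Mimics socket.getaddrinfo's return shape using FAKE_HOSTS; literal IPs resolve to themselves."""
    try:
        return [(None, None, None, "", (str(ipaddress.ip_address(host)), 0))]
    except ValueError:
        pass
    if host not in FAKE_HOSTS:
        raise socket.gaierror(f"constructed NXDOMAIN for {host}")
    return [(None, None, None, "", (ip, 0)) for ip in FAKE_HOSTS[host]]


if __name__ == "__main__":
    for url in ("http://api-dev-backup:8080/exif", "file:///etc/passwd",
                "http://images.example.com/headshot.png"):
        print(url, "denylist:", denylist_check(url),
              "allowlist:", allowlist_check(url, resolver=fake_resolver))
```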
Is this the only command injection stuff that we have, like command and... no, no, let's just run the find command. ./application, that's literally it. Can I just cat the application? Oh god, cat application, what have I done? See how long this takes to come back. Checking my phone for a moment. Okay, that died, "read timed out." Mmm. Can I ls -la /home? root, root, what is in this also? Where is this flag that I'm supposed to have? Oh, can I get those backups now? Like, what are we listing? /home has nothing. How about our home directory? Root has a dev note. All right, we need to stop running /help at the very top of this because that's kind of useless. We do have dev note though. So let's cat that out, cat /root/dev-note.txt. Oh: "Hey guys, apparently leaving the flag in docker access on the server is a bad idea, or so the security guys tell me. I've deleted this stuff. Anyway, the password is..." that? fluffybunnies123. Password for what? "Cheers, Hydra." Well, that's new. Let's save this stuff, just to keep these things in mind. I guess we should start a little README. README, slap that in. Password for what? Is that something that I can SSH with? Is it gonna be SSH into that? So fluffybunnies123 is the password if I were to SSH into... well, no, that's not gonna be... seemingly that is a password for the backup, right? We know SSH is open, but that's gonna be quote-unquote the production server, and is it slow? Why did that take so long? Why did that not return anything? Maybe that's for the backups. Nothing. /opt, how about /var? There is backups, /var/backups. That's nothing there. SSH just straight doesn't come back. Wasn't SSH open in our stinking nmap? 22 is totally open, I understand. Let's keep looking around the file system, I guess. There isn't a /var/www though, which is weird to me. Um, there is a .git though, which is peculiar.
We should be able to see our .dockerenv because we know we are in there. Oh, there is a /work directory. That's new. /work/application, and that's a file which is way too big. Can I horrendously base64 this application, /work/application? Because I don't know what the file... might be huge though. There's no way that's gonna come back in time. That will not work. I don't think that's gonna work. Nope. Okie-dokie, so what else do we have? Oh, maybe we can cat out /etc/hosts to get a better idea as to what APIs are in here. Yeah, yeah, yeah. Okay, so 192.168.112.2 is going to be the api-dev-backup, so that could very well be useful. I wanted to copy that, not open dev tools. Copy that. Mm-hmm, mm-hmm, mm-hmm, a little bit of new intel. What else do we got? You know, a regular reverse shell would kind of be nice, but I'm not positive that this thing can call back to me because it's kind of an internal IP. If I run ip... no, I don't have that. Do I have ifconfig? I don't have that. What do I have, if anything? Do I have netcat? "URL contains bad words." Which netcat? It doesn't like netcat. /bin, what's in /bin? Classic, same old stuff. What do I do? Do I have Python? Also contains bad words. How about py-on, echo python piped to tr to delete spaces? Oh god. Do I have bash? Also contains bad words. There's some filter going on that's janky and annoying. What is my shell right now? I probably just can't run bash whatsoever. Yeah, okay, "request contains bad words." What other things can I use? Perl is also filtered out. Hmm. There was nothing in home. Oh god, did I break it? No, okay. Don't you put that evil on me, Bobby. /media, /mnt, /opt, /proc. The only... maybe Docker is listening on... like, do I have Docker in this? Because I am in a Docker container. Do I have netstat? No. SSH has to come back at some point, right?
All I have is a password. "Find the flag hidden in the web app," which we don't have. Oh god, okay, that was weird. Computer's dying. There is no, like, flag.bak.txt, we already saw that. We can look for, like, a find -name... oh god, this is gonna kind of be horrendous though. I mean, it's a Docker container, it shouldn't take too long, right? Flag, -name flag, find. Yeah, I mean, okay, there's stuff. Nothing good though. "Apparently leaving the flag and docker access on the server is a bad idea, or so the security guys tell me. I've deleted the stuff. Anyway, the password is fluffybunnies123. Cheers, Hydra." Can I log in with that? Hydra, fluffybunnies123? "Invalid username or password." Hydra capitalized, admin? I'm at my wits' end, everybody. Okay, so the flag format is seemingly THM{, but... "Silly devs leaving their backups lying around." I don't think I'm that far anyway. Let's try to do a wget back to me just to see, you know... don't even have wget, frickin'. We definitely have curl, but that's gonna fail. Like, we know that's gonna fail. I really think SSH should be up and, like, functioning, right? Oh, it has a question mark. It doesn't even know if it's SSH. It might not be. What is that? Hello. Do a little aggressive nmap on port 22. Tell me if that's SSH or not, because I don't think it is. This is a struggle bus. Y'all got any more hints for me? We're root in a Docker environment. Question is, how can we break out without access? Well, is there a Docker service up and running, HTTP-wise, that we could access things through, through the original web page? Like, we know that we are api-dev-backup on 8080 on .1, but if on .2, but if we were to go to 22... .1 is the thing that should theoretically return the page? No, it didn't return. I don't know.
Well, how else could we access the original box through this Docker container? All right, took a quick break. Let's keep trying. curl isn't working. We know we have this dev note with the password. The git thing is weirding me out though, like the fact that that's there. Can I cat out that git config? Hydra, grum@example.com, name is Hydra, and that's the user for git. So can I just simply run git? Yep, so we have git. What do you... a git log, is there anything that's done? "Not a git repository (or any of the parent directories): .git." So I need to cd into /root first, but can I have git log work out of a specific directory? If I just move into git, do I tell it -C path? Is that right? If I do man git, -C: "run as if git were started in path instead of the current working directory." Yeah, yeah, yeah, okay. I see it right there. So let's do that. Let's do a git log, git -C /root log. Aha: "fix the dev note, remove the flag and original dev note because security," "added the flag in dev-notes," okay. Out of the flag in dev notes, let's do a git show on that commit. Oh: "Hey guys, I got tired of losing the SSH key all the time, so I set up a way to open the docker for remote admin. Just knock on ports 42, 1, 1337..." all these things "to open the docker TCP port." And there's a flag. Oh, the root flag. Okay, so I'm assuming that's going to be the one for this thing, although I have been explicitly asked, "Please don't submit flags to ruin statistics," or whatever. So I'm assuming that's going to be that one, but we still don't have a simple web app. Dude, why didn't I do that earlier? If we saw git was here, I should have at least checked out all that version stuff, man. We spent so much time bumping around and now we at least have one flag. Added the flag in dev-notes.
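The dev note above was "deleted" by a later commit, but git -C /root log and git show still hand back the original. As an added example (not code from the video or the room), this builds a constructed repository with that same commit pattern and scans every commit's patch for removed lines, which is the audit a reviewer would run before declaring a secret gone; the secret, author identity and messages are constructed placeholders, and git must be on PATH.

```python
import subprocess
import tempfile
from pathlib import Path


def _git(repo, *args):
    """Run git against `repo` via -C, the same trick the video uses for /root."""
    result = subprocess.run(["git", "-C", str(repo), *args],
                            check=True, capture_output=True, text=True)
    return result.stdout


def build_demo_repo():
    """Constructed history mimicking the room: a note containing a secret is
    committed, then a follow-up commit 'removes' it from the working tree."""
    repo = Path(tempfile.mkdtemp(prefix="devnote-"))
    _git(repo, "init", "-q")
    _git(repo, "config", "user.email", "hydra@example.com")  # constructed identity
    _git(repo, "config", "user.name", "Hydra")
    note = repo / "dev-note.txt"
    note.write_text("Hey guys, knock on the ports to open the docker TCP port.\n"
                    "flag: THM{constructed-placeholder-flag}\n")
    _git(repo, "add", "dev-note.txt")
    _git(repo, "commit", "-q", "-m", "added the flag in dev-notes")
    note.write_text("Hey guys, apparently leaving the flag in docker access on the "
                    "server is a bad idea. I've deleted this stuff.\n")
    _git(repo, "commit", "-q", "-am", "fix the dev note, remove the flag")
    return repo


def removed_lines_matching(repo, needle):
    """Walk `git log --all -p` and collect deleted lines containing `needle`.
    Returns (short_sha, subject, line) tuples: where the secret was 'removed',
    which is exactly where history still preserves it."""
    log = _git(repo, "log", "--all", "-p", "--format=COMMIT %h %s")
    hits, current = [], ("", "")
    for line in log.splitlines():
        if line.startswith("COMMIT "):
            _, sha, subject = line.split(" ", 2)
            current = (sha, subject)
        elif line.startswith("-") and not line.startswith("---") and needle in line:
            hits.append((current[0], current[1], line[1:]))
    return hits


def show_commit(repo, short_sha):
    """Equivalent of the video's `git show <commit>`: full patch for one commit."""
    return _git(repo, "show", short_sha)


if __name__ == "__main__":
    demo = build_demo_repo()
    for sha, subject, line in removed_lines_matching(demo, "THM{"):
        print(f"{sha} ({subject}) removed: {line}")
        print(show_commit(demo, sha))
```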
Now we know some port knocking technique, which is very slick. Let's slap this into our notes, because that's pretty handy-dandy. Let's get that in there: "set up a way to open up the docker for remote admin, to open the docker TCP port, just knock on ports" those things. Um, but that should be on the original port, right? What is the Docker TCP port by default? Docker TCP port is 2376 when it's using TLS, yeah, or 2375 when communication is in plain text. Okay. So is there anything else that I should get out of this? Let me see if this does a git show on that. That just removes it, that's it. The other one is replacing the dev note, so git show that one just for a good sanity check, and we have the same password that we already knew. So I hope that was readable. I don't know if my face is in the way. git show. Okay. Okay, let's do this port knock and see if we can open up the Docker TCP port. So let me nmap -p on the original host, this guy right now, considering we've reverted it like 7,000 times, on port 2375. Yeah, 2375. That should tell me that it's closed, but it does know that that is the Docker port. So if I were to knock on those ports, let's go 42, let's go 1, excuse me, 1337, holy cow, 10420, 6969... oh, I see what you did here. I see the sequence of numbers. 63000. Good, and let's get back to our 2375 and see if that service is open. Still closed. I hate port knocking because I never get it right. I never understand how the thing is supposed to be done. There is, like, a port knock knocker tool. Port knocker, GitHub. knock, yeah, yeah, yeah, "simple Python port knocking client, knock at that server on those IP addresses," that's it. Okay. Do I already have that? Is that in... oh, I do, ha ha, great. Let's move into knock. That's there. We know the IP address, here that thing, and then the ports that we want to knock, in the sequence.
We'll just split these and remove commas and remove that word, and so let's slap in those, and it did it. So now let's see if that nmap -v -p 2375 should be open. Yes! Script kiddie coming back at you, just use other people's tools. I'm just kidding, I would never. Now we got Docker. I could just totally connect to that, can I not? 2375: "page not found." Is there a script? Docker TCP enumerate, "attacking Docker exposed API," let me read that real quick. "Today we're exploring some security risks associated with Docker, examining the consequences of exposing the native Docker API." Leaks in a world... we could do it with Portainer. I've used Portainer before. Very simple lab, good enough, and then you could do it. So it gets it, it sees Docker, and we can curl it with JSON, right? Let's try that. Let's do a little curl here, let's do a curl http://<that>... "page not found." Oh yeah, /version. Aha, let's pipe that to jq and see what we got here, ladies and gentlemen. Docker Engine Community, latest version, runc, docker-init. Good, good, good, okay. "Now test the exposed API using the Docker CLI." Obviously we need to have Docker exposed, yep. Okay, so you need to have Docker installed. I have Docker installed, so let's use that same command, and can I run info? There we go. I think four containers. Is it running it on my machine though? It shouldn't be. How many containers are running? ps, yeah, yeah. Okay, so we got some stuff, and endlessh, that must be the fake SSH thing. "What are the images pulled on the host machine? Are there some stopped containers?" I guess that's a good thing to look through. They are just the same ones. What are the images pulled? Just want to run through this enumeration to kind of understand a little bit more. Debian, nginx, endlessh. Okie dokie. "Could be images with juicy info, maybe you could run those." Yes, can I access them? "Spawning a shell inside a container is done by the exec command, in this case..."
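The curl /version and docker -H ... ps steps above are exactly what an audit check for an unauthenticated Docker Engine API looks like. As an added example (not code from the video or the article it reads from), here is that probe against a constructed in-process fake of the API, so it runs offline; the version strings and the container names frontend and endlessh are constructed sample data, and the /version and /containers/json paths are real Docker Engine API endpoints.

```python
import http.client
import json
import threading
from http.server import BaseHTTPRequestHandler, HTTPServer


def _get_json(host, port, path, timeout=3.0):
    """GET a path on an unauthenticated HTTP endpoint and decode JSON; None on any failure."""
    try:
        conn = http.client.HTTPConnection(host, port, timeout=timeout)
        conn.request("GET", path)
        resp = conn.getresponse()
        body = resp.read()
        conn.close()
        if resp.status != 200:
            return None
        return json.loads(body)
    except (OSError, ValueError, http.client.HTTPException):
        return None


def probe_docker_api(host, port=2375, timeout=3.0):
    """Return a finding dict if an unauthenticated Docker Engine API answers on host:port,
    else None. Mirrors `curl http://host:2375/version | jq` followed by `docker -H ... ps -a`."""
    version = _get_json(host, port, "/version", timeout)
    if not isinstance(version, dict) or "ApiVersion" not in version:
        return None  # not a Docker API (or a "page not found" on a plain web server)
    containers = _get_json(host, port, "/containers/json?all=true", timeout) or []
    names = [c["Names"][0].lstrip("/") for c in containers if c.get("Names")]
    return {"engine": version.get("Version"),
            "api_version": version["ApiVersion"],
            "container_names": names}


class _FakeDockerHandler(BaseHTTPRequestHandler):
    """Constructed stand-in for an exposed daemon: answers the two endpoints the probe uses."""
    ROUTES = {
        "/version": {"Version": "constructed-engine", "ApiVersion": "1.41", "Os": "linux"},
        "/containers/json?all=true": [
            {"Id": "constructed-1", "Names": ["/frontend"], "State": "running"},
            {"Id": "constructed-2", "Names": ["/endlessh"], "State": "running"},
        ],
    }

    def do_GET(self):
        body = self.ROUTES.get(self.path)
        if body is None:
            self.send_response(404)
            self.end_headers()
            self.wfile.write(b"page not found")
            return
        data = json.dumps(body).encode()
        self.send_response(200)
        self.send_header("Content-Type", "application/json")
        self.send_header("Content-Length", str(len(data)))
        self.end_headers()
        self.wfile.write(data)

    def log_message(self, *args):  # keep the demo quiet
        pass


def start_fake_docker_api():
    """Serve the fake API on an ephemeral loopback port; returns (server, port)."""
    server = HTTPServer(("127.0.0.1", 0), _FakeDockerHandler)
    threading.Thread(target=server.serve_forever, daemon=True).start()
    return server, server.server_address[1]


if __name__ == "__main__":
    srv, port = start_fake_docker_api()
    print(probe_docker_api("127.0.0.1", port))
    srv.shutdown()
    srv.server_close()
```

Pointed at a host you administer on port 2375, probe_docker_api returning anything other than None means the daemon is reachable without TLS or authentication.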
We want to spawn a bash shell, so checking out the running instances. Frontend is a thing, and that's running on frontend, one, that process. So if I were to just exec -it /bin/bash, and that, will it work? exec -it container name /bin/bash. Fingers crossed. Okay, okay, okay, I, I see that now. Obviously I'm root because I'm in that container. Nothing in that root directory, lame. ls -la. I'm still in home. Let's get to ls -la. We know this is a Docker environment, right? There might be some backups lying around. If we're in the frontend we're probably involved, backups maybe. No. A good old find again, let's do a find -name on that fly. Same stuff. Let's check out the /etc/hosts one more time, because docker-escape.thm. Oh yeah, completely different subject, completely different thing. Okay, but those are only some, this is only one of the containers. exif-api, exif-api-dev, that might be worthwhile. endlessh, I think, is the trap, because we know SSH is not real, supposedly. Well, we were just there, we were accessing that thing.

Do I have wget? Do I have curl? curl. I do have curl. So, do I... I can just like open nano though, can't I? vim? vi at the very least? pico? I got nothing. I got no text editors to work with. Straight echo and that's it. Do we have sed? Oh, we have sed, oh fantastic. docker-entrypoint.d: listen-on-ipv6-by-default and envsubst-on-templates. I'm just bumping around this file system, so forgive me. What is running? I don't have, gosh, ps, I don't have that, fantastic. We could just list off out of /proc. It'd be super gross, but we could do it. Nothing in /tmp. We already know everything that's in /var, supposedly. Backups had nothing. Cache, root had nothing, home had nothing, and your next bit. Is there a cron job running? Well, let's check those images again, because some of those might still be useful and we should go explore the other ones. I'm gonna throw that in my notes. We just bumped around in frontend, which didn't seem to have anything worthwhile for us. endlessh.
Which one were we, which one were we in? exif-api-dev, when we were running it like within the web browser. Oh, machine expiring soon. Don't you dare. I've been doing this for way too long, but somehow still not long enough. Shell, hostname on that: api-dev-backup. So exif-api is prod, like the production one. So if I were to grab this one and exec into that... I am not root in this. I am quarkus. So what do we got in here? Hello, hello, hello, home. So, cat /etc/passwd. quarkus is a weird boy. I could run whoami again over and over again, but that's not going to tell me anything. ls -la root. We're still in a Docker container, yes, we know. quarkus in work. Oh, now we have actual like command line access though, so we could probably like actually figure out what this application is. Never mind, we could just churn this out.

How... wait, this thing's like a freaking gig, isn't it? ls -lah, 50 meg, is it worth it? I mean, I always say, you know, try everything. So let's do it. Let's do a little base64 -w 0 application and let that rip. Oh God, isn't it a beautiful sight, ladies and gentlemen? Isn't it so marvelous, seeing God's creation spat out on your screen? Dope. Let's try and steal this. Let's get this one right here. Let's copy and paste all of this base64. My terminal might have crashed. Okay, no, he's still here, he's still here. Okay. I was... let's get that, make a little Sublime Text window, try and paste that all in. Dear God, that's gonna crash my computer. We'll let, we'll let Sublime Text work, you know, we'll let it, we'll let him deal with the clipboard. Oh God, has my terminal died? Sublime Text, what'd you do? Terminal died. Freaking fantastic. Is this thing still on my clipboard? Nope. Terminator couldn't get it. All right, well, you know what, we still have some progress here. We still have our docker -H to connect to this. So I am still connected to the VPN, am I right? Like OpenVPN is not gonna die.
Yeah. Okay. Application, quarkus. Let's explore endlessh here. exec -it that container name /bin/bash. It doesn't have that, /bin/sh. whoami? root. Is there anything worthwhile in this? Probably not. .ash_history? No. No, sorry, I wanted a cat. It's that... /etc/passwd, not change my password. nobody, cyrus... who the heck are you, cyrus? Looks like a system account for some weird reason. This feels like a dud because it's, it's just fake SSH. What is, what is endlessh? Gosh dang it, stop giving me these. Do I have strings? Oh, thank God, I have strings. Okay, just in case this is a binary file, which it is. It's just an SSH client or SSH server that's a vortex, I'm gonna assume. Is that like a known thing, endlessh? Yeah. That is incredible. I have learned something new. All right, cool. I had fun with that, you know, at the very least. I don't think there's anything in this.

Is there a way to see the privileges of a Docker container? Because if we could try some like, hey, Docker escapes, or is there more to do with this Docker API? Exploiting exposed Docker... deepce. Hmm, honestly, I haven't done all this, all that much, so I'm not... paused. One: runc was mentioned in the docker info. Oh hey, it's your day. Can I use this? I mean, I don't want to install packages, primarily because I can't. Oh, you can use no network. Okay. This looks possible, but I still don't know if like any of these are privileged containers. Docker, check for Docker, check privileged, how to know if a Docker container... docker inspect --format that thing. Okay, can I do that? And then it needs the container ID, so I'm assuming that frontend is not going to be privileged, right? Is the dev API going to be privileged? Are any of these going to be privileged? endlessh, I don't have a whole lot of hope for you, my friend. Nope. Okie-dokie, how'd the machine get terminated? I added an hour. TryHackMe is just bugging out.
That's fine. Simple web app, I mean the frontend. I should still be able to actually go find that flag. I need to go do that, because I don't think I ever did. Let's go ahead and exec -it /bin/bash. No, it's container first. There should be a flag. /www is not a thing, /var/www was not a thing, so it's not like a normal web server. However, 80 is running, so like nginx is happening somewhere. nginx, nginx Docker configuration file, where are you working? include mime types, yeah, but where? But where? Is it, is it the wsgi thing, is it in conf.d? Yeah, okay. So it's in /usr/share/nginx/html. Gotcha, okay, and I get into admin. Is there a flag anywhere? I have strings, so let's do a little strings everything. I don't have strings. You what? Do I have a grep, for the love of God? Yeah, okay, grep -i, let's do a recursive, -i, and let's look for the THM. That's not helpful. Where on the web server am I supposed to find this flag? There's a readme. This is rough, ladies and gentlemen. browserconfig, courses is a thing. Is there anything else? More... an exit, futile. No, same horrendous Vue. That's another login. Unless, is it like in Nuxt? robots.txt should still be the same. I don't know where the heck I'm supposed to find that flag in the initial...

But I still need to get to the original machine. I'm still just looking in Docker containers right now. Can, can you exploit exposed Docker API? Oh, can I just like, can I build a new image? That's a thing, isn't it? GTFOBins just has like a quick one-liner for it, and I know I made a video on it, and I like overexposed the thing. Let's see if I can just make that alpine container. Will that just work? I'd be pretty dang happy if it would. You have alpine, do you not? You're not gonna be able to pull it down, I don't think. You have images though. You have alpine in your images. alpine 3.9. The tag is 3.9. Looking back here, so, oh, root in the container. I have a /mnt. We put it in a mount, did we not?
Wait, I am in the current one, because it chrooted that into that with that syntax. So if I were to check out /etc/passwd... I am hydra. I have a hydra user. That's it. Yeah, yeah. Whoo-hoo, type that stupid cat syntax, damn it. Oh my gosh, that was fun, and I still don't even have the web flag. That took way too long, and we're still not done. Okay, um, so that would be the great escape. We already have root, root, unless that's the simple web app one. "There's a flag hidden by root on one of the machines, can you find it?" Maybe, um, maybe the web app one is that. So let's do a little docker ps one more time and just try like a find command for the things that are owned. I have some Docker ones, so my own local Docker stuff. docker ps to get into one of these machines. frontend, 8080 was the one that has the port exposed. exec -it port /bin/bash, bash, so that will let me into that, and I need to find -name flag.txt one more time, and it's owned by root. I don't have a freaking... can I like privesc? Can this... I don't have sudo. The only other one that I'm... did we do it in frontend? Did we, did we run that in frontend? Like, did we hunt for a flag within frontend using find? Because we were root on that. I don't care, I don't care. grep -ri THM. Good luck.

Let's put that in one, let's put that in one pane, and then let's look again in the api-dev-backup one. Docker connected to that. I am supposedly root. Let's do a find -name. Does this have find, for the love of gosh? It does, but it doesn't find anything. Let's do a grep. Let's get into root, grep -ri THM. We'll set that to a different color. Do the same thing for the original production API. It was a fail. Copy pasta, copy paste, there we go. We don't have find though. Let's -r, let's look for a flag.txt. Can I do a little grep for that? I probably can't get into root though, but I didn't have sudo, sorry. Got a notification.
Um, I think I'm going down the wrong road here, not gonna lie. I'm gonna go back to the thought that the root flag is the one that I got while I was root looking in the git logs, and the simple web app: "a well-known file may offer some help." That is a .well-known file. There is that. Did I just not see that when I was looking in the web root? Forbidden. flag.txt. Whatever this is, this is frontend. In a good old blue. I know you guys don't like that color, so we'll go back to the hardcore black stuff. It's, it's in /usr/share, share, share, nginx/html, and there is a .well-known. Oh my gosh, security.txt, excuse me. ping, api, fl... that's totally flag with a little leetspeak upside-down G. But you know, let's just hop on over there, because we literally already own this thing. Can we get into the API? You know what, let's just stinking do it from curl. curl -X, give me a HEAD, http, get this URL, gosh darn it, slap that bad boy in there. We have double HTTP schemes now. Good, does it work? It may not work the way you want, use --head. Oh, great.

Holy cow, that was way too long. That was way too much agony. That was a horrendous video for you to have to sit through and watch, but we finally did it. We finally got all of the flags. This was a trial by fire, cold case of me trying to jump in and figure this thing out. Truth be told, I did like ask for some sanity checks. I'm like, I reached out to Fawaz, the, the creator here, like, hey, is this 503 server error like supposed to be happening? Is, is this thing supposed to actually be accessible in the API?
What, am I going through the right order of the flags? Because I'm not able to submit them, I don't know what's what. So I did ask for a little lifeline and phone a friend on this one. But I mean, look, I hope that goes to show like there's no shame in doing that. I hope that goes to show like the whole, whole point is to learn, right? And if you're banging your head against the wall for way too long, don't like kill yourself, like you don't, don't, don't beat yourself up, you know. So that's that. I don't know if anyone would like to see a more formal, actually procedural, like packaged and bundled education video on this thing, but I just kind of just went in for it and stumbled and failed the entire time, but I hope we had fun. I hope you had fun.

We got the web app flag by finding that .well-known. It took us to the very, very... it's me, to the very, very end to realize, oh, that's actually indicating the .well-known, and I know that directory, like I've seen and used that for a capture the flag event, like that was in a game that we've hosted. Getting the root one was going through some SSRF, or server-side request forgery, to reach the internal Docker api-dev-backup thing, and then we were able to read the messages in the git log in the .git directory within /root, and that gave us that flag and also led us to the eventual port knocking that opened up the Docker API. And then through the Docker API we're able to just run a, run a new container, sort of a new instance, with the alpine image. It's there, mounted the original file system, so we had root on the core actual machine, 10.10.56.195. So that broke us out of the... that, that helped us do our Docker escape and got us on the actual machine. Holy cow, I am burning out from this one.
That was a lot of fun though. Fawaz, I hope this was the exciting and extravagant release that you wanted, but this was my solution, agonizingly and painfully slow, but hey, you know what, that goes to show there... there's so much fail in hacking and so much fail in learning this stuff, but you just kind of power through and reach out when you need it. So, all right, that's the end of the video. I'm done. That's the end of the video. Thanks so much for hanging out with me, everybody. If you enjoyed this video, if you'd like this kind of cool, casual hangout session style, me just goofing off and going in without any notion of what WTF I'm doing, that was this. So let me know if you want to see more like this, and we'll do it and we'll jam, we'll hang out and we'll keep having fun. But please do all those YouTube algorithm things. I'd love to see you hit that like button, I'd love to see you maybe leave a comment, you know, type whatever you want, and smash subscribe, hit that bell, all those things that, uh, over-excited YouTubers put, put together and say. So thanks for watching, everybody. I love y'all. See you in the next video. Take care. Good. Bye.
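The escape in the video came down to an exposed Docker daemon letting an ordinary container bind-mount the host's `/`, which is exactly what a defender wants to spot in `docker inspect` output. The audit below is an added example, not code from the video or the room; the container names and the trimmed inspect records are constructed, and the field subset it reads is the one real `docker inspect` emits.

```python
"""Audit `docker inspect` records for settings that let a container reach
the host: --privileged, host PID namespace, dangerous added capabilities,
and bind mounts of '/', the Docker socket or other sensitive host paths.
Added example; not code from the walkthrough or the room."""
import json

# Host paths that, when bind-mounted into a container, hand it host control.
SENSITIVE_ROOTS = ("/etc", "/root", "/proc", "/sys", "/home", "/var/run", "/run")
DANGEROUS_CAPS = {"SYS_ADMIN", "SYS_PTRACE", "SYS_MODULE", "ALL"}


def audit_container(info):
    """Return a list of (severity, reason) findings for one inspect record."""
    findings = []
    hc = info.get("HostConfig", {})
    if hc.get("Privileged"):
        findings.append(("high", "runs with --privileged"))
    if hc.get("PidMode") == "host":
        findings.append(("high", "shares the host PID namespace"))
    for cap in hc.get("CapAdd") or []:
        if cap.upper().replace("CAP_", "", 1) in DANGEROUS_CAPS:
            findings.append(("high", f"adds capability {cap}"))
    for m in info.get("Mounts", []):
        if m.get("Type") != "bind":          # volumes live under /var/lib/docker
            continue
        src = m.get("Source", "").rstrip("/") or "/"
        dst = m.get("Destination", "?")
        if src == "/":
            findings.append(("high", f"host root '/' bind-mounted at {dst}"))
        elif src.endswith("docker.sock"):
            findings.append(("high", f"docker socket bind-mounted at {dst}"))
        elif any(src == r or src.startswith(r + "/") for r in SENSITIVE_ROOTS):
            findings.append(("medium", f"sensitive host path {src} bind-mounted at {dst}"))
    return findings


def audit_all(records):
    """Map container name -> findings, only for containers that have any."""
    return {info.get("Name", "?").lstrip("/"): hits
            for info in records if (hits := audit_container(info))}


# Constructed inspect records, trimmed to the fields the audit reads.
SAMPLE_INSPECT = json.loads("""[
 {"Name": "/frontend", "HostConfig": {"Privileged": false},
  "Mounts": [{"Type": "volume", "Source": "/var/lib/docker/volumes/site/_data",
              "Destination": "/usr/share/nginx/html"}]},
 {"Name": "/escape-test", "HostConfig": {"Privileged": false},
  "Mounts": [{"Type": "bind", "Source": "/", "Destination": "/mnt"}]},
 {"Name": "/worker", "HostConfig": {"Privileged": true, "PidMode": "host",
  "CapAdd": ["SYS_ADMIN"]},
  "Mounts": [{"Type": "bind", "Source": "/var/run/docker.sock",
              "Destination": "/var/run/docker.sock"}]}
]""")

if __name__ == "__main__":
    for name, hits in audit_all(SAMPLE_INSPECT).items():
        for sev, why in hits:
            print(f"{name}: [{sev}] {why}")
```

Feed it the real thing with `docker -H <host>:2375 inspect $(docker -H <host>:2375 ps -aq)`, which returns the same JSON array shape; the `escape-test` record mirrors the alpine container from the video.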