Hello everybody, my name is John Hammond and welcome back to another YouTube video. We're looking at some more TryHackMe, and this is a new room. It's been out for a few days now. I'm bummed because there are some write-ups out already; I didn't make it right to the punch, but this is going to be showcasing Gaming Server, which was a super fun room. Sure, its difficulty is rated easy, but I think there were some really cool nuggets in here, so I want to work through this with you. I have the IP address and the room already started, so let's go ahead and jump in. I'll start off like I always do by making a folder and a directory to work in for this room. Wow, we're already doing really, really well getting words and speech to happen. So I'm going to create a simple README file where I will just kind of keep track of my notes and things. And let's start off with a simple RustScan to kind of see what open ports we're working with. Looks like we have port 22 open and port 80 open, so that is good to know. I will go ahead and get started with some simple Nikto and DirBuster or GoBuster scans, so we get some automatic enumeration kicking off in the background while we also do our own manual enumeration. So I'll start off with Nikto in that one window and I will start off with GoBuster in this window. I'll use dir as the mode to make it work in directory mode, pass in -u to specify the URL, and the word list that I'll use: I'll use the directory-list medium that typically ships with DirBuster. OK, now we can go do some manual enumeration and poke around ourselves. This is the IP address; open it up in a web browser and I'm greeted with this dragon website. Lorem Ipsum. OK, so there's not a whole lot of actual content here other than, I guess, some pages to access, just more Lorem Ipsum text nonsense. Is there a "read more" page? That links me to archive.
This links me to About. I can see down the bottom left of my screen here: myths, and that takes me nowhere. OK, I will hit Ctrl+U just to kind of view the source here, kind of see if there's anything interesting in the HTML. I think that's always good practice. Same thing with always checking out static files like the CSS and JavaScript; make sure you don't see anything like crazy cool in there, or it's boring in that it's a static file, it's not going to do anything dynamic in the case of CSS specifically. But I think it's always good practice just to check in case they hide anything in there. Oh, and actually it's a good thing that we did. There's an HTML comment here: "John, please add some actual content to the site. Lorem Ipsum is horrible to look at." Great. This is awfully meta; they're talking to me, John. So maybe that's worthwhile; maybe that's going to be a username we could work with. Checking out those other pages, I'll zoom out here. I see the index page that brings us to this archives page that's apparently just not a thing. What about that about.html? There's a video here that is not a video. Incredible. And an uploads page. Oh, OK, so sorry, I don't know if that was visible with my face in the way. There's an uploads page that I can just click on, and it took me to this location, /uploads, and that had some interesting files in there. I wonder if there's like an upload functionality that we could get into. There's a meme.jpg, which would obviously be the first thing that we look at. Thanks, that's great. manifesto.txt. Oh, and this is just the Hacker Manifesto. Very, very cool. It's a plain text file, so if I were to view the source, there's nothing else in here. If you really, really wanted to, sure, you could slap it into a text editor and see if they're doing any tricks like hiding whitespace, steganography or anything. Nothing there, so that's nothing we need to worry about, but kind of a nice little Easter egg if you're into the Hacker Manifesto.
I like that. I dig that. And there's this dict.lst, which seemingly looks like a word list or dictionary list for potential passwords. I like this, like season and then year. That's kind of known now as a pretty common technique for passwords that you might be using, because you just look out the window and say, oh, it's snowing outside, it's Winter2020 or whatever. So this would be worthwhile. Let's go ahead and save this. I'm going to go back to my directory here and I'll wget this down. So that's downloaded. There we go, I have dict.lst and all of those files there. We have Nikto's results here that found a robots.txt location, so let's hop over to robots.txt. I typed in "ribbit" and, OK, that just tells me to look at this uploads directory that we were already in and pilfering out of. Cool. Seemingly nothing else in there. DirBuster or GoBuster found uploads and also found secret. Oh, what is that? /secret. There we go. OK, and that's in the directory listing with the secret key. And that is a private key. OK, awesome. So let's totally wget that down as well. wget, grab that guy. And we knew that there was SSH open, right? Yeah, we saw that in our Nmap scan, or RustScan, which will funnel to Nmap. And we have a potential username, and we also have a potential password list, and we have this potential secret key. So I guess it's worth a try seeing if we can SSH into this machine. Let me grab that IP address. There we go. With the secret key and specifying the host and john as the username. My username is john on my machine, so I don't really need to supply that, but it's a good thing that I do to be explicit, you know? Oh, oh, oh, oh, and I need to mark that as like our specific key. So chmod 600, so it has the permissions of just my user being able to read it. There we go. Now I can run that one more time, and that private key needs a password. OK, so that's not a big deal. We know that we have a word list we could use.
So let's run John the Ripper. I have John the Ripper downloaded and installed in my /opt directory; that's where I tend to put all of my tools. So in their run folder, there is an ssh2john Python script that will allow you to take a private key and put it into a format that John the Ripper can handle, and then you could throw a word list at it and hopefully it could crack a password or figure something out. So let me run ssh2john on that secret key, and I get this big, big, big, big amount of output. But that's going to put it in a format that John the Ripper can work with. So I will take that exact same command and I'll redirect it out to a file like forjohn.txt. OK, then I can just simply run John the Ripper on that forjohn.txt file that I just created, and I'll specify the word list we want to use as that dictionary, dict.lst. Is that the name of it? I'm just going to Ctrl+C to check. Yes, dict.lst. So run that guy and we'll see if he gets a password, and he does. OK, so the password for that private key is "letmein". Great. So let's ssh -i with our secret key to john at that IP address. So, my clipboard. Thank you. Enter passphrase: we know that is now "letmein". Great. I should be taking notes on all this. I literally didn't. I created that README.txt file, or README.md, and didn't do anything with it. So since we have initial access, since we are logged in as this john user, we're able to SSH in, we are now on the box, and we can look at his home directory and we have this user.txt. So catting that out, we can go submit that as the user flag. Great. OK, now we'll want to do some usual manual or automated enumeration. I'll start with the immediate low-hanging fruit just to see: can I run sudo? And it needs a password, and we don't know his password. We only know the password for that private key, so that doesn't work. I could type in something like "pleasesubscribe".
But unfortunately, that's not his password, but it is my password. So if you want to subscribe, that might help. Shameless plug. Now let's go actually do some automated enumeration. So I will go ahead and upload LinPEAS, or an automatic enumeration script like LinPEAS or LinEnum. LinPEAS is great and fantastic, so I will do that. I'll do that with my poor man's pentest style. All that's really doing is going to create one protocol or one kind of communication transfer setup. I could be using netcat to just listen on my attacker machine and send, or listen, excuse me, listen on the host, on the victim, and then maybe like send along the file: just cat it out to another netcat connection and then it'll save it or pull it into that file. I can redirect it out, or you could do the same thing with wget, just download a file; you could do the same thing with FTP or HTTP, do wget, right? Or SMB, etc. Enough background, let's actually run the command. Again, I store LinPEAS in my /opt directory, so let's slap that in and he's going to throw it in /dev/shm. Great. Let me just check. OK, it's good. So that's sent. I'm going to move into /dev/shm and I might still have some files in there from when I did this moments ago. So let me just run that one more time. Super sorry, ruined the illusion there. But now we've got LinPEAS. Let me mark that as executable, chmod +x, and I'll go ahead and run it and save that output. I'll just pipe it to tee so I can see the standard output and it'll be funneled into a file. So there we go. I do not have the entire LinPEAS script, apparently. When this happens, I just like to check with md5sum on the original file that's on the host and on my attacker machine. Yeah, those are different. So let me upload that one more time. Slap that along. That's sent now. Now does the md5sum command give me the same hash? It does. OK, great. So let's actually run our LinPEAS script. Now there we go.
The beautiful PEAS that shows up, and we're cranking through. I'll let this run for a little bit, but I will scroll up to the top and see what we can work with. I know reading LinPEAS output might be like weird and intimidating, and there's a lot to look through, obviously, if you kind of aren't familiar with it, especially knowing what's normal and what's not. So thankfully, LinPEAS does a really good job of like giving you a legend or a color coding as to what might be potentially useful. In this case, it looks like we are running our operating system of Linux, that kernel version, and it's Ubuntu 18.04. I'm running as that john user and I'm in the sudo group, but I don't know his password, so I wasn't able to run sudo commands. I'm also in lxd, or LXD, which is a kind of technology used for creating containers, and Docker is like a similar tool. Maybe that's going to be an outlet. Looks like that is notified as, hey, this is a huge PE vector; you could potentially do some stuff with LXD. Let me tune into that later, but first let's continue scrolling through LinPEAS. The sudo version is seemingly old; maybe we could abuse that. CPU information, nothing sticks out. Same thing in the environment; these are all just regular, normal environment variables. We can see here that we have ASLR enabled, or address space layout randomization. That might get in the way if we had to do some like nifty, crazy binary exploitation stuff, but I don't think we need to do that in this case. All the processes that are running: www-data is the one that's actually running Apache right now, so that's the web server. Cron jobs: oftentimes we might see like interesting backups or things that get in the way. Looks like there's nothing out of the ordinary there. Same thing with services, nothing highlighted or enumerated. Same thing in /etc/hosts, nothing out of the ordinary. Lots of running things. My user, again, sudo is present and so is lxd. pkexec policy.
Maybe that's going to be something interesting. Looks like these are the only users here. So john, this user that I'm running as, and root are the only ones that have /bin/bash in the output of /etc/passwd. That's it. So OK, OK, OK, nothing immediately stands out. Yes, we know we have our private SSH key; we already got that. Nothing, nothing, nothing. SUID binaries: see if there's anything interesting, easy low-hanging fruit there. Nothing immediately stands out again; all this stuff is kind of normal. Same thing with set-group-ID. Oh, interesting that we have Vim information. LXC, cookies. OK, so maybe a little bit more pointing towards LXC and LXD. That's a lot of output and a lot of stuff, and we can move on. OK, so now that that illusion is over, let's talk a little bit more about that LXC or LXD privesc. This is a thing, right? This is kind of well known and well documented; there is a lot of stuff on this. If I go check out this Exploit-DB entry, there's immediately kind of some option that we have here. This is a bash script, but it tells you like you have to do a little bit of stuff on your own attacker machine to be able to prep this. This will actually have you go download some tool and utility that will allow you to actually build Alpine, like build an image or the framework for a container to run in LXC, right? That technology and software that will be able to run containers. The same thing that you might do when you're performing like a Docker privesc, because that is kind of a tight security thing: you have a lot of functionality when you're creating those and running those containers, and you could potentially end up mapping the entire file system into the container.
So you essentially could have root privileges, because you can modify things as root inside your container and that's going to still take effect on the actual file system that you've mounted, or you could just peruse the file system, which is something that we could do to actually find that root flag or become that root user. So that's going to be kind of interesting and kind of fun. We could do that. Looks like they're using this build-alpine script. So this is out of an original GitHub repository, so let me actually go to that and check it out. I'll go to github.com, slap in that location here; this will build an Alpine Linux image for us. OK, so let's clone this and work with it. I am... Oh, Nikto found secret, nice. GoBuster and Nikto both found secret. I don't think we need to do anything more with those because we already are on the box. So let's go ahead and git clone this guy. And it looks like we just have this ./build-alpine. Can I run this? build-alpine: "you must be run as root." OK, let's do a little sudo here. Actually, before I do that, I want to at least present this good practice to you: if you know you're running a shell script as root, you should probably at least take a gander as to what it's doing. Make sure it's not going to fork bomb or rm -rf or destroy things or completely, I don't know, clobber your machine with ransomware. Looking through this, and considering it's on GitHub and it's kind of a trusted thing, it looks like it's got a decent amount of stars and forks, this amount of contributors. You should, sure, practice: you shouldn't blindly sudo a shell script, especially like curling something or downloading an install script and just piping it to bash. That's also sometimes a bad idea. OK, this looks totally fine. Nothing, no rm -rf on my forward slash, removing my entire file system. Anyway, let's go ahead and sudo this guy. I'll type in my password now that I trust this, and it'll go do its thing. This failed.
So I don't know if you're going to have this exact same predicament, but when the script would run for me, it would automatically select a mirror that wasn't a good mirror. It would either just hang or it would just kind of fail. So what this ends up doing is, if you kind of follow through that code, you'll notice it created a new rootfs folder in here. So I'm going to go into that, and it just looks like a file system, right? It's the root file system. That script, though, that we opened up: when I look at the mirrors, let me Ctrl+F for "mirror" here. It's pulling it out of the root file system, usr/share/alpine-mirrors/MIRRORS.txt. So let me go ahead and cat that out. I don't need the forward slash in this case, because I'm going to be talking relative, not my absolute path. I have a lot of stuff in here. Let me Sublime that out, and I actually used the real forward slash that time. So I'm just going to open this up in a text editor and I'm going to remove a lot of the mirrors until I know maybe one that will work and one that will actually download things. I'll just leave the top one in this case. Now I'll go ahead and run that script one more time, getting back to that parent directory. Let's see if this will be able to download it properly. OK, looks like it's moving. It's cruising along and it's going to prepare this Alpine image for me. Awesome. Now in my current directory, I have this big alpine .tar.gz file. Now we could go ahead and put this on the victim or target machine. Normally, sure, you could go ahead and create a container or an image with LXC or Docker and it'll just pull it down from the Internet. But keep in mind, these don't actually have Internet, being inside of the TryHackMe network, inside of that VPN. I had a thought, and I was like poking around with this when I was going through it live, or previously on my own, right?
I thought, like, well, this would be kind of cool and fun to just go ahead and create a SOCKS proxy, or like funnel my internet through my attacker into the victim and the target machine so that it would be able to download things. You can set like HTTP_PROXY and HTTPS_PROXY and that might work. You can do that and then run commands with curl or wget and be able to interact with it natively, but I don't think LXC was able to pull down an image through that. Anyway, if you guys have any interest in that, I could showcase a video where I'm putting together that SOCKS proxy and then using that on the victim, so that the target and the reverse shell that you're working with, even if it doesn't have internet, you can basically run primitive commands like curl or wget and be able to access the internet. You can apt update or install chaos or whatever the heck you want. terminal-parrot, if you'd like to meme and troll, that's a thing, and maybe we could do a video on that if you guys have an interest in that. Anyway, let's continue to do what we were doing. We've got this image created, and we have created this so that we don't need to use the internet when LXC tries to create a container or an image from this; it can just take it locally from this file. So let's go ahead and throw that on the box. What I'll do is I'll go ahead and set up a Python HTTP server, my IP address so that I know, and so that, like you know, in your case, you'll grab your attacker machine's. Now that that's serving, this is going to end up being like another thing to download or get a file here. I'll use wget on the victim, and actually let me mark this as black so you know that that's the victim. Hopefully that's not too confusing. Grab on that port that we're serving this little tiny, tiny web server. Let's go ahead and grab that Alpine image here that we've downloaded. OK, so that's going to pull that all down. Looks like my web server saw the request.
My face is in the way, and you can see the victim is downloading that right now. While that's going, let's go ahead and kind of take another look at what we can do to perform this privilege escalation. This script might do some peculiar things where it's going to import the file name that's supplied with an alias and try to initialize it. It'll try to create that Alpine image with a container name of privesc, and it's going to set that security.privileged=true and try to add the victim's, like the real target's, file system mounted inside of that container at /mnt/root so that it would be able to access it from inside the container. Kind of cool. Then we'll go ahead and start that, and it'll go and execute a command there so we get access into it. What we could do is we could go ahead and try this. Let me, I guess, grab this code, and let's, on our attacker machine, let's Sublime, like, oh, I'm in the Alpine server there. Let's call this like lxc-privesc or something, .sh. Slap that in, and let's move up a directory and run that exact same server. So now I can download this lxc-privesc on the victim. lxc-privesc.sh. Great, he's pulled that down, and let's try and mark that as executable. And now let's go ahead and try and run that script. Looks like we need to supply the file name, and we have this big, big Alpine image file now, so let's Alpine that. Supply that with that -f argument, see if it created it. Looks like it did. It listed all the images that we have here; we've just imported that one successfully, and we added that forward slash, the victim file system, inside the container. And then we jumped into the context of the container because we executed privesc, and privesc is our container name, in sh to give us a simple shell here. So now that we kind of read through and understood what that script was doing, we are in the container and we can now go ahead and move around. So nothing in my current directory. I'm root, right?
But I am root inside of this container. Remember, if I were to move up in the other directory, I can move into home and you won't see that john user. If I were to cat out /etc/passwd, you won't see anything else, because we are inside this container and not the actual target original machine that we were in. But we had mounted the root file system at /mnt/root, so I could move in there, and now I'm in the actual file system of the original target, of the real victim, and I could move into their root home directory because I have permission to do that now, and I could just grab that root.txt. Neat, very cool. That's how we could just take advantage and privesc on this box. Keep in mind, sure, you're only doing that in the context of the container, but since we have access to their file system, hooray, we completed the room. Congratulations, everybody. Since we have access to this file system, we could modify that /etc/passwd and maybe change the password for the root user. Let me do that just to see if it'll make some sense here. So I'm moving into /etc/passwd within this container. I'll cat out the current settings of passwd. You can see this john user there, and that's not me; that's that john user on the victim. So let me grab all of this data. I know it's gross, but I'll slap it into Sublime Text, and then on my host I'll go ahead and fire up Python. So I'm going to use Python so that I can import crypt, and crypt is going to end up being that same library that creates the password hashes in SHA format and stuff that's going to be used regularly inside of an /etc/passwd or /etc/shadow. We could read /etc/shadow and maybe, I guess, sure, you could modify and change that, but I think doing it inside of passwd is just kind of easier and more sane.
You can see John's password hash, and maybe I guess we could crack his password hash if we wanted to, because we still don't know his password, but we can go ahead and set one for root and that might be kind of cool. Let's finish what I was saying. Sorry. Inside of Python, we've imported crypt, and now I could use crypt.crypt to calculate that hash, or the cryptographic value, for a specific password. I'll just set my password to "pleasesub", "pleasesubscribe". And now that string that it returns back out to us is what we could use for the value of that root user. So let me patch this into where the x would be. And that's where normally you would see the password if you were doing, if you had that access to /etc/shadow. Now that that's created, what I'm going to do is I'm going to try and run nano inside of that target container. Let me see if I can actually run nano. Break. Nope, I don't have that. OK, do I have echo? I probably do. So I'll use a little heredoc. I'll use cat up to end of file, and then I'll pump that into /etc/passwd. Maybe I will break the machine if I mess this up; hopefully I don't. So now that I'm in that little midway intermediary prompt, I can just paste all this in, and I will type in EOF to denote the end of file. Great. Now I can cat out /etc/passwd, and hopefully I didn't clobber or destroy it. Looks like I was OK, and our root user now has a set password syntax in there. Great. So at this point, hopefully I can break out of my container. OK, OK. And I can change user to root. And the password that I have set is "pleasesub". Did I fat-finger that? Oh, no. Can I su bash? Well, I mean su, "pleasesub". No. OK. Let's change the game here, then. We could just totally easily change our like john, and that command that we ran: there's lxc-privesc -f alpine, just to get that container back. There we go. Now let's cd into /etc/passwd, or cd /mnt/root. And let's change that to that john user. Oh, goodness.
Grab that password, slap it in for the john user so I know it. Or we could crack his password; we could kind of use whatever technique we wanted to. /etc/passwd. Did I accidentally throw that into /etc/passwd? Is that why that didn't work? It is. Oh, you guys should have told me. You guys should have told me. Maybe it was right all along and I'm just an idiot. Let's, let's find out. Let's use our heredoc again. So cat EOF to passwd. And now I have that pre-planted password into both root and john. So let me throw that in and end that with EOF. Great. Now let's exit. And I can trust that this should work as su without it. "pleasesub". No, OK. Can I sudo bash? "pleasesub". What the what? What does the password look like on this box? Well, what are you doing, dude? Oh, no. It doesn't have my dollar-sign sixes. Because we're entering that in bash, and bash is going to interpret those dollar signs as if they were variables. So this syntax is gone. Let's... All right. Third time's a charm. Third time's a charm, guys. Let's run it one more time back in the container. Let's include our backslashes there. Is there anything else that was weird and funky there? Let me just grab this syntax and kind of put it side by side to test it. I had up to this position; there's something else missing. Oh, there's another dollar sign there. Are there any other dollar signs? Anything else that I'm missing? It doesn't look like it. If I miss it again, then we'll go for four times a charm. How about that backslash? Is that noted there? Or that's, that's just a regular forward slash; that's not a concern. OK, OK. Now, pretty please. Pray to the demo gods. OK, let's move into /mnt/root, and move into that /etc page, and let's do our heredoc passwd. Slap that bad boy in, to the classic EOF. Now let's cat out passwd and do a sanity check before we remove this thing. Now our dollar signs are in place.
Let me verify that this line is the exact same as it should be within Sublime Text, or remove our dollar signs. And that line should be identical. So if I search for that... do I see it with regex turned off? It is perfectly fine. OK, great. Now, hopefully, clearing that out. Once again, sanity check, catting /etc/passwd. My dollar signs are present. Let me see if I can su and use the password "pleasesub". I'm going to type that one more time to not fat-finger it. And I'm root. All right, awesome. Thanks, everybody. Now we're actually root on the actual host, target, victim, without needing to go through the container. That was a lot of fun. I hope you guys kind of enjoyed that. I know when I'm like fumbling around and messing up the very, very last part or whatever, people say... I personally think it's stupid and annoying and it's not fun to watch, but you guys say, hey, it's really, really cool to actually see you rework and problem-solve and stuff like that. So I hope that was fun. Now we got the real root.txt actually on the box, not through the container. So we did it. We finished that room, and I think that was a lot of fun. I don't have a whole lot of practice with some of those LXC privescs, and if we wanted to, sure, we could take a look at some of the walkthroughs that other folks had used. And that's a lot of the fun of doing this and learning: see what other tools people use. Looks like ffuf was in there. I'm sure some wfuzz. OK, and they're using the same sort of setup with LXC. Yep. Yep. Yep. Yep. That's really neat. That's really cool. That's really fun. I like this room a lot. I don't do a lot with LXC containers, but it's very, very cool to see that privesc every now and again. But the benefit of TryHackMe is that, hey, you can take a look at how other people solved it in the world. They're all about kind of like education and learning first.
So if you ever want to take a look at the write-up, if you're banging your head against the wall for too long, that's an option. I dig it. I love it. Sweet. Thank you so, so much, everybody. Thanks for watching. Thanks for hanging out. It's been great. I'm late on getting a video out, so I wanted to just, like, hey, let's run through this thing. And I hope it wasn't too bad being an easy room. Maybe that LXC privesc was kind of neat, and there was a lot of documentation, a lot of resources and material out on that sort of thing. So please go Google around. Please go practice. Please go learn. And thanks so much for watching. If you guys did like this video, please do those YouTube algorithm things. Maybe smash that like button, maybe smush, boop or bonk that like button. Leave a comment, subscribe. You know, I'd be super, super grateful, and that's enough for now. Thanks for watching, everybody. I'll see you in the next video. Love you.
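The LinPEAS finding that drives the whole privilege escalation in the video is simply that the user is a member of the lxd group (and the sudo group). From the defender's side, that is the thing to audit: membership in groups that are root-equivalent (lxd, docker, sudo, wheel) via either the supplementary list in /etc/group or a user's primary GID in /etc/passwd, which plain group-file greps miss. The script below is an added example written for this page, not something from the video or from LinPEAS; the group and passwd contents are constructed samples written to temporary files so it runs offline.

```shell
#!/bin/sh
# Added example: list every account that belongs to a root-equivalent group,
# either as a supplementary member (/etc/group field 4) or via its primary GID
# (/etc/passwd field 4). Group names checked are lxd, docker, sudo and wheel.

# Constructed sample /etc/group (not from a real host): john is in sudo and lxd,
# alice is in lxd, docker has no supplementary members at all.
write_sample_group_file() {
    cat <<'EOF' > "$1"
root:x:0:
sudo:x:27:john
docker:x:999:
lxd:x:108:john,alice
users:x:100:john,alice,bob
EOF
}

# Constructed sample /etc/passwd: bob's primary GID is 999 (docker), so he is a
# docker-group member even though /etc/group does not list him.
write_sample_passwd_file() {
    cat <<'EOF' > "$1"
root:x:0:0:root:/root:/bin/bash
john:x:1000:1000:john:/home/john:/bin/bash
alice:x:1001:1001:alice:/home/alice:/bin/bash
bob:x:1002:999:bob:/home/bob:/bin/bash
EOF
}

# audit_priv_groups GROUPFILE PASSWDFILE
# Prints one "group:user (how)" line per privileged membership found.
audit_priv_groups() {
    awk -F: '
        # First file (/etc/group): remember privileged GIDs and print
        # supplementary members.
        NR == FNR {
            if ($1 ~ /^(lxd|docker|sudo|wheel)$/) {
                priv[$3] = $1
                if ($4 != "") {
                    n = split($4, m, ",")
                    for (i = 1; i <= n; i++) print $1 ":" m[i] " (supplementary)"
                }
            }
            next
        }
        # Second file (/etc/passwd): primary GID equal to a privileged group.
        ($4 in priv) { print priv[$4] ":" $1 " (primary gid)" }
    ' "$1" "$2"
}

# Convenience wrapper that builds the samples and runs the audit on them.
run_sample_audit() {
    g=$(mktemp) && p=$(mktemp) || return 1
    write_sample_group_file "$g"
    write_sample_passwd_file "$p"
    audit_priv_groups "$g" "$p"
    rc=$?
    rm -f "$g" "$p"
    return $rc
}

# On a real host you would call: audit_priv_groups /etc/group /etc/passwd
run_sample_audit
```

Run against the real /etc/group and /etc/passwd, any line this prints is an account that can reach root without a password prompt on a default LXD or Docker install, so each one should be either expected and documented or removed. Adding `lxd` to the list is the point the video illustrates: the sudo group still asked john for a password, the lxd group did not.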
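The part of the video where the root and john logins kept failing comes down to one shell rule: with an unquoted heredoc delimiter (`cat <<EOF`), the shell performs parameter expansion on the body, so a crypt hash like `$6$salt$hash` loses `$6`, `$salt` and `$hash` as if they were variables, and the passwd line lands on disk with an empty password field. Quoting the delimiter (`cat <<'EOF'`) disables that expansion; escaping each `$` with a backslash, as the video eventually does, is the other fix. This is an added example written for this page, not the video's own commands; the hash is a constructed placeholder in the `$6$salt$hash` layout, not a real credential, and the lines are only printed, never written to a system file.

```shell
#!/bin/sh
# Added example: the same passwd-style line emitted through an unquoted and a
# quoted heredoc, plus a check that the hash field survived intact.
# "$6$examplesalt$examplehashvalue" is a constructed placeholder, not a real hash.

# Unquoted delimiter: $6, $examplesalt and $examplehashvalue are all expanded
# (to nothing, since none is set), so the whole hash field disappears.
passwd_line_unquoted() {
    cat <<EOF
root:$6$examplesalt$examplehashvalue:0:0:root:/root:/bin/sh
EOF
}

# Quoted delimiter: the body is taken literally, dollar signs and all.
passwd_line_quoted() {
    cat <<'EOF'
root:$6$examplesalt$examplehashvalue:0:0:root:/root:/bin/sh
EOF
}

# Escaped form: unquoted delimiter, but every $ is protected by a backslash.
passwd_line_escaped() {
    cat <<EOF
root:\$6\$examplesalt\$examplehashvalue:0:0:root:/root:/bin/sh
EOF
}

# hash_field_intact LINE
# Succeeds only if the second colon-separated field still starts with "$6$",
# the sanity check the video does by eye with "cat" before logging in.
hash_field_intact() {
    case "$(printf '%s\n' "$1" | cut -d: -f2)" in
        '$6$'*) return 0 ;;
        *)      return 1 ;;
    esac
}

# Demonstrate all three and report which ones kept the hash.
for variant in unquoted quoted escaped; do
    line=$("passwd_line_$variant")
    if hash_field_intact "$line"; then
        printf '%-9s OK      %s\n' "$variant" "$line"
    else
        printf '%-9s MANGLED %s\n' "$variant" "$line"
    fi
done
```

The unquoted variant prints `root::0:0:root:/root:/bin/sh`, which is exactly the symptom in the video: the line looks plausible at a glance but has no hash, so `su` and `sudo` reject every password. The same expansion rule applies to `echo` and to pasting into an interactive heredoc prompt, which is why the check on field 2 is worth running before trusting any edited passwd or shadow line.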