Hello everyone, my name is John Hammond and I am super excited to bring this video to you. This video is a walkthrough of the Day 13 task as part of TryHackMe's Advent of Cyber 2. Now this task, today's activity and its challenge, is actually created and developed by me. So I have a little bit of liking towards it, a little bit of bias, but hey, I hope it's fun. I hope you enjoy it and I hope you learn something new. But without further ado, let's dive into Day 13. I have already deployed the machine here that is part of it. This task is called Coal for Christmas and our prompt here: we want to prove these sysadmins deserve coal for Christmas. And in this part, we're actually going to play the role of Santa. We get to kind of play pretend that we are in fact Santa. So hi Santa, hop in your sleigh and deploy this machine. I have already gone ahead and deployed it so we can mark that as correct. The Christmas GPS now says this house is at the address 10.10.67.147. So that will be the IP address that we'll use throughout this task. That is the IP address of the machine that we just deployed in TryHackMe's network. Now we want to scan this machine. So we'll move into this port scanning section here. It says we will begin by scanning the machine. If you're working from the TryHackMe AttackBox or from a Kali Linux instance, or honestly any Linux distribution where you have it installed, you could use Nmap and you could specify this syntax if you'd like. So I will go ahead and copy that syntax. And again, if you were using this on Ubuntu, you know, I tend to use Ubuntu for a lot of my other videos and the stuff that I do. If you're on Kali Linux, if you're on Parrot, if you're even running Windows and the Windows Subsystem for Linux, wherever you've got Nmap installed, you can go ahead and use that to scan this machine. I am connected to the VPN already and I have a terminal up and ready for me to work with.
I am going to create a directory though, specific to what I'll be working with in this video and this task here. So I'll mkdir, or make a directory, for AOC day 13, Advent of Cyber day 13. Let's hop over to that directory and I will go ahead and run that Nmap scan. I'll just slap it in, I'll paste it in and I'll hit enter here and start that Nmap scan off. If you wanted to, we could have it display its findings as it finds them, right? If we were to supply that -v, the hyphen V or dash V, right before the IP address, we'd be supplying a parameter and we tell Nmap, I want you to work in verbose mode, and then it would tell us all these ports and all this new information that it finds as it finds it. So here we go. We have some output here. We have port 22 open and that says that is SSH. We also have port 23 open and that's telnet, and 111 or rpcbind. Okay, so we have a couple options here or things that we could work with, but let's go see what our task here is telling us to do. We can say, sure, we've completed this, we've run that Nmap command, we have a port scan of the box. Now the next question is, what is the full name of the running service that allows secure login to this server, this machine, the IP address, right? Well, if we take a look back at our port scan, we notice we saw port 22 open with SSH, and maybe if you're new to this, right? If you're not all the way out on this whole cybersecurity thing yet, you don't exactly know what this SSH thing is or even what this telnet thing is. So you, as the budding hacker, right? You wanna learn about this so you'll go to the internet and you'll Google what that stuff is. Let me show you that. Let's fire up Firefox. I wanna get a different web browser open here and I'll try and type in SSH and just simply Google that. I'll just Google what that might be and now I can zoom in here so you can see it, and SSH is Secure Shell.
It is a cryptographic network protocol for operating network services securely over an unsecured network. Looks like there's a little more definition on the right hand side. Typical applications include remote command line login. Oh, okay, so that sounds exactly like what TryHackMe was asking us here. Remote command execution, but any network service can be secured with SSH. That's kinda neat, that's kinda cool. All right, so let's get back to what this question was asking. What is the full name of a running service that allows secure login to the server? Sounds like it's Secure Shell because that's what our quick Googling found for us. So we'll try and submit that answer and that's correct, all right, awesome. Now what do we have? Now let's try and do some initial access. Well, doesn't SSH just let us log in, right? It said, like when we Googled it, it said we could go ahead and SSH and we could log in to the machine. So is there like a command or something that I can use to do that? I can SSH to that IP address and what was it? It was 10.10.67.147. I just hit the up arrow on my keyboard there to climb up the command history and I'll change that Nmap command to SSH and I'll try and SSH into that. Looks like it needs to kind of have my permission. Hey, are you sure you want to continue? Yes. And oh, it needs a password. Kali, Kali or something, or Kali tour. It's using my current username but I don't know any credentials there. So that's not gonna work. If you knew a username and password, you could totally log in with this, right? Sometimes you can see SSH configured using a private key and that way you don't need to specify a username and password, but you have to offer a very special file or a certain token that you can use to authenticate. Looks like we don't have a username and password though and that's what SSH needs. So let's go back. Let's say we wanna look at this telnet service that's running, we should go back and do our homework.
What is telnet if I Google that? Telnet, how to use? Telnet is one of the earliest remote logon protocols on the internet. Oh boy, it was initially released in the early days of IP networking in 1969 and it was for a long time, the et cetera, et cetera, et cetera. We could take a look at this Wikipedia page I suppose. There's a lot of stuff in here though. Telnet is an application protocol used on the internet or a local area network to provide a bidirectional interactive text-oriented communication facility using a virtual terminal connection. Okay, so I'm like logging in, right? That's everything we talked about. Historically, telnet provided access to a command line interface on a remote host. However, because of serious security concerns when using telnet over an open network such as the internet, its purpose has waned significantly in favor of SSH. Ooh, okay, so telnet's like not good, right? Telnet's kind of bad. Serious security concerns. Probably because it's all in plain text, right? It said as it was transferring data back and forth across the wire, telnet is just in the clear, but SSH we know is secure. It's using cryptography and it's cryptographically making that connection. Okay, so that's what we could do with telnet. Notice the telnet service running. You could attempt to connect to the service to see if you can make use of it. You can connect to the service with the standard command line client named after the name of the service with syntax like this: telnet, the IP address, and the port from the Nmap scan. Okay, so we saw that was 23, right? I'll copy that and I'll hop over here. I'll paste that in. And I could type in 23 as the port here, but that is the standard and default telnet port. So even if we didn't supply that, it would go ahead and work for us there. So I'll enter that command and you might not have telnet installed and that's okay.
You can sudo apt install telnet if you happen to be working on like a flat Kali instance or if you have apt as your package manager. So, okay, looks like it's trying to reach that IP address and then it connected, good. And it says, hi, Santa. We knew you were coming and we wanted to make it easy to drop off presents. Oh, that's super sweet. So we created an account for you to use. The username is santa and the password is Claus Christmas. We left you cookies and milk, and then we're prompted with a little login input field there. Oh, oh, okay, awesome. So we have a username and password that we could use and log in with because I guess the server is just willingly giving that to us, right? This is super nice. What is that prompt here? It says what credential was left for you? What do you mean what credential? What kind of format do you want that in? Do you want like the username or the password or like username colon password? I'm gonna check the hint just to kind of get clarification. Oh, enter just the password, all right. So that was what, Claus Christmas? Type that in there and I'll hit submit and that's the correct answer. Okay, cool, okay. So enumeration: looks like you can just slide right down the chimney, log in and take a look around. Enumerate a little bit, all right. So, well, what I read, it's that SSH is preferred over telnet because SSH is more secure. Can I log in with santa and this Claus Christmas with SSH? Let me try it. Oh, I need to specify the username, right? Because by default it's gonna take my own. It's gonna take kali but I want to specify, so I'll hit Ctrl-C to break out of that and I'll say ssh santa@ with the at symbol there. There we go. And the password was Claus Christmas. There we go. Oh, excellent, okay. Oh, it has a nice little Christmas tree. That's super cute. Who made this? Let's run the ls command, I think. That's what it said.
You can view files and folders in the current directory with ls, change directories with cd, and view the contents of files with cat. Okay, super easy. So let's ls to see what we got here. We got christmas.sh and cookiesandmilk.txt. What is that christmas.sh? Is that already executable? I'll use ls -la to get more long information there. And oh, okay, yeah, my face is in the way but christmas.sh is already executable. So let's go ahead and, can I clear the screen? Clear? We can go ahead and dot-slash that christmas.sh script. That .sh means it's a shell script and it could very well be executable. That's why we saw that executable bit there. Oh, TryHackMe, Advent of Cyber with John. That's super nice. Thanks for hanging out with us, everybody. That's fun. All right, let's get back to what we're really doing here. We're trying to hack. We're trying to be hackers. Oftentimes to enumerate, you wanna look at some pertinent system information like the version of the operating system or other release information. You can view some of that information with commands like this: catting out, in the /etc directory, anything that starts with anything, right, but ends with the word release. And uname -a to learn a little about the kernel, catting /etc/issue. Okay, so there are some great commands that we can run there, but there's an even better list of commands you could run manually for enumeration at the g0tmi1k blog. I'll go ahead and click on that and we'll go check out that page here. This is for basic Linux privilege escalation but you could essentially use a lot of these techniques to collect information and enumerate, learn more about the target environment or kind of the victim computer that you're looking at. You could figure out what sort of operating system it is, what's the distribution type, what version is it, what's the kernel version, is it 64-bit architecture, et cetera, et cetera. There's a ton of stuff in here.
So I recommend anyone explore that if you're interested. Okay, so jumping back to the TryHackMe page here, we wanna know what distribution of Linux and the version number this server is running. So let's try some of those enumeration commands there. Let's try that cat /etc/*release, with the asterisk or the star. And okay, looks like it's Ubuntu and the distribution release is 12.04. Nice, is that not the answer, right? We could run that uname -a, looks like it's Linux christmas and there's the kernel version, all that. Can we cat /etc/issue? Oh, that's the little banner that we saw when we were able to telnet in. Nice, okay, so it looks like that's the full version number, right, is Ubuntu 12.04. So what distribution of Linux and version number is the server running? It's Ubuntu 12.04. We'll go ahead and submit that. It says, oh, this is a very old version of Linux. This might be vulnerable to some kernel exploits that we could use to escalate our privileges. Oh man, there's a trend here. Seeing telnet, which is super duper old and insecure, and now an old version of Linux, so this Ubuntu distribution that might be vulnerable to kernel exploits. Take a look at the cookies and milk that the server owner left for you. Oh, we saw that cookiesandmilk.txt file. You can do this with the cat command as mentioned earlier, so we could cat cookiesandmilk.txt. Let me go ahead and do that. I will clear the screen one last time and I will run that cat cookiesandmilk.txt there. Oh, there's a lot of output. This thing at the bottom there though, ha ha. This is like a message, a note for us. Too bad, Santa, I, the Grinch, got here before you did. I helped myself to some of the goodies here, but you can still enjoy some half-eaten cookies and this leftover milk. Why don't you try and refill it yourself? Yours truly, the Grinch. Oh no. Oh no. All of our cookies and milk.
I'm scrolling up to see what else is in this file because I want to go back to where our command started when we tried to cat cookiesandmilk.txt. There's that note again, there's a little taunting tease here, but all this other stuff underneath it looks like code, right? You might already be familiar with what this is, and I'm putting on my play pretend hat here. Let's go back to TryHackMe and see what that says. Oh, it wants to know who got here first. The Grinch. We'll type that in. Oh, no, that's incorrect. How did they want it? I'll check the hint one more time. Enter just his name in lowercase. Okay, okay, so grinch. I like to do that kind of as a little sanity check, and TryHackMe is super duper generous, right? If you can count the number of asterisks, you can kind of get a good idea as to how many letters or whatever, however many characters might be necessary in that answer. So grinch, we can go ahead and submit. All right. The perpetrator took half of the cookies and milk. Weirdly enough, that file looks like C code. All right, yeah. That C source code is a portion of a kernel exploit called Dirty COW. Dirty COW, or CVE-2016-5195, is a privilege escalation vulnerability in the Linux kernel, taking advantage of a race condition that was found in the way the Linux kernel's memory subsystem handled the copy-on-write, or COW, cow, right? That's where we get the name. A breakage of private read-only memory mappings. An unprivileged local user could use this flaw to gain write access to otherwise read-only memory mappings and thus increase their privileges on the system. So you can learn more about Dirty COW here at this link. I'm gonna go ahead and copy that and I'll bring that into Firefox, I suppose, just to go check it out, right? Just to do our research, and we could go understand at dirtycow.ninja a little bit more about what this exploit entails.
I'm not gonna go into, hey, in the weeds here, really dive in the depths as to all this does and how it's gonna end up working, but if you were to take a look, there are a ton of POCs or proof of concepts as to how this can be used and abused as a hacker, right? As someone that's trying to escalate their privileges, and there are a lot of different options here. So let me go explore these and let's read a little bit more as to what we should be doing when TryHackMe says this cookiesandmilk.txt file looks like a modified rendition of a Dirty COW exploit, usually written in C. Find a copy of that original file online and get it on the target box. You can do this with some simple file transfer methods like using Netcat or spinning up a quick Python HTTP server, or you can just simply copy and paste it into like a text editor on the box. I'll do that, because copy and paste is pretty easy for us right here, but what is this that we're actually gonna end up copying? There are a lot of different proof of concepts here, POCs. Could I like take a snippet of the code and try and find it on Google or something? Is that? Or maybe I could like look in the repository. Is this a repository on GitHub? Yeah. So if I go here, oh, this is just a website. Is there, maybe I'll try and Google it. I will just literally paste in a portion of the code. Oh yeah, okay, sweet, that worked. dirty.c at, there's gg4, is that, oh, Dirty COW, dirty.c. So there's the official one. dirty.c, I literally just took a string, and then maybe you might need to, I don't know, do some trial and error to potentially find something, and don't use a line that could very well be in any other file. Like an include would not work all that well, but if you could get a snippet of code that makes a lot of sense for the context of what you're expecting maybe to find the original project from, then that might be a good technique and a tactic just to look for it. It says, this is the source code, right?
This is the original dirty.c rather than the one that the Grinch modified and took half of. We can't do a whole lot with this code that we found on the server, but using the original source code from the Dirty COW website and finding it on GitHub and everything, we could totally use this. So I'm gonna zoom in on this so we can explore it a little bit more. This exploit uses the pokemon exploit of the Dirty COW vulnerability as a base and automatically generates a new passwd line. The user will be prompted for the new password when the binary is run. The original /etc/passwd file is then backed up to /tmp/passwd.bak and it overwrites the root account with the generated line. After running the exploit, you should be able to log in with the newly created user. To use this exploit, modify the user values according to your needs. The default is firefart. Okay, good to know. It talks about the original exploit and links it and gives us the way that we could compile this. Okay, awesome. Let's get this on the target box. So I'm gonna click this Raw button so I can get just the original plain text here and I will kind of copy and paste all this. I'm gonna hit Ctrl-A on my keyboard to select everything and then we could right click and copy this so we could just put it on the box. I'll end up clearing my screen and I guess I'll nano just to get it in a simple text file. I'll call this dirty.c because that's what we knew it's going to be called. Then I can just paste this all in. I'll right click and paste and it is all funneled into the box. Okay, now I'll save it, and in nano I'm gonna hit Ctrl-O and I'll hit Ctrl-X to exit out of nano. And now I could run the ls command again and see it there. There's that dirty.c file that we just created and we want to go back to TryHackMe and say that we successfully got that code on the box. You can compile the C source code on the target with gcc.
You might need to supply specific parameters or arguments to include different libraries, but thankfully the Dirty COW source code will explain what syntax to use. Oh yeah, we saw that when we were reading it earlier. What is the verbatim syntax you can use to compile, taken from the real C source code comments? Oh yeah, yeah, yeah. Okay, so we just saw this. It's over here. It says compile with gcc -pthread dirty.c -o dirty -lcrypt. Okay, so is that the syntax that it needs? You just slap that in, submit it? Yeah, all right, okay, cool. Privilege escalation. Run the commands to compile the exploit and then run it. Okay, so the instructions here in the comments said, like, after you've compiled it, you can run the newly created binary by either doing ./dirty or ./dirty and then my new password. And then afterwards you can either su firefart or ssh into it. Oh, okay, so I'll get back in the box and I will paste in this compile line. Takes a second and it works. Okay, our prompt is back and now I have a dirty binary along with this dirty.c. So I could simply ./dirty and it'll ask me: /etc/passwd is successfully backed up to /tmp/passwd.bak. Please enter the new password. Please subscribe. Yeah, gotta squeeze it in somewhere. All right, and then it's trying to create this firefart user in /etc/passwd and it's doing the magic, right? It's taking a little bit of time to perform this kernel exploit that we were just able to compile and hopefully use for privilege escalation. So this is the benefit of Dirty COW, right?
Is that if you ever do find or you see some old, archaic, like ancient, whatever you want to go ahead and call it, whatever old school deprecated technology, one really old kernel version that isn't patched from the Dirty COW exploit, you could abuse it, slap Dirty COW in there and compile it for that specific version, if you can get it on the box with a compiler itself, run it and, fingers crossed, you could be root. I think that's kind of neat. I think that has some potential in the appropriate places, right? When you get lucky, or in the case that you can use this exploit for an old school deprecated and vulnerable kernel version, it works great. So all right, looks like it is done. Check /etc/passwd to see if the new user was created; you can log in with the username firefart and the password, please subscribe. Nice, cool. Don't forget to restore with the old original backup, and I think we're good, right? Let me clear the screen. I'll clear and I will su firefart just as it described and the password is please subscribe. Nice. Ooh, okay. So we are now firefart at christmas and we can see that in the prompt, and we have this octothorpe or the hashtag to indicate our prompt here. That means that our user ID is zero and that means that we are root. So if I were to type in whoami, it tells me, hey, you're firefart, but if I were to type in id, I have UID zero. I have a group ID of zero and I'm in the root group. Okay, so that means that I could hop on over to /root, and I'm getting ahead of myself, right? I think we should take a step back and go take a look at what TryHackMe is having us do here. Let's run the commands, compile the exploit and run it. What's the new username that was created with the default operations in the real C source code? Well, that was firefart. Submit that. Correct answer. Switch your user into that new account, hop on over to the /root directory and own this server. All right, so we're already firefart.
Yep, you can switch user accounts like so with su. We did that. And, oh, looks like the perpetrator left a message. What is that? Is there something over in the /root directory? Oh, there is. There's that, is that christmas? Can I run? There's that christmas script again. Okay. And what else do we have here? message from the grinch.txt. Oh man, he never left. All right, let's cat that out. Cat message from the grinch.txt. Nice work, Santa. Oh goodness, there's a lot out here. Let's scroll through. Nice work, Santa. Wow, this house sure was dirty. I think they deserve coal for Christmas, don't you? So let's leave some coal under the Christmas tree. Let's work together on this. Leave this text file here and leave this christmas.sh script here too. But go ahead and create a file named coal in this directory. Then inside this directory, pipe the output of the tree command into the md5sum command. The output of that command, the hash itself, is the flag that you can submit to complete this task for the Advent of Cyber. Yours, John Hammond. Or sorry, I mean the Grinch. The Grinch. Seriously, okay, great. So if I were to clear the screen, we're leaving this christmas.sh script in the directory and the message from the Grinch, but we need to create a file called coal, right? Is that what we need to do from TryHackMe's side? What is it saying here? Follow his instructions to prove you really did leave coal for Christmas. After you leave behind the coal, you can run tree and pipe it into the md5sum command. So I guess we just need to touch coal, right? Or like echo something and redirect it into coal. Now if I ls, I have coal in the current directory. So if I were to run the tree command, okay, it makes a little like tree, displaying out all the files in the current directory. That's a good little Christmas tree gimmick. And I pipe that into md5sum and that is the hash that we wanna submit. And that's like the flag that says, okay, cool, we rooted this machine.
We've compromised this server and we can go ahead and submit that. All right, that's it. Done. That's Day 13 of TryHackMe's Advent of Cyber 2. That is Coal for Christmas. And just a simple showcase of the Dirty COW local privilege escalation kernel exploit. I think that is pretty handy to use, but when you can use it in the appropriate circumstance and situations and scenarios, if you run into some really old, vulnerable, deprecated kernel versions and old school technologies and distributions. So, hey, that's it. That's the video. I hope it was fun. I hope that you have been enjoying TryHackMe's Advent of Cyber. I know I'm having a blast. I'm really, really thankful and absolutely flattered. They were willing to include me and like pour this task in. So thank you. Thanks to TryHackMe. Thanks everyone. Thanks, oh man. It's just gratitude. It's just Christmas. It's just a holiday spirit. All right, let's end this video before I go crazy. Thanks so much for watching everybody. I will see you in the next one. Take care.
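The exploit run in the video leaves a recognisable footprint on the host: /etc/passwd is backed up to /tmp/passwd.bak, and the root line is replaced by a new UID-0 account (default name firefart) whose password hash is written inline into /etc/passwd instead of /etc/shadow. The following Python audit is an added example by the editor, not code from the video or from the Dirty COW project; the passwd contents and the hash string are constructed, and the backup path list is an assumption taken from the exploit's own comments.

```python
"""Audit /etc/passwd for the artifacts left by the walkthrough's exploit.

Three conditions are checked: a UID-0 account that is not root, a password
hash stored inline in /etc/passwd, and a missing root entry. A separate
helper looks for the backup file the exploit writes.
"""
import os

# Constructed sample of /etc/passwd after the root line was replaced.
# The hash is a placeholder string, not output from any real run.
SAMPLE_PASSWD = """\
firefart:$6$constructed$PLACEHOLDERHASH:0:0:pwned:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/bin/sh
santa:x:1000:1000:Santa Claus,,,:/home/santa:/bin/bash
"""

# Constructed clean baseline for comparison.
CLEAN_PASSWD = """\
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/bin/sh
santa:x:1000:1000:Santa Claus,,,:/home/santa:/bin/bash
"""

# Backup path named in the exploit's comments (assumption: extend as needed).
BACKUP_PATHS = ("/tmp/passwd.bak",)


def audit_passwd(text):
    """Return (account, finding) pairs for suspicious entries in passwd text."""
    findings = []
    saw_root = False
    for lineno, line in enumerate(text.splitlines(), 1):
        if not line.strip():
            continue
        fields = line.split(":")
        if len(fields) != 7:
            findings.append((f"line {lineno}", "malformed entry, expected 7 fields"))
            continue
        name, pw, uid, _gid, _gecos, _home, _shell = fields
        if name == "root":
            saw_root = True
        if uid == "0" and name != "root":
            findings.append((name, "uid 0 account that is not root"))
        # Shadow-enabled systems keep 'x' (or '*' for locked) here; an actual
        # hash in this field is exactly what the exploit writes.
        if pw == "":
            findings.append((name, "empty password field"))
        elif pw not in ("x", "*"):
            findings.append((name, "password hash stored inline in /etc/passwd"))
    if not saw_root:
        findings.append(("root", "root entry missing, possibly overwritten"))
    return findings


def check_backup_artifacts(paths=BACKUP_PATHS, exists=os.path.exists):
    """Return the backup paths that are present on this host."""
    return [p for p in paths if exists(p)]


if __name__ == "__main__":
    for account, finding in audit_passwd(SAMPLE_PASSWD):
        print(f"{account}: {finding}")
    for path in check_backup_artifacts():
        print(f"backup artifact present: {path}")
```

On a live system, read /etc/passwd into `audit_passwd` and treat any finding together with a present backup file as a strong indicator that the root line was rewritten.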