What's up everybody, welcome back to another YouTube video on the SANS Holiday Hack Challenge 2018. I am logged into KringleCon here, and we're gonna be talking to Holly Evergreen, this nice elf that can give us some hints for objective number five, which is what we're gonna be going through in this video. She will give some hints after we complete the terminal challenge here, and we can go ahead and talk to her and see her dialogue. It looks like she has some HTTP/2 version of a server, or a web server, running, and we need to be able to curl to it. She gives us some hints: if we actually check out our badge here, we can take a look at the HTTP 2.0 basics, and we can open that up in a new tab. I'll switch to it here. It's kind of a lengthy article that's talking about HTTP/2 and how it really works. It's kind of cool though: it actually uses a little bit more binary in the way that the headers and the communication are actually done. It's no longer ASCII text, and it's actually going to be specific to a connection, right? So multiple pieces of data, or multiple files like the JavaScript or the CSS and HTML, can all come in one request rather than multiple. So it's very, very cool, and you can watch the video, the talk that's presented by Chris Elgee and Chris Davis, again just checking out that link here in the talks for KringleCon.

All right, let's jump into it. We have the terminal challenge here; I will go ahead and connect. Looks like we are looking at a web server running on localhost port 8080. We can check out the contents of the configuration file in the /etc/nginx folder here, so nginx.conf. We cat it out, and there's some interesting stuff here: kind of basic on HTTP, it's setting files, has some common stuff out here, "love using the new stuff" as a comment from Bushy here. Looks like it's listening on port 8080 and using HTTP/2. So that's peculiar. We can go ahead and try and curl it, right? curl http://localhost:8080, and we get some weird characters.
So that's not what we would have expected there, right? So if this is running on HTTP/2, we need to be able to speak that HTTP/2 language, or kind of talk that talk, right? Again, if you wanted to see more about this, please view the Chris Elgee and Chris Davis video, or the talk from KringleCon. It's really cool. They showcase using HTTP/2, just kind of the --http2 argument here for curl, but that doesn't give us a whole lot of success in this terminal challenge, which is odd. So I wondered, well, what else can we do? I tried to play with it on my own terminal here, like a command line that I have just running on my own machine. See if I can pull up a terminal... guess not. I'll just type it out again. I don't know why they keep moving out of here. All right, I guess I'm still on the Santa's Castle automation, but I want to use curl, except I noticed that my version is 7.47, which is old, at least relative to what they have in this Docker container. So when I tried to check out the man page for my version of curl and learn a little bit about it, it didn't give me anything that had HTTP/2 in it. So maybe I'm just behind the ball; I've got to update curl. But if we were to check out the man page of curl in the Docker container, we don't have man. That sucks. What we can still do is run curl with tack-tack, or dash-dash, or hyphen-hyphen (people asked me why I say "tack," but I guess it's just kind of... I don't know, it's what I said, military stuff, I don't know), so --help. We don't have less, so we can't pipe to less, but we can just go ahead and scroll through it. If you wanted to, you could grep for HTTP/2 and stuff like that. But it looks like, if we were to look through it, we have the --http2 argument that we can use. We also have --http2-prior-knowledge. So I thought, what is that? That sounds cool.
That's interesting. Let's go ahead and try it: curl --http2-prior-knowledge and then just connect to localhost:8080, and we get a valid response back, some HTML that's coming through. Okay: "to turn the machine on, simply POST this URL with parameter status=on." All right, let's just say --data status=on, and we get some good stuff. You see the achievement unlocked in the background there. "Unencrypted 2.0? Such a silly guy. Congratulations, you've won and successfully completed this challenge." All right, awesome. So that wasn't too hard, just kind of learning about the tool that we're using and reading the help file to see what arguments we can play with; and if you want to Google that and do some other research, you certainly could.

Let's see what Holly Evergreen has to say now. "Unencrypted HTTP 2.0. What was he thinking? Oh, well, have you ever used BloodHound for testing Active Directory implementations? It's a merry little tool that can sniff Active Directory and find paths to reaching privileged status on specific machines, or separate machines." I didn't see it. "AD implementations can get so complicated that sometimes it's hard to actually have the administrators understand what's going on." So they offer a link that we can check out in the hints here.
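What `--http2-prior-knowledge` actually changes on the wire, as an added example that is not part of the video or the KringleCon challenge: a prior-knowledge client writes the fixed HTTP/2 connection preface and a SETTINGS frame instead of an HTTP/1.1 request line, and an h2c-only server answers with binary frames, which is what showed up as "weird characters" when plain curl was used. The frame layout follows RFC 7540 section 4.1; the server reply bytes are constructed for this example, not captured from the challenge, and the h2c detection heuristic is an assumption built on the RFC's rule that a server's first frame is SETTINGS on stream 0.

```python
"""
Added example, not code from the video or the KringleCon challenge: what an
HTTP/2 "prior knowledge" client such as `curl --http2-prior-knowledge` writes
first on a cleartext (h2c) connection, and how to recognise the binary HTTP/2
frames an h2c server answers with, which is why a plain HTTP/1.1 `curl` printed
"weird characters". Frame layout follows RFC 7540 section 4.1. The server bytes
below are constructed for this example, not captured from the challenge.
"""
import struct

# RFC 7540 section 3.5: every client connection starts with this fixed preface,
# chosen so that an HTTP/1.1 server sees a nonsense "PRI" method and fails fast.
CONNECTION_PREFACE = b"PRI * HTTP/2.0\r\n\r\nSM\r\n\r\n"

FRAME_TYPES = {0x0: "DATA", 0x1: "HEADERS", 0x2: "PRIORITY", 0x3: "RST_STREAM",
               0x4: "SETTINGS", 0x5: "PUSH_PROMISE", 0x6: "PING", 0x7: "GOAWAY",
               0x8: "WINDOW_UPDATE", 0x9: "CONTINUATION"}
ERROR_CODES = {0x0: "NO_ERROR", 0x1: "PROTOCOL_ERROR", 0x2: "INTERNAL_ERROR"}


def build_frame(frame_type, flags, stream_id, payload):
    """9-byte frame header: 24-bit length, 8-bit type, 8-bit flags, reserved bit + 31-bit stream id."""
    if len(payload) >= 1 << 24:
        raise ValueError("payload too large for a 24-bit length field")
    header = struct.pack(">I", len(payload))[1:] + bytes([frame_type, flags])
    return header + struct.pack(">I", stream_id & 0x7FFFFFFF) + payload


def build_settings_frame(settings=None):
    """SETTINGS (type 0x4) carries 16-bit identifier / 32-bit value pairs and always rides stream 0."""
    payload = b"".join(struct.pack(">HI", ident, value) for ident, value in (settings or {}).items())
    return build_frame(0x4, 0x0, 0, payload)


def prior_knowledge_opening(settings=None):
    """The first bytes an h2c prior-knowledge client sends: the preface, then its SETTINGS frame."""
    return CONNECTION_PREFACE + build_settings_frame(settings)


def parse_frames(data):
    """Split a byte stream into (type_name, flags, stream_id, payload) tuples; stops at a truncated frame."""
    frames, pos = [], 0
    while pos + 9 <= len(data):
        length = int.from_bytes(data[pos:pos + 3], "big")
        frame_type, flags = data[pos + 3], data[pos + 4]
        stream_id = int.from_bytes(data[pos + 5:pos + 9], "big") & 0x7FFFFFFF
        end = pos + 9 + length
        if end > len(data):
            break
        name = FRAME_TYPES.get(frame_type, "UNKNOWN_%#x" % frame_type)
        frames.append((name, flags, stream_id, data[pos + 9:end]))
        pos = end
    return frames


def decode_goaway(payload):
    """GOAWAY payload: 31-bit last stream id, 32-bit error code, optional debug data."""
    last_stream, code = struct.unpack(">II", payload[:8])
    return last_stream & 0x7FFFFFFF, ERROR_CODES.get(code, "code_%d" % code), payload[8:]


def looks_like_h2c_server(data):
    """RFC 7540 section 3.5: the server's connection preface is a SETTINGS frame on stream 0, so a
    reply that starts that way instead of 'HTTP/1.1 ...' means the port speaks h2c only (heuristic)."""
    frames = parse_frames(data)
    return bool(frames) and frames[0][0] == "SETTINGS" and frames[0][2] == 0


def constructed_server_reply():
    """Constructed stand-in for an h2c-only server answering a client that sent no preface: its
    SETTINGS preface, then GOAWAY with PROTOCOL_ERROR as RFC 7540 section 3.5 allows."""
    goaway = struct.pack(">II", 0, 0x1) + b"invalid preface"
    return build_settings_frame({0x3: 128}) + build_frame(0x7, 0x0, 0, goaway)


if __name__ == "__main__":
    print("client opening:", prior_knowledge_opening({0x3: 100}).hex())
    for name, flags, sid, payload in parse_frames(constructed_server_reply()):
        print(name, "flags=%#x" % flags, "stream=%d" % sid, payload)
```

The same frame parser is useful from the defensive side: a listener that answers an HTTP/1.1 probe with a SETTINGS frame on stream 0 is an unencrypted h2c endpoint, which is exactly the "Unencrypted 2.0" configuration the challenge pokes fun at, and that is an easy thing to flag in an inventory scan.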
I believe it is just the demo from Raphael Mudge here, going "Hi, this is Raphael Mudge, creator of Cobalt Strike." So in this video he discusses how to use it, and it's not too hard. I thought we were gonna have to have that set up, and like go ahead and install BloodHound, get the Neo4j database and everything running and all the graph library and stuff, but it looks like the OVA, the virtual machine that they offered when we downloaded it in the hints here (or not the hints, sorry, but the objectives), looks like KringleCon, in the SANS Holiday Hack Challenge, just offers everything inside this Linux image. So if you don't have VMware, VMware Player, I would use VMware Player, because a lot of people are having a lot of issues with this VM inside VirtualBox, which is a free, like, available version. It sounds like someone, I think I saw in the comments or the chat here, was able to get it to work if you change the OS from Debian 32 to Debian 64. I haven't tested or worked with it that much, but I know I could not get it to work in VirtualBox, and I tried VMware Player and ended up doing okay with that, I think. But I now have VMware Workstation and I've been digging that, so we'll open that up and we'll see what we can do here.

Okay, so I've got the machine already loaded in. I just, like, go to Ctrl+O and open, and it's downloaded and all, so I can open up that image. Looks like it will start just fine for us. I'm gonna hit Ctrl+Alt+Enter so I'll get it full screen, and that way maybe VMware Tools will play nicely with it. Nope. Nope. Or it'll just go away. There we go. Great.
So I can't really zoom in all that well here; Ctrl+Plus and Shift+Plus didn't work in this terminal. But I'm just going to switch to the desktop, because I have a BloodHound shortcut in there, so we can ./bloodhound and it will open up for us. So it seems to log into the Neo4j database just fine. And I had never used BloodHound before, truth be told, to be completely honest. Um, I know it's covered in a lot of Hack The Box stuff. I think Reel is a machine, Reel. Yep, got the right number of E's. And, uh, but it's super cool, right? So let's say we have, uh, Domain Admin as the goal over there for an Active Directory, like, cluster or forest, or... I'm using all the wrong words. Domain Admin, and all these user accounts, and they're members of whatever groups that are accessible to some computers, and stuff like that. So if we were to use that hamburger button over there, you can see there are queries that we can run. Let's say I want to find the shortest path to Domain Admin, because that's what we need, right? We need to be able to figure out how we can, uh, leverage and work through a specific path from one user to reach the Domain Admin account. So we can specify this is the one that we're working with, and I actually ended up using some filters here. Uh, I actually tried to trim out... I think by default all these are enabled, so you can hit the checkbox to turn them back on and rerun the query here. That had a little bit more to view, but I had success when we removed the CanRDP box, right, because the prompt itself in KringleCon and in the Holiday Hack Challenge told us that you don't... like, totally disregard RDP. And then I just kind of removed everything else.
It's special, but it shouldn't make... I think ExecuteDCOM didn't work either. Again, run the same query, see what you can dig up, and I figured, okay, it's not going to be any of these users, because that's way too quick, and then we probably wouldn't have that account. But if we were in a compromise, or doing some pen test situation, we would have some of these other low-hanging-fruit accounts. So I thought, okay, that gives me a couple of options. So I tried just kind of going from the top down: this ldub dude, and the display name is lian dub j dub j. So I'm going to go ahead and copy this, because, as we have seen in KringleCon, it wants this... It doesn't say in here, but it should in the other... Okay, great, it says in the static page on holidayhackchallenge.com: it's in the username@domain.tld format. So we can go ahead and submit that. Oh, we've got to get back to navigating all these windows here. Paste it in, and thankfully VMware Tools and VMware Workstation is really nice, so I can copy and paste in and out. The shared bridged clipboard is really awesome and handy. So there we go, green check mark, another challenge complete. That one wasn't very hard, right? You just kind of mess with BloodHound a little bit, and really whatever it spits out, you're willing to trust and go with. That would be really, really cool if we did more with the Domain Admin stuff and tried to understand more about that data set, or actually had a compromised system to work with. Um, actually, it's really cool talking, and kind of lurking anyway, in the CentralSec Slack. Um, Jeff McJunkin and Ron Bowes and a lot of the other developers for KringleCon and the Holiday Hack 2018 challenge... Uh, I remember Jeff McJunkin, I think, was saying, like, "yeah, we had like seven different challenges planned for BloodHound, but we compressed it down to the one." I think it may have been seven. Maybe it was three, but seven sounds good too. All right, next challenge. Why don't I close that out?
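The "Shortest Path to Domain Admins" query and the edge-type checkboxes described above, as an added example that is not from the video, the challenge VM, or BloodHound itself: BloodHound keeps collected AD data in Neo4j and answers with Cypher queries, so here a small constructed graph (fictional users, groups, computers and domain) and a plain breadth-first search stand in for that, with the same edge names the video uses (MemberOf, AdminTo, HasSession, CanRDP, ExecuteDCOM). Unticking CanRDP and ExecuteDCOM in the UI is modelled as an `excluded` set; it shows why a path can disappear when those edges are filtered out and why walking the candidate users one by one finds the account that still reaches the target group.

```python
"""
Added example, not from the video or BloodHound: a minimal model of BloodHound's
shortest-path query with edge-type filters. All node and domain names below are
constructed for the example; the graph is fictional.
"""
from collections import deque

DA_GROUP = "DOMAIN ADMINS@CONSTRUCTED.LOCAL"

# Constructed (source, relationship, target) edges. Relationship names are the
# BloodHound edge types the video mentions; the nodes are made up.
CONSTRUCTED_EDGES = [
    ("ALICE@CONSTRUCTED.LOCAL", "MemberOf", "HELPDESK@CONSTRUCTED.LOCAL"),
    ("HELPDESK@CONSTRUCTED.LOCAL", "CanRDP", "WS01.CONSTRUCTED.LOCAL"),
    ("WS01.CONSTRUCTED.LOCAL", "HasSession", "DADMIN@CONSTRUCTED.LOCAL"),
    ("DADMIN@CONSTRUCTED.LOCAL", "MemberOf", DA_GROUP),
    ("BOB@CONSTRUCTED.LOCAL", "MemberOf", "IT-OPS@CONSTRUCTED.LOCAL"),
    ("IT-OPS@CONSTRUCTED.LOCAL", "AdminTo", "SRV01.CONSTRUCTED.LOCAL"),
    ("SRV01.CONSTRUCTED.LOCAL", "HasSession", "DADMIN@CONSTRUCTED.LOCAL"),
    ("CAROL@CONSTRUCTED.LOCAL", "ExecuteDCOM", "SRV01.CONSTRUCTED.LOCAL"),
    ("CAROL@CONSTRUCTED.LOCAL", "CanRDP", "WS01.CONSTRUCTED.LOCAL"),
]


def build_graph(edges):
    """Adjacency list: node -> [(relationship, neighbour)], preserving input order."""
    adj = {}
    for src, rel, dst in edges:
        adj.setdefault(src, []).append((rel, dst))
        adj.setdefault(dst, [])
    return adj


def shortest_path(adj, start, target, excluded=frozenset()):
    """Breadth-first search for the fewest hops from start to target, ignoring any edge whose
    relationship type is in `excluded` (the unticked checkboxes). Returns a list of
    (source, relationship, target) hops, [] if start is the target, or None if no path survives."""
    if start == target:
        return []
    parent = {start: None}          # node -> (previous node, relationship used)
    queue = deque([start])
    while queue:
        node = queue.popleft()
        for rel, nxt in adj.get(node, []):
            if rel in excluded or nxt in parent:
                continue
            parent[nxt] = (node, rel)
            if nxt == target:
                hops, cur = [], nxt
                while parent[cur] is not None:
                    prev, r = parent[cur]
                    hops.append((prev, r, cur))
                    cur = prev
                return hops[::-1]
            queue.append(nxt)
    return None


def users_with_path(adj, users, target, excluded=frozenset()):
    """The video's manual approach, automated: which candidate users still reach the target
    once the filtered edge types are removed."""
    return [u for u in users if shortest_path(adj, u, target, excluded) is not None]


def format_path(hops):
    """Render hops the way BloodHound's graph reads: A -[MemberOf]-> B -[AdminTo]-> C."""
    if not hops:
        return "(start node is the target)"
    return hops[0][0] + "".join(" -[%s]-> %s" % (r, d) for _, r, d in hops)


if __name__ == "__main__":
    graph = build_graph(CONSTRUCTED_EDGES)
    candidates = ["ALICE@CONSTRUCTED.LOCAL", "BOB@CONSTRUCTED.LOCAL", "CAROL@CONSTRUCTED.LOCAL"]
    for filters in (frozenset(), frozenset({"CanRDP"}), frozenset({"CanRDP", "ExecuteDCOM"})):
        print("excluded:", sorted(filters) or "none")
        for user in candidates:
            hops = shortest_path(graph, user, DA_GROUP, filters)
            print("  ", user, "->", format_path(hops) if hops is not None else "no path")
```

With nothing excluded every constructed user has a path; excluding CanRDP removes ALICE's, and excluding CanRDP plus ExecuteDCOM leaves only BOB, whose route goes through group membership and local admin rights rather than remote-access edges. The same query is what a defender runs to decide which edge to cut (remove a session, trim a group, drop a local admin grant) so that the path no longer exists.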
We want to take on the next objective, badge manipulation, number six: "Bypass the authentication mechanism associated with the room near Pepper Minstix. A sample employee badge is available. What is the access control number revealed by the door authentication panel? For hints on achieving this objective, please visit Pepper Minstix and help her with the Yule Log Analysis Cranberry Pi terminal challenge." All right, now we have to go track down Pepper Minstix.

Okay, so we found Pepper Minstix in the absolute corner of, uh, Santa's Castle here. Looks like she will tell us: "Hi, I'm Pepper Minstix. Have you heard of password spraying? It seems we've been victims. We feared they were successful at accessing one of our Elf Web Access accounts, but we don't know which one. Parsing through .evtx files can be tricky, but there's a Python script that can help you convert it into XML for easier grepping." Nice. And that's it. Okay, so let's check out the badge here, see what hints she offered: password spraying, password spraying with MailSniper.ps1. I open that up, and we can close out some of these older tabs we have here. "Sensitive Data Discovery in Email with MailSniper - Tradecraft Security Weekly." Oh cool, the Security Weekly podcast. They hosted Ed Skoudis a bit just before the opening of the Holiday Hack Challenge. Looks like this is a whole video we could listen to or watch, and we could certainly do that if we want to, but, uh, I won't showcase someone else's video in my own video, I guess. Let's get back to it. Check out Yule Log Analysis, see what we have in here. It says: "I am Pepper Minstix, and I'm looking for your help. Password spraying is to blame for this grinchly fate. Should we blame our password policies, which users hate?"
"Here you'll find a web log filled with failures and successes; one successful login there requires your redress." Uh, redress? "Can you help us figure out which user was attacked? Tell us who fell victim, and please handle this with tact. Submit the compromised webmail username to runtoanswer to complete this challenge." Okay, we have the Python script to apparently dump event log files, and the event log file itself, and the runtoanswer binary. Cool. Let's, uh, let's tackle this in the next video. As always, uh, thank you guys for watching. I hope you're enjoying this series. I say it in every single video because I really hope you are enjoying it. It's a lot of fun, especially to record and to crank through. So, hey, please do, uh, leave a like, comment, subscribe, all those fancy YouTube things that help, uh, you know, keep it growing, spread the love. Thanks guys. See you in the next video.