Hello everyone, my name is John Hammond and welcome back to the YouTube video. In this video we're gonna be taking a look at a TryHackMe room, and this room is called 0day. It's put together by my good friend Ryan here, or 0day in the TryHackMe community. It has a medium difficulty, but we'll see about that. It says "exploit Ubuntu like a turtle in a hurricane," which is interesting and weird.

So I've already deployed the machine and I have already filled out the answers here, so please forgive me in that regard, but of course I will showcase how to find user.txt and root.txt and how to work through this room. So I've got the IP address, and let's hop on over to a terminal here. I've created this 0day folder in my directory structure, and we could take notes in a README file if we really wanted to. You guys know that I'm bad about that: I say I'll do it and then I don't.

Let's get started, though, with our typical nmap scan, or rustscan, whatever you want to do to start your enumeration. I will actually create an nmap directory and I'll nmap -sC for default scripts, -sV to enumerate versions, and I will do -oN to output into an nmap folder, or excuse me, an nmap log file in a specific directory that I've just created. I'll call it initial and I'll include the IP address there. So I will let that run, and while it's going I will go ahead and start another terminal down below here and maybe enumerate manually. I'll go see if there's a web page open. It does say "Root my secure website. Take a step into the history of hacking." Okay, so let's open up a new tab. I'll paste that in here to get the IP address, and it's loading. There we go: 0day, Ryan Montgomery. Good, I didn't know if I wanted to say your last name; I didn't want to dox you, buddy. Internet marketer, dev, entrepreneur, and all of the classic socials. That's good, dude, got to get that marketing in; marketing makes the world go around. Let's view the source on this in case there's anything interesting here.
I don't see any particularly weird HTML comments, other than, I guess, a commented-out Microsoft icon, nice. These are all external links other than a main.js file, but it looks like that's just toggling particles to look pretty and elite, but that's about it. Nothing interesting in the CSS file. Nope, it's CSS, so static files, nothing particularly interesting there. Okay, we could close out of that, and let's see if our nmap scan has come back. It looks like it has, okay. We've got port 80 open as we saw, and port 22 for SSH. Good to know.

All right. Well, because we know we have port 80, we can do some other enumeration. So I will get started with a little Nikto scan. I'll nikto -h on that IP address. You do have to supply the HTTP schema if you use Nikto, and I will tee that out to a little Nikto log so I can keep track of the results there. And I'll also do a little gobuster. I will do a gobuster with a dir methodology, or dir, to look for directories and stuff like that. I'll use -u to specify the URL, again HTTP as a schema, and then -w to specify the wordlist. I'm in Kali right now, so I should be in /usr/share/wordlists/dirbuster. I always have to like fumble to find this thing. Yeah, dirbuster, directory-list-2.3-medium, that's the one I want. So directory-list-2.3-medium, and whack. Okay, cool. So now gobuster will go along. Ooh, and it found cgi-bin and img and uploads and admin. There's a lot of stuff here. Okay, cool, this is cruising for us.

Let's go check out that /admin. Seemingly empty page. It gives me a 301 though, so what is that? That's a redirect. It should be a 301 response code; I should probably have these things memorized. I Google everything: moved permanently. Okay, yeah, it is a redirect; I don't know where it's actually going, though. Nikto's cruising over there. We found /backup also. /backup, what the... we've got an RSA private key here. Is this just for SSH? Is that it? Is that it?
Actually, I'll be honest, I'm feeling a little bit behind the curtain here; I'm breaking the fourth wall. I had not seen that when I went through this originally. Let's slap that in a subl id_rsa to create a private key. Is this, oh, it is encrypted? Let's tinker with this for a little bit. Let's specify this, and I can assume, right, we probably have a username ryan. What was the IP address of that box again? 10.10.14.250? 10.10.14.250, whack. Invalid private key format. Yeah, yeah, okay, I've got to chmod the thing, make it so only I can read it, chmod 600. If you ever see that warning, "unprotected private key file," then that's what you've got to spit on it. And the format: it has newlines, it's supposed to have newlines. Whenever I get that invalid format, I know it's supposed to have newlines; it doesn't need to, for some weird reason. What? Oh, yeah, yeah, yeah, okay. No, so it does just need a passphrase. Let me see if I can crack that. I have John the Ripper, right, don't I? I also know that I have rockyou. Okay, rockyou, excuse me. Do we need a little updatedb? Okay, let's keep looking around while that's doing its thing.

Also /secret. These are things that I had not seen before; I just kind of went straight to what I expected. So what is in /secret? Turtle? What is this? Turtles, and we have that turtle link. Can I like download this? Yeah, copy image location and then I guess that's like wget that. I'm gonna get another terminal up here. wget that guy. Is there anything like weird in this turtles? I'm just gonna strings it to see if there's anything hiding in this. It is a PNG file, so if there's any steganography we could use zsteg. Steghide won't work on this 'cause steghide only works on JPEG files, fun fact, and zsteg also only works on PNG files, another fun fact. updatedb is taking a long time. I'm pretty sure it's just in wordlists, like I probably don't need to do this. So let's actually copy /usr/share/wordlists/rockyou, that thing. Yeah.
Yeah, I literally saw it earlier and just didn't realize. Let's gunzip this, and now we have rockyou.txt, which is huge and ginormous, fantastic. Let's use John. Oh, I need to use like an ssh2john, don't I? Do I have ssh2john? I'm probably going down a rabbit hole here. I don't even know if this SSH private key is a thing that I care to use. Why does Kali Linux not have ssh2john? Fantastic question, internet. Let's steal all of this, as we do. Great, is that a Python 3 thing or a Python 2 thing? python3 ssh2john. Yeah, okay? I guess it just doesn't... id_rsa, spit that out. Let's redirect it to a forjohn.txt. Good, and now let's try and use John the Ripper on forjohn with the --wordlist equals our rockyou.txt in the current directory. Let's see if that actually ever gets anything. I don't know if it will. Ooh, "letmein" is the password. I don't know if you can see that down there. Great, can I use that? Let's Ctrl-R to get a reverse search in our terminal, and I'll look for the ssh -i gimmick and I'll try the password letmein. What? letmein. Okay, I don't know Ryan's password, but I did know that id_rsa is lame. Maybe that is a rabbit hole. I'll be legit, I did not see that when I went through this the first time, so Ryan, you can scream at me through your computer monitor if I'm being crazy. I probably am, but hopefully that was a little fun. It was a fun little excursion that we went on together, and I found the turtles page.

So what else do we have in that gobuster output? img, which was images, admin, css, js, that stuff's boring. Uploads, we didn't check uploads, did we? You guys that know this room know that I'm just beating around the bush here. Let's get to it. Let's get to the real stuff: cgi-bin. cgi-bin, let's check out what you've got in there. Forbidden, we do not have permission to access /cgi-bin on the server, ick. Well, we know that it's a thing. And what is a cgi-bin, if I were to simply Google that?
Let's take a look. Common Gateway Interface: in computing, a Common Gateway Interface, or CGI, is an interface specification for web servers to execute programs like console applications running on a server that generates web pages dynamically. Such programs are known as CGI scripts or simply CGIs. cgi-bin is a folder used to house scripts that will interact with the web browser to provide functionality to a web page or website. Common Gateway Interface, CGI, is a resource for accommodating the use of scripts in web design. Okay, so I don't know if you were able to process that, but it is going to be running console applications. If we're running on a particular, like, Linux server, maybe we can get an idea as to what we're actually looking at if I go back to that page. I'll hit F12 to open my developer tools and I'll take a look at this Network tab. I'll bring this up so you can see it, and we'll look at Ryan's mean mug over there. Okay, refresh the page. I can take a look at this GET request and we'll see if there's anything in the response, and my face might be in the way. The response headers here, let's see if they tell me anything interesting. Yeah, Server is Apache 2.4.7 on Ubuntu. So Ubuntu, I know that I'm running Linux, right? I know that the server is Linux, so if we're looking at console applications, we're probably looking at, like, Bash shell scripts for CGI. So with that in mind we can try and enumerate some of this stuff. Let's close out this gobuster instance and let's try and run another one with gobuster dir mode, -u for the URL, and let's include that /cgi-bin and then a forward slash, so that we're gonna start enumerating from there. But now we don't want to just be looking for, like, directories; we want to be looking for specific files, so you have to supply this -x argument to supply the extensions that you want to be looking for. If we want to be looking for these Bash shell scripts, let's use sh.
Let's look for a cgi file extension that might be there. We could look for log, we could again look for html in case there's, like, any index there, or php or js or css, whatever you want, but let's just let this roll and see if we find anything. I'll let this go for a little bit; I don't know how well it will go. But let's also go take a look at our Nikto results. Sorry, frantic file changes here; I hope you can see this. Oh, Nikto has just found /admin and /backup, and maybe those are particularly interesting. Oh, it also found, in cgi-bin, test.cgi: site appears to be vulnerable to the Shellshock vulnerability, and it gives me a link here that I can go check out. Okay, so Nikto found it. Gobuster probably hasn't yet, but it might get to it real, real soon. If there's a test.cgi file, let's take a look at that in that cgi directory. Let's go to test.cgi, and that tells me "Hello World", great, fantastic.

Okay, let's take a look at this Chromium page that opened up for me. "GNU Bash through 4.3 processes trailing strings after function definitions in the..." I don't need to offer a new password for a keyring, can you leave me alone? Thank you. Sorry. "...function definitions in the values of environment variables, which allows remote attackers to execute arbitrary code via a crafted environment, as demonstrated by vectors including the ForceCommand feature in OpenSSH sshd, and the mod_cgi and mod_cgid modules found in the Apache HTTP Server, scripts executed by unspecified DHCP clients, and other situations where setting the environment occurs across a privilege boundary from Bash execution, also known as Shellshock." Okay, so I'm excited about this, because I actually don't think I have a video on my YouTube channel that showcases Shellshock. Earlier, like when I did a cursory search for "John Hammond Shellshock," I don't think anything showed up. So I'm kind of excited to be showcasing this. I hope this will be kind of fun and kind of cool. Hopefully I don't take forever, but maybe you'll learn a thing or two.
So gobuster found it, great. Nikto has apparently found it a second time, I guess, and we know we have a response from that; we know we can read it with an HTTP 200 success. Okay, we've got that page. Now, how do we go ahead and abuse this vulnerability? What is this Shellshock vulnerability? I will do a little bit more Googling and research, because if this is literally the first time I've ever done a video on this, I do kind of want to give you a little bit of background.

Shellshock, also known as Bashdoor, is a family of security bugs in the Unix Bash shell, the first of which was discovered on 24 September 2014. So some time ago; like, this thing is old, right? Shellshock could enable an attacker to cause Bash to execute arbitrary commands, that's dangerous, and gain unauthorized access. Cool, cool, cool, cool. There are a lot of CVEs identified for this, probably because of all the different ways that it can be reached, like we discussed: DHCP, we discussed Apache, we discussed that sshd gimmick. I wonder if this version of SSH is actually also vulnerable to that in some way.

Okay, specific exploitation vectors: CGI-based web servers. When a web server uses the Common Gateway Interface (CGI) to handle a document request, it copies certain information from the request into the environment variable list and then delegates the request to a handler program. If the handler is a Bash script, or if it executes one, maybe using the system call, Bash will receive the environment variables passed by the server and will process them as described. This provides a means for an attacker to trigger the Shellshock vulnerability with a specially crafted document request. Security documentation for the widely used Apache web server states: "CGI scripts can be extremely dangerous if they are not carefully checked." Nice, okay, let's figure out how to abuse this now. Let me do a little bit more Googling. This page is apparently useless for me.
So "shellshock PoC," or "shellshock proof of concept." There we go. Oh, Mubix has some great stuff; we could check that out. Something on GitHub, like a little gist, another repository here. Mubix, or Rob Fuller, has got a ton of great stuff here. He's an incredible guy; I have a lot of respect for him. Okay, it showcases all of these different potential gimmicks: the Bash command line on Linux, OS X, and Windows via Cygwin. This is a specific CVE, and they're setting an environment variable, which we understood, with a little syntactic sugar there, and trying to stuff in another command: echo "CVE vulnerable," and bash id. Okay, could we just, like, try that? How do we do it? Let me copy, let me copy that syntax. HTTP... Ooh, there's a Metasploit module. Yeah, okay. I want to showcase that once we get to it, so stay tuned. Join us next time in five minutes. All right, that's enough of scrolling through this page. Let's actually tinker.

Let's open up this page here. Let's try and curl and invoke this: http://10.10.14.250/cgi-bin/test.cgi, so we get our Hello World response. Now let's try and actually supply one of those headers, right? So, header User-Agent, and I'm completely working off the cuff here, so I have no idea if this will actually succeed. In fact, I don't think it will. But let's supply this User-Agent variable and try and spit in this other syntax here, echo CVE vulnerable. This is using another set of double quotes, so I don't really want it to, because I'm already using double quotes for the header itself. Let's try it. No, okay. I'm not a thousand percent certain on that syntax, so let's keep exploring. This looks like it has the exact same code as the other page. Yep. Yeah, it literally says "taken from Mubix." Let's take out this other resource. This looks like a full, like, fully fleshed-out tool. "Shellshock, also known as Bashdoor..." straight copy-paste from Wikipedia. Oh, they give you, like, a vulnerable... That's really cool.
They give you a little vulnerable Docker environment to poke at and play with, ooh. Simple example: cat /etc/passwd. Supply the User-Agent, echo, echo, and then running the command with bash. What was I doing wrong there? Do I need, like, one of the echo echoes in there? Echo... Was it, like, it needs to be on new lines? No. All right, let's just try this syntax. Maybe I don't need this env thing; that might be because it's expecting you to be on a regular Linux command line, like within the terminal. Maybe I don't need to specify that environment variable; it'll just be kind of loaded. Echo, echo, and I don't need that "vulnerable" notion there; they just use a /bin/bash and then a command. How about that? What, that did nothing, that gave me nothing. Does it need to be, like, an absolute path, /bin/bash? Okay, it needs to be an absolute path. So that's something to take note of if you end up running a command through Shellshock: try and be explicit about your absolute path for the programs that you're trying to run, at least when you're invoking /bin/bash, and then you don't have to do it when you supply the actual command or argument within that bash -c subprocess.

So we could do whatever we want with this now, right? Like, we have remote code execution as that www-data user; we saw that in the id command output. But to read files we can cat /etc/passwd. Hey, there's that ryan user that we took kind of a guess on. So you could go through this and get your reverse shell now. You could fire up pwncat if you wanted to use that. You could do this super easy, right? That's the proof of concept and that is the little sweet sauce to trigger that Shellshock vulnerability. You could do this manually and you could run that and you could get a bare-bones, basic reverse shell. We did notice that, hey, there also is a Metasploit module.
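The mechanism walked through above is that mod_cgi copies request headers such as User-Agent into environment variables and a Bash CGI handler parses a value starting with "() {" as a function definition, then keeps executing what follows "};". The defender's counterpart is spotting that marker where it gets recorded: the combined-format Apache access log stores the User-Agent and Referer fields verbatim. The example below is added here and is not from the video or the room; the log lines are constructed samples with documentation-range IPs, and all names (Finding, scan_log, and so on) are my own.

```python
import re
from dataclasses import dataclass
from typing import List, Optional

# Constructed Apache "combined" access-log sample (not captured from the room).
# Lines 2 and 3 carry the Shellshock function-definition marker in a header
# field; the other two are ordinary requests.
LOG_SAMPLE = """\
203.0.113.7 - - [10/Oct/2020:13:55:36 +0000] "GET /cgi-bin/test.cgi HTTP/1.1" 200 12 "-" "curl/7.68.0"
203.0.113.7 - - [10/Oct/2020:13:55:41 +0000] "GET /cgi-bin/test.cgi HTTP/1.1" 200 45 "-" "() { :; }; echo; echo; /bin/bash -c 'id'"
198.51.100.4 - - [10/Oct/2020:13:56:02 +0000] "GET /index.html HTTP/1.1" 200 5120 "() { :; }; /bin/bash -c 'id'" "Mozilla/5.0"
203.0.113.9 - - [10/Oct/2020:13:56:10 +0000] "GET /img/turtle.png HTTP/1.1" 200 2048 "-" "Mozilla/5.0 (X11; Linux x86_64)"
"""

# One quoted log field. Apache escapes embedded quotes as \" so allow backslash escapes.
_Q = r'"(?P<%s>(?:[^"\\]|\\.)*)"'
COMBINED_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] ' + _Q % 'request'
    + r' (?P<status>\d{3}) (?P<bytes>\S+) ' + _Q % 'referer' + ' ' + _Q % 'agent' + r'\s*$'
)

# Unpatched Bash treats an exported value beginning with "() {" as a function
# definition and keeps parsing after the closing "};", which is what runs the
# injected command. The "() {" marker is the signature that IDS rules key on.
MARKER_RE = re.compile(r'\(\)\s*\{')
TRAILER_RE = re.compile(r'\(\)\s*\{[^}]*\}\s*;\s*(?P<trailer>.*)$')

# Logged fields that come straight from client-controlled request headers.
HEADER_FIELDS = ('agent', 'referer', 'request')


@dataclass
class Finding:
    ip: str
    time: str
    field: str        # which logged field carried the marker
    path: str         # requested path
    trailer: str      # text after "};", i.e. what Bash would have executed
    cgi_target: bool  # True when the request hit a CGI handler path


def parse_combined(line: str) -> Optional[dict]:
    """Split one combined-format line into its fields, or None if it does not parse."""
    m = COMBINED_RE.match(line.strip())
    return m.groupdict() if m else None


def scan_line(line: str) -> Optional[Finding]:
    """Return a Finding if any header-derived field on this line carries the marker."""
    rec = parse_combined(line)
    if rec is None:
        return None
    parts = rec['request'].split(' ')
    path = parts[1] if len(parts) >= 2 else ''
    for field in HEADER_FIELDS:
        value = rec[field]
        if MARKER_RE.search(value):
            t = TRAILER_RE.search(value)
            return Finding(ip=rec['ip'], time=rec['time'], field=field, path=path,
                           trailer=t.group('trailer').strip() if t else '',
                           cgi_target=path.startswith('/cgi-bin/'))
    return None


def scan_log(lines) -> List[Finding]:
    """Scan an iterable of log lines; unparseable lines are skipped rather than fatal."""
    return [f for f in (scan_line(l) for l in lines) if f is not None]


if __name__ == '__main__':
    for f in scan_log(LOG_SAMPLE.splitlines()):
        # An attempt against a non-CGI path is still a probe worth recording,
        # but a hit on /cgi-bin/ is where a vulnerable handler would execute it.
        level = 'HIGH' if f.cgi_target else 'probe'
        print(f"[{level}] {f.time} {f.ip} {f.field}={f.trailer!r} path={f.path}")
```

Headers that Apache does not log (for example Cookie or a custom header) would not be visible this way, so the same marker is worth matching at the WAF or IDS layer as well.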
I am of the opinion that there's no shame in using Metasploit if you know there's something available. For one thing, it's going to be more stable and more trusted, and it may be not as detection-sensitive, right? You could do a little bit more evasion stuff. So I fired up msfconsole. Now I will go ahead and search for shellshock. Great, okay, there's a lot of stuff here, so I'm gonna kind of zoom out so you can see this, and let me discuss some of the things that we can see here. The description is actually gonna do a really good job of telling us what's up. This is an auxiliary scanner, though; it's not an actual exploit. So while this reads, hey, Apache mod_cgi, I want to go for the exploit. So the exploit: mod_cgi Bash environment variable. So let's use this module. I copied that and I will use just that copy-paste that I got there. No payload configured, defaulting to Meterpreter; that's totally cool, I'm good with that. Let's try and show options. So we know that our LHOST is wrong, right? We've got to go ahead and set LHOST, and I can just use the interface here, so I'll set it to tun0, my current TryHackMe interface. We also know that we need to specify our RHOSTS, and that our RPORT is probably the same. Yeah, 80 is totally fine. So let's set RHOSTS to that 10.10.14.250, so we have the proper target. And then what else do we need in here? TIMEOUT is required, you can see that, yes, there in the required column, but it's already supplied. TARGETURI is what we need. Duh, of course, right? It needs to know what CGI script is actually vulnerable and in the way here. So let's set TARGETURI to cgi-bin, and it's test.cgi in our case. Great, I think that's everything we need. We know ourselves, we know the target, we know how to get to it, so we're good. Let's just do it: run. How do we look? Setting the stage here. Nice, Meterpreter session 1 opened and we've got a Meterpreter shell. Let's getuid. Heck, yeah: no-user @ ubuntu.
That's kind of weird. Uh, if I just hop into a shell, I'm gonna use bash -i so I can actually see my prompt, because otherwise I'm just kind of, like, driving blind here. Let's use bash -i. Great, okay. Now I can run the id command and I am still www-data. Great. Um, let's go explore. I can't clear my screen in this. Let's exit out of this and let's get back to our Meterpreter shell. Ctrl-C to terminate it. Yep, okay. Uh, let's go home, cd /home, and let's see what we've got in here. There is a .secret. What is that? Hey, is that real? Let me get back in that shell. I'm sorry, Meterpreter is great when you need to do, like, okay, extra command and control stuff. .secret, what the... Can I just read that? Is that real? No. But it's all readable. It's a symlink; I guess maybe I just can't read through the symlink. Whatever. All these curveballs that have been thrown at me while I'm trying to record this thing; we're already, like, a half hour in.

Let's get into ryan's home directory, because we can traverse into that; it has an everyone-executable bit. So let's hop over there and let's ls -la, and it looks like his user.txt file is world-readable. So we don't even have to be that ryan account; we can just go ahead and cat user.txt. Nice, there we go. That is that "shellshock rules" flag. You could submit it, slap it in there, and get some points on this guy.

Now we should try and do some privilege escalation to see if we can get root. We don't even have that ryan user yet, so let's just do some regular enumeration and looking around. Let me Ctrl-C again to terminate this channel. This is the benefit, right? So because we have Meterpreter open, and also the benefit of pwncat... Let me remove everything that's in there. I still have some of my stuff from when I ran through this earlier. Don't, don't tell anyone, don't tell. I just ran... clean it up. Okay, good. You didn't see anything. You didn't know that I staged this.
It's all artifice. Let's, uh, let's go ahead and upload /opt/linpeas. And now that that's uploaded, let's get back to our shell again. Again, I just really like Meterpreter for the command and control or post-exploitation as needed, but, uh, I keep supplying -i to shell and I don't need to; I meant bash. Let's ls -la. We've got our linpeas script there. Let's mark it as executable, linpeas.sh, and now let's ./linpeas.sh and let's tee it so we can keep a log of it, to, like, linlog.txt, or whatever you want. So if I fire that up, there goes our little pea head, and we'll do our enumeration. I'll scroll up, I'll scroll to the top here to see what we've got. I thought I saw something interesting already, because you know how linpeas will give you, like, that color-coded key or the legend, right? Oh, this Terminator is not going to let me scroll all the way up, you jerk. I need to, uh, adjust the scrolling here: scrolling, infinite scrollback, please. Thank you. Now I can't actually scroll to the top, dang it. And this is going to take a little bit of time. Let me just stop it here. Yeah, we don't need to run that; we've got that linlog.txt with a couple of things in it. So, back into my shell, bash -i. If you wanted to see the colors you can use less -R on linlog, excuse me, linlog.txt. "linlog may be a binary file." Yep, I don't care, show it to me anyway. Why did you not let me paginate through that? Oh, probably because you're weird through Meterpreter right now. But I've still got it out on my terminal and I can see everything that linpeas returned for me. So there's that beautiful pea head, and let's see what we've got. Remember that legend, remember that color-coded key here: red and yellow is 99% of privilege escalation vectors. So when we look through here, the operating system version, or this uname -a output, like when you try and check the kernel version, it's immediately notifying us, like, yo, there's something up here.
You could probably bork this; you can probably muff around with this. So 3.13.0 is an old, old, old, old kernel version, and just as we saw with Shellshock, and just kind of as we saw in the room here for TryHackMe, it's saying, look, take a step back, we're going through the history of hacking. So let's grab, like, this kernel information. Let's just grab the string. Let's try and look for maybe something in searchsploit. So I can stop gobuster, because we don't need to still be running that. Um, I can stop Nikto, because we don't need to still be running that, and I can also stop strings. Let's go ahead and searchsploit, though, and look in Exploit-DB for something with this kernel name. So I'm just going to slap that in, and it doesn't have anything. So maybe let's widen that search a little bit. Let's remove the -generic. Still nothing. Let's remove the -32. Oh, there we go. Now we've got something: Linux kernel this, and we've got some code and a text file we could look at. Let me zoom out so you can see that a little bit better, still on Ubuntu, and it's not going to tell me more than that, I guess, because I've got to shrink my screen. So let me just examine one of these. Let's searchsploit -x to examine this text file and see what it says. "The overlayfs filesystem does not correctly check file permissions when creating new files in the upper filesystem directory. This can be exploited by an unprivileged process in kernels with CONFIG_USER_NS=y when overlayfs has the FS_USERNS_MOUNT flag," et cetera. Oh, and they showcase it. Okay, cool. Create namespace; I don't know what that is. Maybe, is that something that they've got configured? Oh, yeah, okay, and they overwrite, like, /etc/shadow. "The attached exploit gives a root shell by creating a world-writable /etc/ld.so.preload file. The exploit has been tested on the most recent kernels before 2015 on older versions of Ubuntu." So, cool. If it's a privilege escalation thing, this explanation was handy.
Let's take a look at this C code. Maybe we could, uh, work with that. Exploit title: overlayfs local root in Ubuntu. Yep, everything that we just read about. In the comment they showcase the example use here, and you just get root. Okay, looking at this source code, it's making a little ns_sploit, taking advantage of the overlay filesystem, overlayfs, cool. Cool, cool, cool. All right, I'm cool with this. Let's give it a go. Let's give it a whack, you know. Let's, uh, searchsploit -m to mirror that 37292.c file, and now it's in our current directory here. Great. So because we still have our little Meterpreter shell, let's go ahead and upload that. I will upload ~/ctf/tryhackme/0day, and what was that called, 37292.c? Did I get it right? Nice, nice. That's why they pay me the big bucks. Just kidding, YouTube doesn't pay anything. Okay, no such file or directory, because the tilde, Meterpreter is going to trip over. Let's /home/kali, whack, cool. That's done. Now if I ls, that's over here, and let's get back to our shell. I'll bash -i so I have a prompt here, and let's gcc to compile this 37292.c, and it compiled. Hello? Second, I know, yep. Okay, there's just an a.out file in our directory now; no problem with that whatsoever. Uh, when I had gone through this the first time, I noticed that it, uh, couldn't find, like, cc1 or one of the compile binaries. It just didn't know where it was, so I needed to specify the, like, path to it.
I need to export my PATH variable and include that in there. It just said no such file or directory for the cc1 command. In case you ran into that, I just want to let you know, but it's not obviously important right now, and maybe the box got patched or something, or it got cleaned up, where we didn't run into that hurdle. If we weren't able to compile it on the target machine, like if it didn't have gcc, then we could just compile it locally and pass it over, or create a Docker container with the, like, specified version and everything to try and match it. But, uh, let's go ahead and run this, right? We've got a.out. That's so nice. Kernel exploits are crazy, dude. Now we're root. That's it. Okay, little privilege escalation stuff. Let's, uh, hop on over to cd /root and let's grab that root.txt. Nice, good job, 0day's pleased. I have pleased the 0day. Got it. Let's, uh, could I check out that, like, little .secret stupid thing now? I mean, obviously, because I'm root, but cat the .secret. Wtf, why is that there?

Hey, that was a lot of fun. I hope you enjoyed this video. I hope you were able to have some fun with me. I hope the little walkthrough through Shellshock was not painfully slow and annoying. Uh, I hope you got to learn a little bit there and see it from a lot of different perspectives, between doing it just bare-bones at the command line and also using a little bit of Meterpreter, and jumping in and out to, uh, clear us up from Meterpreter and, uh, our regular Bash shell, so we could submit this, get that root.txt, and consider this room done. So very, very cool. Very, very fun. Uh, I really like all the references to turtle, and now a turtle in a hurricane; I realized the Shellshock joke there in the gimmick. So thanks for this room, Ryan. Thanks for this room, 0day. Uh, I really appreciate this and thank you all so much for watching. I hope you enjoyed this video. Uh, please do all those YouTube algorithm things. Please like, comment, and subscribe.
You know, I'm super duper grateful. I'd love to see you on Patreon or PayPal or whatever if you're willing to help support. So thank you so much. I love you. I'll see you on the next video. Take care.