Hello everyone, my name is John Hammond. Welcome back to another YouTube video, and we are looking at more of the GuidePoint Security capture the flag challenges. So I am connected to their VPN. I am logged in on the scoreboard at 10.10.100.100, and I can hop on over to the challenges tab. In the last video, we finished up Jeffrey, one of the network boxes, and in this video we'll take on Bell, another network box. Again, this is all about kind of, hey, beginner friendly, hand-holding penetration testing stuff. So this says Bell is a network device hosted at 10.10.23. Your goal is to enumerate this device like you would in a penetration test. So we can run Nmap, Nikto, DirBuster, Metasploit, et cetera, et cetera. All of these challenge cards in the CTFd scoreboard will be related to this box and this specific IP address, and we have to go find the flags. So let's hop over to our command prompt, because that's where I'm gonna be really starting to attack this. I've created a directory for this Bell machine in the folder that I've designated for this GuidePoint CTF. So I will make a directory for Nmap and we will start off as we always do with that classic Nmap scan: -sC for default scripts, -sV to enumerate versions, and -oN to output in an Nmap format, against this box. So we'll supply the IP address. Nmap will return with some results eventually. If we didn't wanna wait, we could use something faster like RustScan. But this comes back, okay, we do have port 80, or a website, open with HTTP as a service there. So Apache is running it, and we do see that it is an Ubuntu box. So we can go ahead and start to scan it with Nikto. I'll use Nikto -h with the HTTP scheme, -h to specify the host. I'll go ahead and tee this out to a nikto.log output file so I can save the contents. And while that's running, I'll also create another terminal and I will go ahead and gobuster this. I'm gonna use gobuster dir.
So it's in kind of like directory brute force mode, and I can again pass in the argument here, -u to specify the URL, HTTP scheme of course, and -w to specify the wordlist. I will use the wordlist from DirBuster, directory-list lowercase medium, and I have that stored in my /opt directory. So I will let that run and then I'll go do some manual enumeration just by hopping over to the IP address in my own web browser. This says simply "welcome to our castle" and I don't see anything else here. I can Ctrl+A to try and highlight everything, but that's literally all we see. Again, I'll right click to view the page source, or hit Ctrl+U on my keyboard. And it looks like this is literally all that we've got. We've got just this HTML line for the roster check title and the header "welcome to our castle". So this is really frustrating and annoying. There's literally nothing here. So hopefully our Nmap scan or Nikto scans will return at least something, and Nikto doesn't seem to have anything interesting just yet. css, js and javascript: all of our gobuster scan results look like they're finding potentially static files that maybe we could access. Let's go to the css directory. Looks like we do have some entries there, but these all look like code for external libraries or modules that might be used elsewhere. I can see the .css, and the .min looks like a minified representation of UIkit, and scrolling through this it looks like it's just an actual library from a third party provider, not really something that is native to this webpage. Let's see if there's anything in js. Again, we see jQuery, so another library that again is something external, part of the JavaScript foundation, an open source tool, and UIkit stuff. So nothing extremely interesting in there. And we also saw a javascript directory which it looks like we can't access.
Okay, gobuster did include a phpMyAdmin page, so we can go check that out. phpMyAdmin, and maybe just like on the Jeffrey box we could supply weak or default username and password pairs like admin/admin as a simple guess. That fails. How about admin/password? That also fails, dang. Okay, so that won't let us in like we had on Jeffrey. Let's try something else, I suppose. I mean, if we wanted to brute force phpMyAdmin we could, and we could do that with Hydra or our own custom script or anything, but let's see if Nikto got anything worthwhile. Again, a lot of uncommon headers, some phpMyAdmin cookies and some default Apache files like icons, not really all that helpful. So at this point we might be scratching our head; we kind of hit a wall. Nothing to go off of here. However, we are noting that this is running phpMyAdmin and seemingly we're accessing .php files. So this is running on Apache on Ubuntu, and seeing this file, "welcome to our castle", is that an index.html? No, it's an index.php. So we can pretty strongly and safely say this is running PHP code. With that, all that we're doing when we're running our gobuster scan at the moment is just looking for potential directories, but we wanna be looking for files in this list also. To be able to do that, though, we kind of have to specify the file extension that we might wanna be looking for. So we could look for things like .php, now that we know that that's running, or we could look for some of those .js or .css files, because how come DirBuster or gobuster didn't find those when we were able to look at those specific folders in there? Right now, gobuster is only working in directory brute-forcing mode. So we've got to actually specify -x to specify the extensions that we might wanna look for. So let me go ahead and try that.
I'll use the same command, gobuster dir, with -x, but I'll specify php extensions, sh extensions in case we have like a Shellshock vulnerability, and we can do the same thing for cgi, txt files, or maybe backups or notes, and css and js if we really, really want. We could also look for like asp, or maybe we're potentially beating up an IIS server that's running ASP or ASPX. So we could toss that in, but we should hopefully just get stuff resulting in PHP. Now index.php returned just fine, but is there anything else that we might see on this webpage? We could let this roll for a little bit and we could see if Nikto got anything else. It didn't; it did just find phpMyAdmin. So I guess we'll just give it a little bit of time for gobuster to find something. Now, one thing to note, though, is that we are supplying the directory list and the wordlist from DirBuster. That might be helpful for us, but at the same time it might not include things that are pertinent to this webpage. This is kind of just the most common stuff in this wordlist, but if we are targeting a specific kind of custom website, inherent to a specific organization, they probably are gonna have links pertinent to the content that they discuss. It's hard to press the "I believe" button on this when we literally just have a "welcome to our castle" webpage, but maybe some of these words like castle or roster or check, maybe those are sensitive stuff that could potentially have another endpoint or another location that we could find if we created a custom wordlist specific to this webpage. We could do that. We could use another tool like CeWL, and I think I have CeWL installed. CeWL, /opt, cewl, cewl. Oh, okay, I do. I have /opt/cewl lowercase and cewl.rb, so it's a Ruby script, and I could simply run CeWL to create a custom wordlist for a specific URL.
It'll comb through the webpage and try and find unique, specific text that might potentially build out other endpoints that we could use in a tool like gobuster or DirBuster. So let's run CeWL with the URL for our webpage, http://10.10.23, and let's see if it gets anything. Looks like we have roster, check, welcome, and our castle, great. So let's just store this as a custom wordlist .txt, just paste those in there, and now let's stop gobuster and have it do that again with this custom wordlist that we've supplied. It didn't seem to find anything. It's curious to me that a lot of these are all capitals, and we might end up finding lowercase ones. So let me see if I can force convert this to lowercase. I'm gonna use Sublime Text to convert case for everything there. Oh, convert to lowercase, and now let's add that into our custom wordlist just so we have a different copy of that, right? Now we can again use the custom wordlist that we've created, though with these lowercase renditions of the words as well. So back to gobuster again, running it with our custom wordlist, which we have just modified. Let's see if we get any hits. Ooh, we do have roster.php. Okay, so that's finally something. Maybe we will have something interesting here in roster.php. So going to this URL, we have a roster lookup, which is interesting. It says "time until final rose petal drops" and it says "here's where she meets Prince Charming, but she won't discover that till chapter three". Okay, again, just out of habit I'll right click, view the source, Ctrl+U here, but it doesn't look like there's anything interesting here other than this HTML form, right? No other HTML comments, but we do have UIkit and jQuery being used, and we didn't see those in action on the previous index.php. So this is good. Maybe this is the real, actual functionality of this website. So let's poke at it. It's running a form here, right? We could submit, yeah. We could post an employee lookup.
So maybe this is gonna be processed server side with that PHP code. Let's just try and enter like "a" to see if it gets any results. Nope, nothing. What about "b"? B, bell. Oh, I just entered bell because it's the name of this box, right? Name is bell and role is princess. Did that return just like outright? No, it doesn't look like it. But I didn't see bell or princess in the source code originally. So where is it getting this data from? Maybe it's connected to a database. So with this roster lookup, we could try to do things like SQL injection or other attacks that might be able to get data when the database wasn't meant to give it. We could trick it or confuse it by trying to pass what normally would be data, like what we're searching for, the name bell. But rather than just bell as data, we can trick the database server with potential database code, and that's injected into the same query that's used to communicate with the database. Maybe it could leak some sensitive information. So I will try to use some SQL injection techniques to terminate the string. I'll use a single quote, because maybe that name is being filled in in the query with single quotes. And then I'll supply an "or 1=1" to see if we get any interesting results, because 1=1 is a condition that is always true. So if this condition evaluates to true, and we're using an "or" here, this absolutely will evaluate to true; let's see if we get any results. We can try with that hashtag or pound symbol or octothorpe to try and see if it will comment out the rest of the query, in case there's other SQL syntax that we might be clobbering with the SQL injection technique. So I'll submit that and, ooh, looks like it does have a lot of results. So that worked. Rather than receiving just one entry in the database, we had an "or" condition that evaluated to true and it dumped the entry for all of the user names and roles in this database. So we do have SQL injection. Cool.
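The roster lookup just described, as an added example that is not code from the video or from the challenge: a constructed copy of the staff table, the query built by splicing the employee name between single quotes (the pattern the quote-plus-"or 1=1" payload exploits), and the parameterized query that treats the same input as data. The demo runs on SQLite, so MySQL's "#" comment is swapped for SQLite's "-- " comment; all table contents are made up.

```python
import sqlite3


def make_db() -> sqlite3.Connection:
    """Constructed stand-in for the castle.staff table seen in the walkthrough."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE staff (name TEXT, role TEXT, secret TEXT)")
    conn.executemany(
        "INSERT INTO staff VALUES (?, ?, ?)",
        [
            ("bell", "princess", "constructed-secret-1"),
            ("beast", "prince", "constructed-secret-2"),
            ("lumiere", "candelabra", "constructed-secret-3"),
        ],
    )
    return conn


def lookup_vulnerable(conn: sqlite3.Connection, employee: str) -> list:
    """The vulnerable pattern: the submitted name is pasted straight into the SQL.

    A name of  bell' or 1=1 --   turns the WHERE clause into
    name = 'bell' or 1=1 -- '  and every row comes back, just as on roster.php.
    """
    sql = f"SELECT name, role FROM staff WHERE name = '{employee}'"
    return conn.execute(sql).fetchall()


def lookup_safe(conn: sqlite3.Connection, employee: str) -> list:
    """The fix: a bound parameter, so the quote and the 'or' are only a name to match."""
    sql = "SELECT name, role FROM staff WHERE name = ?"
    return conn.execute(sql, (employee,)).fetchall()


# The payload from the walkthrough, with SQLite's comment marker instead of '#'.
PAYLOAD = "bell' or 1=1 -- "

if __name__ == "__main__":
    db = make_db()
    print("vulnerable, plain name:", lookup_vulnerable(db, "bell"))
    print("vulnerable, payload:  ", lookup_vulnerable(db, PAYLOAD))
    print("safe, payload:        ", lookup_safe(db, PAYLOAD))
```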
At that point, we could use an automated tool like sqlmap to see if we could dump this stuff out. We could do this manually if we wanted, but sqlmap might work really, really well for us. So again, I have sqlmap installed in my /opt directory. I'll run sqlmap.py and we need to specify the URL, right? So let's go to this exact page that we're on, this HTTP and roster.php here. So I'll submit that, and I'll specify --form to denote, hey, let's go ahead and hammer this form that we're looking at on the page here. It says, do you wanna test this form? And we're like, yeah, yes. It found that we can supply employee and submit data through a POST form. So let's hit yes. And then yep, we are cool with it going ahead and supplying this POST data and filling it in with random values. Looks like it might be finicky. We can just let it continue and we'll see if it gets anything. I'll let this go. Now, when we supplied --form, it's gonna try and scan for that form every single time. Since we now know, because sqlmap found it for us, about this specific POST data that we could supply, that is what we can use the next time we run sqlmap, if we do. It says, oh, it found the backend database as MySQL. Do you wanna skip test payloads specific for other database management systems? Yes, because if we found that it is MySQL, that's all we really care about. Do you wanna include all tests for MySQL, extending provided level 1 and risk values? Sure, that's totally fine, I'll supply yes. Ooh, the POST parameter employee is in fact vulnerable. That's good, because that matches what we saw. Do you wanna keep testing any others? No, if we know that that's vulnerable, we can go ahead and exploit it. Okay, so sqlmap has found this specific injection technique and this specific attack through that employee type there, or that HTTP variable that we supply. I'm gonna use -d, so we specify that as a form here. Nope, I think we need --data, is that right?
There we go. So now it knows that this specific payload, or this specific attack, will perform SQL injection, because it's already figured that out. I'm just specifying, let's use that vector rather than looking at the form every single time. So if we have this, now we could try to do specific things that sqlmap can do, like dump the database, look at specific tables or specific other databases if we could access them, et cetera. So let's use --dump. See if we can dump the whole table. It found, oh boy, there's a lot of stuff. It found castle, what is all this, all this hex? I'll zoom out here, because there is a lot. What are all those? I'm gonna zoom back in, because there's a lot of secret stuff. Fetching columns for table secret in database castle. Okay, what is at the very, very bottom? There was another table in here. Yeah, yeah, yeah, yeah. There's a staff table in that castle database, and it looks like it had all of these names and roles that we saw earlier, but it also includes a secret column, and that is peculiar. I don't know what that secret might be. These don't look like hashes, though. They also don't look like hex. Maybe it's base64. I'm gonna copy this whole database response here and try and carve that out. So I'll open up Sublime Text again and just paste all this in. Now, you can see this just barely. I know it's kind of tiny, but what I'm gonna do is select all of the lines here. I'll cut off this header at the very, very top here and move the bottom border, but I'm gonna select all the lines with Ctrl+A in Sublime Text, and then I'll hit Ctrl+Shift+L to create multiple cursors here. So with Sublime Text, you can see that I have this big, long margin of cursors that I can use to be able to select multiple things. And if we're clever with how we move around our cursors, like if I were to use the Home key or the End key or Ctrl, I could bump around to different specific instances of characters and words.
So I will move by pressing End and then selecting everything else before the secret that I wanna carve out. Then I can remove it all. So now I have just this secret information. I'll save this as like a secret.txt or something, but let's see if this is actually base64. Let's go ahead and echo what we found here into base64 -d, but it doesn't look to be anything worthwhile. base64 can't decode it just fine. So what could this be? Are these other directories? Is this a file that has a period here? Let's try and use this as another custom wordlist, since apparently we've been doing that with CeWL here. Let's try to run DirBuster one last time. I think it was in the other terminal where I had that DirBuster syntax. And rather than the custom wordlist, let's use our secret.txt. And all these returned a 301. What does that mean? Do they all have, is it all like a redirect? Yeah. Okay. Is there anything in each of these? Oh, there's a lot of these. I don't know if I really wanna test each one of them. Oh, the third one, the CADS thing, has an entry. What the heck? It looks like a flag here. What is this? A flag two, is that what we're looking for? Or flag two A might be like another entry, because there's an A and there's a B here. Can I submit that? I never got Bell 1. Was that in the source of the roster that I didn't see, maybe? Cause I don't think, no, I did check the source of the roster, didn't I? Let's go back to roster.php, or was it in the database that I missed? I don't think so. What is this thing, though? This looks just like hex, and I keep seeing it over and over and over again in the secret table. Let's try and decode that. Let's echo this big, long thing into xxd -r -p. That's more base64. So let's base64 decode that. What the heck is that? Are each of those base64 things? If I base64 decode strictly that, let's throw this into CyberChef, cause I don't know exactly what that might be.
CyberChef, good utility online. CyberChef is really, really great for just hammering through stuff. So let's From Hex, and I feel like that's base64. So can I From Base64? I guess I'll just use the Magic thing and see if it can find anything, cause we know the format is "flag" now. So let's look for like flag one, maybe? No, what is that? Let's take a step back. Is there more to this? Are these different? Oh, these might be different. Oh goodness. Oh, wait a second. sqlmap tells me right where it stored it. Okay, so I have that. Can I subl that? These are all codes. Yeah, okay. So can I cat that and do like a while read line, do echo line, pipe it into xxd -r -p, done. Still a lot of noise for every single one of them. Is there anything else interesting in this? Or is it all just bad base64? Let's strings that, and let's do a while read line, do another echo line into base64 -d, done. Oh geez. Can I strings that? Is there anything interesting? Nope, that's getting a lot of errors. D, DevNol, P0A. That doesn't help me. Oh, you know what? All those strings up there may not be base64, when a lot of those had capital letters, right? Yeah, and like three equal signs, which is very uncommon. This might be base32 rather than base64. So let's change that to base32 -d. There we go. Okay, okay, now we're getting more hex. So let's try to, we probably don't need all these weird nested lines or while loops. So let's go to base32 -d, pipe, and then let's do another xxd -r -p and see if we get anything interesting in that. We do. Now we get more hex, xxd -r -p. Not the flag, not the flag, not the flag. Do we have anything that isn't "not the flag"? Not the flag. Ooh, there we go. Flag one. Holy cow. All right, that was an adventure. Let's go submit that. That should be Bell 1, and holy cow, that was agonizing. Okay, now we can go back to that guestbook that we saw, right? Enter my name.
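The layer-peeling done above by hand with xxd, base32 -d and base64 -d, as an added example that is not code from the video: a small Python decoder that guesses each layer from its alphabet and padding (the same capital-letters-and-"==="-means-base32 tell noted above), keeps peeling only while the output stays printable text, and stops when nothing decodes any further. The sample blob is constructed here by wrapping a made-up flag string in the same order seen in the dump (hex, base32, hex, hex from the outside in); the flag value and decoy are invented.

```python
import base64
import binascii
import re
import string

PRINTABLE = set(string.printable.encode())


def is_printable(data: bytes) -> bool:
    return bool(data) and all(b in PRINTABLE for b in data)


def try_hex(s: str):
    if len(s) % 2 or not re.fullmatch(r"[0-9a-fA-F]+", s):
        return None
    return binascii.unhexlify(s)


def try_base32(s: str):
    # Base32 alphabet is A-Z and 2-7; lowercase or '+' '/' rule it out.
    if not re.fullmatch(r"[A-Z2-7]+=*", s):
        return None
    try:
        return base64.b32decode(s)
    except binascii.Error:
        return None


def try_base64(s: str):
    if not re.fullmatch(r"[A-Za-z0-9+/]+=*", s):
        return None
    try:
        return base64.b64decode(s, validate=True)
    except binascii.Error:
        return None


# Order matters: a hex string is also valid base64, so hex is tried first.
# Heuristic limitation: a short base32 string made only of A-F and 2-7 with no
# padding would be mistaken for hex.
CODECS = [("hex", try_hex), ("base32", try_base32), ("base64", try_base64)]


def peel(blob: str, max_layers: int = 16):
    """Strip encoding layers while the result is printable; return (layers, text)."""
    layers = []
    current = blob.strip()
    for _ in range(max_layers):
        for name, fn in CODECS:
            out = fn(current)
            if out is not None and is_printable(out):
                layers.append(name)
                current = out.decode("ascii").strip()
                break
        else:
            break  # no codec produced printable text: this is the innermost layer
    return layers, current


def build_sample(plaintext: bytes) -> str:
    """Constructed sample: innermost hex, hex again, base32, then an outer hex layer."""
    layer = binascii.hexlify(plaintext)
    layer = binascii.hexlify(layer)
    layer = base64.b32encode(layer)
    layer = binascii.hexlify(layer)
    return layer.decode("ascii")


SAMPLE_SECRET = build_sample(b"flag1{constructed_example}")
DECOY_SECRET = "4e6f742074686520666c6167"  # constructed: hex of "Not the flag"

if __name__ == "__main__":
    for blob in (SAMPLE_SECRET, DECOY_SECRET):
        print(peel(blob))
```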
Okay, John, and comment, "please sub". That goes in, right? I guess I could do like, what? Can I do cross-site scripting in here? Like add an HTML tag. John, hello? Yep, okay, cool. I don't think anyone will actually visit this page, though. So maybe cross-site scripting might not be the right vulnerability to go after. So how does this do this? Looking at the source code, full name, input name, input text, I don't think we would be able to do a SQL injection again. How does this happen? Can we try weird stuff? Like, can we fuzz it? Ooh, a single quote just made it die. Is it like a command that it's running? whoami? No, that didn't work. Hello? Hello. Okay, maybe I broke the database with that earlier. Can I do like whoami with command substitution? No. What about backticks? Does that work? Ooh! Backticks got it in the name. It got the username, www-data, and then the comment, whoami, still kind of didn't interpret that as a command? But that is code execution. Nice, ls will execute and a. Okay, so let's just get a shell. Let's just get a reverse shell. Can I, do I have netcat? Or I mean, I guess, let's see if this thing can do a simple bash script. Let's do bash -c id, and then a. Okay, so we have bash, which is fine. So let's move over to pwncat, as I like to. And then let's git pull to make sure we have the latest version, which we do. So let's activate the virtual environment, source and then activate, and python -m pwncat. And let's listen on, I guess like port 8888. And now let's try to do a bash reverse shell. So bash -i needs to be redirected into /dev/tcp. I think there's an ampersand there, is that right? I'm trying to remember this bash TCP syntax, and I need to know my IP address. So ip a s tun0 for my attacking machine is 101063 on 8888. And then let's redirect 0>&1. And a comment should be a. So let's go move this to the other side and see if we get a shell come back.
We do not. Do I need that ampersand? I should really just go Google "bash reverse shell". I don't care if it may be harmful. Just go to HighOn.Coffee then. Bash reverse shell. Where the heck is it? Bash, bash reverse shell. bash -i, ampersand, that thing, attacking IP, at that thing, and it's ampersand one following it. So did I have that right? I did. Maybe I need a bash -c in there to denote to call that through bash. Let's make a comment, a. There we go. Okay, now we have a callback. Heck yeah. All right, we're running as www-data and we're on the box. Let's see what we got. Are there any directories in the home folder? Yes, there are. Can I access any of them? Backup or public seems to be world readable. So let's go in there. Oh, there's a flag. All right, I can't read it though. Wait, oh, I can read it. It's world readable. Heck yeah. Okay, there's flag three. So we can go ahead and submit that. Paste that in here. Good. Okay, so now we want to do some privilege escalation; we want to get root. We've got our command shell. We've got access, but how can we escalate our privileges? Let's have pwncat try and see what it can do to escalate privileges. It'll look for things. See if there are any setuid binaries. See if there are any sudo rules. Basically it's just going to do its own enumeration like LinPEAS might. And we covered that in the previous Jeffrey video, so if you haven't seen that, go check it out. Ooh, file read as root with /bin/cat and shell as root by /usr/bin/nmap. Okay, can I just exec? Shell as root by /usr/bin/nmap setuid. Did it work? Can I specify a user? run exec and then -u. Maybe, let me just check out the help. run escalate, no, -h. What else can I do other than exec? I want to know the module help for run escalate. Oh, okay, there are a lot of things that I can do. setuid, what else can I do with that? Can I run exec? Shell as root by /usr/bin/nmap, and it won't do it. Exec as root not possible.
How is that done? Is it just the version of nmap? Is it one of the old ones, right? Let's check GTFOBins, because pwncat is trying to understand this from GTFOBins. So let's see if nmap, which is weird that it has it, nmap --interactive. No, it doesn't have it. Okay, nmap just happens to be setuid, but it's not an old version that can do that. Unless, can I use this method? whoami. Wait, wait, wait. Whoa, what happened to my shell? whoami. Oh, I'm still www-data, but my shell's doing really weird stuff. Okay, so that is not the right route. I could do it with cat, because we saw that that was a setuid binary, but it doesn't give me a full shell. And that's kind of cheesy and annoying. Let me look into the pwncat source to see what I can do for run enumerate, if I can. pwncat modules or escalate; what can auto do? Cause auto will try exec. Okay, exec will attempt to execute a shell as the given user, and then read will attempt to read a file as the given user. Well, how do I specify the user? user default equals root. So that means that I could try to run escalate auto with read, and let's read /etc/shadow. No, what do I need to do to specify the file? Read and path. Oh, I think I need path. Diving into the source code of our tool to see how it's done. File path is not specified. Do I do a path equals? Yeah, oh yeah, okay, okay, that was it. So with that, if we have root privileges to be able to read because of cat, we could simply read root's flag.txt, right? That's it, nice. Okay, awesome, super cool. We could have totally just done that manually, right? We could just use the cat syntax from GTFOBins to read that out. And it's super duper simple, right? Because it's already setuid. So we could just simply cat root's flag.txt, cause that is a setuid binary. And we would have found that, right?
Doing it manually with find -perm -4000 from the root directory, and let's redirect all of our errors to /dev/null so we don't have to see them, and we do see cat in there. LinPEAS would have told us that. Obviously, pwncat told us that. But that's what we can use to at least read files as root. I'm kind of bummed with this setup, because I wanna have a root shell, right? But we can't write files with cat, so we wouldn't be able to clobber a password or modify anything. So whatever, I mean, a flag's a flag. We were able to read the root flag and we got it. So that wraps up the Bell box, or that machine, from the GuidePoint Security CTF. There were a lot of fun things to work through there. I think using sqlmap was kind of fun, and we went down a little rabbit hole trying to decode that little secret there, all that hex that we were trying to uncover, but that's that. That is all of the flags for the Bell box. So let's turn this video off. Let's all pack it up and go home. But hey, thank you guys so much for watching. I hope you enjoyed this video. If you did, please do tune in to some of the others where we're showcasing the GuidePoint Security capture the flag challenges. If you have any interest in this game, GuidePoint Security is doing this like once a week for the next couple of months, with new challenges every time that are, again, really friendly and really fun. So please don't hesitate to check it out, and I'll see you guys in the next video. Thanks so much.