Hello everyone, my name is John Hammond. Welcome back to the YouTube video, and I am super duper excited to bring this to you. This is a video walkthrough and write-up of the Looking Glass room on TryHackMe. So let's hop on over to my screen here and I'll show you. This Looking Glass is a challenge room that is a sequel to the Wonderland challenge room, and I still need to give you guys a video on that, so hopefully that can come out soon, maybe tomorrow, we'll see. But this room is only less than a week old and I have completed it already, so forgive me for having the user flag and root flag in here. Obviously I'll showcase how to get each of those and what we'll be doing to get through all of those, but I don't think there are any write-ups for this out just yet, so I'm very excited to bring this to you. Let's get to it.

I've spun up the machine already, so let's grab the IP address and hop over to our terminal, where all the good stuff happens. I'll start off, as we start off with just about every box, with a classic nmap scan: -sC for default scripts, -sV to enumerate versions, -oN to save in an nmap format. I'll save it in an nmap directory that I created, with "initial" being the file name, and of course the IP address of this box. What I normally do while that is running is fire up another terminal and hop over to see: does this actually have a web page associated with it?
So I'll just throw that in, but it looks like there's nothing listening on port 80. Okay, so we don't really have Nikto or anything to run, or gobuster or anything. What we could quickly fire off is maybe to try other protocols and see if anything actually responds while we're waiting. Doesn't look like there's anything on FTP. We could run enum4linux, or just smbclient, to see if there's actually anything there on Samba or SMB port 445. I will promise you there's actually nothing there, but those are the things that I would do while I'm waiting for that nmap scan to finish. Since this is a video and I wanted to prove that I would be running an nmap scan, I'll just pause the video and let that finish, and I'll see you in just a few moments.

Okay, our nmap scan has finished. That did take a little bit of time to run, so please note that it will take maybe a few minutes. Let's open it up in Sublime Text to see what we're looking at here. I'll zoom in on this so you can see. It looks like we have port 22 open with SSH, just a regular OpenSSH server. They are running on Ubuntu, so we're gonna assume the target is Linux. And we see a lot of other, seemingly SSH servers. Oh, there's some weird ones on 900 up to 903; we can take a look at those manually if we need to. But if you see my minimap over here, there's just a lot of the same entry, from 9,000 up to 13,783, and these are all Dropbear sshd, the SSH daemon or server. So Dropbear must be a kind... Note here that nmap only ran its most common 1,000 ports, so if we wanted to we could start an all-port scan. I'll turn off the scripts running here, save that as "allports", and let that run while we start to enumerate and look at some of those oddball ones. I want to see that port there, and we have this FTP line.
So that already has the IP address and I'll just connect to that. And I get the exact same banner doing a simple banner grab with just netcat connecting to that port; same thing with 9,100. Okay. So we're just seeing a bunch of SSH Dropbear. I hadn't heard of Dropbear before, so I had gone to do some research on that: what is Dropbear SSH, and are there any known vulnerabilities or exploits for it? It is a Secure Shell compatible server. I would just simply, okay, Google "exploit", or see if there's anything worthwhile there, and Exploit-DB had some interesting stuff: remote code execution. Apparently there's some gimmick with a format string or a printf, and this explanation explained that you needed to use a hacked SSH client to be able to actually trigger that and activate that. I thought that was really weird. But looking at it for the very first time, I had gone ahead and just started to try to supply a username that would actually have that printf format in there. So I would SSH on a specific port like 9,000, which we knew had that, and I'd specify a percent-s at that location. Yes, we'll go ahead and accept that key or fingerprint or whatever. And I thought it was weird: it would respond to me with just the word "lower". It didn't ask me for a password or anything. So I was like, okay, do I need a different format specifier if I were doing that printf kind of technique? But I would always be responded to with "lower", and I didn't exactly know what that was or why that was there. I thought, okay, is it going to do the same thing on every single port or every single service that had that? So I would try some other ones, with that 9,100 or whatever. But every single time I did this, even without a username specified, if I would just let it use myself, I would just get a response like "lower" or "higher", and for every single other port...
I have to accept that key. But you'll notice when I tried one of those other ones, like the top thing that SSH had suggested, this port over here, that would still return some weird message, but in this case it was "higher". And I didn't exactly understand or know why it was saying lower or higher. When I used a really, really high number it specified the word "higher", and when I used the lower number, 9,000, which is where I saw the start of that string and strain of SSH ports open, that would tell me "lower". So obviously there's a little bit of a distinction between those, if I'm lower or higher, or if I'm too far onto either end of something. Maybe I would be narrowing down to actually retrieve some proper information. Maybe there's one service that is actually what it should be, but I am maybe too high, or I've used a port that's too high compared to what it should be when I use this big 13,001, or maybe I was too low when I used a 9,000 port. That was odd and funky to me. So I thought, okay, let's just simply look at all of these ports. Are they all going to respond the exact same way? So we'd have some janky script and loop to literally try and connect SSH for every single one of those ports. It might take forever, it might take a way, way, way long time, but we could do it. Like ssh_spam.sh; let's make a simple bash script where I could show you how that's done. I'll use a for loop, like for port in 9,000 to 13,000, as we saw. I guess the limit was 13,783; does it go up to 14,000? Let me try that on the command line: 14,000.
Nope, it didn't. But what about 13,999? That seemingly will respond, but that once again tells me "higher". Okay, so maybe I need to be somewhere in this mix. So let's do a simple for loop, and I'll use ssh -p to specify that port, and I'll use the IP address, which I can just copy and paste here and slap that in. Obviously if I were to run this you might see some interesting problems and predicaments, because it's not going to be automated all that well. Sure, we might be able to try a port. Oh, and actually I should printf what port we're working on, so you can see that output and how far we've moved along in the loop. But notice, obviously, whether I get a response lower or higher or whatever the case might be, eventually if I reach a port that I didn't already accept or connect to, I will be prompted to accept this key, and that takes away a lot of the automation here. So you could actually supply, and I've started to memorize this now because I've had to use it so often, StrictHostKeyChecking=no with the -o to specify an option for SSH. That way it'll stop asking you all those silly annoying things like, oh, do you want to accept this? In this case, yeah, obviously, that's a good security thing to do, to check, but in this case we just kind of want to see what's there. So I would let that run and it would just take gosh darn forever, because it's going through however many thousands of ports, and I would always get this response "lower" from the lower numbers and "higher" from the higher numbers. So I thought, okay, there must be something that I need to be smack dab in the middle on and get the right value. I thought "lower" was maybe referring to, okay, network big-endian, because it's an SSH protocol port thing doing things with networks.
Maybe I'm too low when I specify that number. But obviously, I don't know, maybe you would expect to read that in a different way. So let's go back to what we were doing: we're just manually connecting to it. But that script could work for us if we just let it run; maybe eventually we'll get a hit. But if we had the methodology and the thought that, okay, 9,000 was too low, could we try 10,000? And yes, we'll accept that. That says "higher". Okay, so let me actually do a StrictHostKeyChecking, there we go, set that to no and run that command again. We know that this one was higher, so that was too high. So let's do a little binary search. Because we knew that 9,000 was too low, we could go kind of in the middle of that and try to see: is 9,500 too high or is that too low? That's too high. Okay, so we'll cut that in half. We'll go like 9,200: is that going to be too high or too low? That's going to be low. So what about 300? Now that we know, okay, we're sort of finding the sweet spot in the responses that it gives me. We know that one is too high, so let's go in between, excuse me, 9,200 to 9,300. Let's go to 50 within that and have that range. Too high. Okay, let's shrink that down again, let's go like 20. And I would use this manual process, and it's very annoying and frustrating because it's a little whack-a-mole game, right? But it would at least be a little bit faster, and we could automate this process if we really wanted to. But okay, 240 is too high, so let's try 230, because we know that 220 is too low. I would literally just do this until I found the sweet spot. So 230 is too high and 220 is too low, so let's check out that last digit there with a 5, and that's too high. Okay, so let's go to 2: too low. So we've got to be between 3 and 4 then. I'll try 3, sorry my face is in the way, but that's too low.
So let's try 9,224. We'll find the port, hopefully, hopefully, hopefully, that has something real here to return to us. And yeah, okay, cool, we get something super duper new. This says, oh, you found the real service, solve the challenge to get access to the box. And it says Jabberwocky, but "solve the challenge to get access to the box", that sounds kind of promising. Jabberwocky, and then seemingly a lot of gibberish and nonsense, and we have to enter a secret. So I looked at this, and it's pretty easy to tell, okay, all of these are English letters, right? So we're at least using the regular alphabet. Maybe this is some substitution cipher or ROT13. So if I took this, and maybe I just simply, let's make a directory for this, like jabberwock, or a file. Slap that in, let's cat out jabberwock. So now we've got that on standard output, and let's bring that to rot13. Still didn't give me anything interesting. rot13 is actually part of the bsdgames package, so if you're on an Ubuntu or a Debian-based system you can get the command-line things to do the Caesar cipher, or another specified-key cipher, with bsdgames other than rot13. You could also use caesar with a specific key specified, or a shift value, a number: three, four, five. Obviously 13 will just be ROT13. I would just try each of these, and I would put that in a little loop. I'd go zero to 26, or like one to 26. I'll do it: "done", and then a "do" and "done" here, and specify that iterator. What's the issue? "for i in", excuse me, okay. And I would have all of the possible rotations, or ROT13s, in there, but that still didn't particularly give me anything good. So, okay, it's not a rot.
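The manual "too high / too low" narrowing above, written out as a binary search. This is an added example, not the video's own loop; it assumes what the walkthrough observed (decoy ports reply "lower" or "higher", they reply at once, and exactly one port in the range replies with anything else), and the host address is a constructed placeholder.

```python
"""Binary search for the one real SSH service among the Dropbear decoys.
Added example, not the video's script. Assumes what the walkthrough observed:
decoy ports reply "lower" (the real port is higher than the one tried) or
"higher", they reply quickly, and exactly one port in the range replies with
anything else. The host below is a constructed placeholder."""
import subprocess

TARGET = "10.10.10.10"  # constructed placeholder, not the room's address


def classify(reply):
    """Map a port's reply to a search direction: "lower", "higher" or "found"."""
    text = reply.strip().lower()
    if text == "lower":
        return "lower"    # we are below the real port, search upwards
    if text == "higher":
        return "higher"   # we are above the real port, search downwards
    return "found"        # anything else is the real service


def ssh_probe(host, port, timeout=15):
    """Probe one port with the ssh client and return what it printed.
    StrictHostKeyChecking=no and a throwaway known_hosts file suppress the
    fingerprint prompt that broke the loop in the video; stdin is closed so
    the real service, which waits for a secret, cannot hang the scan."""
    cmd = ["ssh", "-o", "StrictHostKeyChecking=no",
           "-o", "UserKnownHostsFile=/dev/null", "-o", "LogLevel=ERROR",
           "-p", str(port), host]
    try:
        proc = subprocess.run(cmd, stdin=subprocess.DEVNULL, capture_output=True,
                              text=True, timeout=timeout)
    except subprocess.TimeoutExpired:
        # Decoys answer immediately, so a hang is treated as the real service.
        return "(no reply before timeout)"
    return proc.stdout + proc.stderr


def find_real_port(probe, lo, hi):
    """Binary-search ports lo..hi using probe(port) -> reply text.
    Returns (port, reply), or (None, None) if every port said lower/higher."""
    while lo <= hi:
        mid = (lo + hi) // 2
        reply = probe(mid)
        verdict = classify(reply)
        if verdict == "found":
            return mid, reply
        if verdict == "lower":
            lo = mid + 1
        else:
            hi = mid - 1
    return None, None


def simulate_probe(real_port):
    """Constructed stand-in for the box so the search can be run offline."""
    def probe(port):
        if port < real_port:
            return "Lower\n"
        if port > real_port:
            return "Higher\n"
        return "You've found the real service.\n"
    return probe


if __name__ == "__main__":
    # Offline run against the simulated target; for a live box swap in
    # find_real_port(lambda p: ssh_probe(TARGET, p), 9000, 13999)
    port, reply = find_real_port(simulate_probe(9224), 9000, 13999)
    print(port, reply.strip())
```

Across the roughly 5,000 ports seen in the scan this needs at most 13 connections instead of one per port.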
It's not a rotation cipher, but what else could it be? Another thought that I would have, if I'm looking at something that doesn't look like obviously readable English, but we know it's using English letters: it may be a simple substitution cipher, and quipqiup is really, really great at handling those. So I went to quipqiup.com and I'd submit this and see if it would work. It tries its darnedest, but it just didn't get it. When I was looking at it, it would have a couple of letters that might have been correct, maybe, but it also had a lot of question marks and things like, hey, I just don't know exactly what I'm looking at with all this. It couldn't track it down. So that was not the right route, and I was banging my head against the wall trying to get that right. I want to showcase a thought process of the things that I'm trying when I'm encountering this thing but I don't know what it is. My other thought was, okay, still English letters. Maybe this is another classic cipher thing, maybe a Beaufort cipher or a Vigenère cipher. Vigenère, Vigenère, I never pronounce that right and the internet yells at me. So I would search for Vigenère cipher and I'd throw this into dCode.fr. That's kind of a simple, cheesy one. I think my geocaching profile, that's a website that also does a good job here. And I would try, okay, knowing a key, like, I don't know a key. This thing was labeled Jabberwock when I looked at it, so maybe Jabberwocky is what we just supply here, and I could specify decrypt. But that didn't seem to get anything. When I was just clicking around in here, I just let it try to do an automatic decryption and see if it could figure anything out, and suddenly I noticed that it did figure out a key on its own. It said "the alphabet cipher". It's kind of hard to read there, but that is the key that it seemed to use. If I paste that in, I wonder if it'll get it just right.
Yeah, yeah, yeah, and that reads it out totally fine. It says "'Twas brillig, and the slithy toves did gyre and gimble in the wabe". I don't know what any of that might be, but at the end here it says your secret is "beware the jabberwock". All right, so let's save this, just have a copy of it. I'm just gonna say decoded_jabberwock. And because there are a lot of moving pieces and parts of this room, we could probably get started with a little readme or whatever: "found port 9227 to be real service. Received cipher that was Vigenère cipher" (I can type) "with key thealphabetcipher and got secret beware the jabberwock". There we go. Okay, so if we need to actually interact with that SSH service and supply that secret, maybe that will work better for us now. Connect to it, and there it is. Okay, so "enter secret". I'll paste that in, Shift+Ctrl+V, and we get a response: jabberwock, faces a glow affectionate rock. Now for some of you that have already worked through this room or you've tried to take a look at this, I will tell you that this changes: the port that you will find this little puzzle on, and the secret you'll have to supply, does change, and that can be really, really frustrating, especially as you do some of the later parts in this machine. So we've got some credentials, but consider these kind of temporary. But with that said, now we might be able to connect to just a regular SSH port with this credential, jabberwock with his password. I copy that, connect to it, slap that in, and there we go. Okay, we've got access to the box, temporarily, right? Let's check out what we've gotten here. We have a user.txt. user.txt, great. This key looks to be reversed, because you can see the "MHT", or "THM" backwards, so you could pretty easily correct that with just rev, piping it to rev, and now you've got the proper key, and that's what you would go ahead and submit for this here. Okay, so now we would like to do some regular enumeration, right?
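The two decodings tried on the Jabberwocky text, every Caesar shift and then Vigenère with the key dCode recovered, as an added Python example that is not from the video. The sample ciphertext is constructed by encrypting the room's secret phrase under that key; it is not the real text from the service.

```python
"""Caesar brute force and Vigenère decryption, matching the two things tried
on the Jabberwocky text. Added example, not the video's code; the ciphertext
constant is constructed from the room's secret phrase and the recovered key."""
import string

ALPHA = string.ascii_lowercase


def rot(text, shift):
    """Shift letters by `shift` positions, keeping case and other characters."""
    out = []
    for ch in text:
        if ch.isalpha():
            base = ord("A") if ch.isupper() else ord("a")
            out.append(chr((ord(ch) - base + shift) % 26 + base))
        else:
            out.append(ch)
    return "".join(out)


def all_rotations(text):
    """The 0..25 loop from the walkthrough (caesar from bsdgames) as a dict."""
    return {n: rot(text, n) for n in range(26)}


def vigenere(text, key, decrypt=False):
    """Vigenère over a-z. The key advances only on letters (dCode's default),
    so spaces and punctuation pass through and do not consume key characters."""
    shifts = [ALPHA.index(k) for k in key.lower() if k in ALPHA]
    if not shifts:
        raise ValueError("key must contain at least one letter")
    out, i = [], 0
    for ch in text:
        if ch.isalpha():
            s = shifts[i % len(shifts)]
            out.append(rot(ch, -s if decrypt else s))
            i += 1
        else:
            out.append(ch)
    return "".join(out)


# The key dCode found for the real ciphertext, and a constructed sample:
# the room's secret phrase encrypted under that key.
KEY = "thealphabetcipher"
SAMPLE_CIPHERTEXT = "ulaact ahf ntdjtyafvr"

if __name__ == "__main__":
    for n, candidate in all_rotations(SAMPLE_CIPHERTEXT).items():
        print(f"rot{n:02d}: {candidate}")      # none of these read as English
    print(vigenere(SAMPLE_CIPHERTEXT, KEY, decrypt=True))  # beware the jabberwock
```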
We can sudo -l. Looks like jabberwock can reboot the server. Cool, that's kind of interesting and peculiar. There are obviously some other files in here, poem.txt, and that looks like the exact same poem that we saw when we connected. So what is this twas_brillig script in here? Oh, it just walls the poem to everyone that's logged in. That's really funny, cool. But it's a shell script, right? That's kind of interesting, that it's just in his home directory, that there's a shell script that will seemingly do stuff. Why would this be here? We can do some other enumeration to find out. To speed that up, I will just fire up Guake so I can use some of my cheesy poor man's pentest and upload... Actually, you know what? Let's get pwncat in here, because people always tell me that they'd like to see some pwncat. So I added a simple pwncat.sh script in my poor man's pentest sort of functionality here, just so I have a quick and easy trigger to activate that. Its working directory is going to put me in my cloned repository of pwncat and activate my virtual environment, and then go ahead and run pwncat listening on a given port with a data pwncatrc file. So I will then just run a simple reverse shell with bash, and that should work. So let me try and see if I get that to work: pwncat.sh. We fired that up, and that failed. It probably didn't have enough time to get it. There we go, now pwncat's up and running. I'll zoom that in and I'll make this dark text background so we can kind of make sense of where we are. Does he actually ever get a hostname? Oh, it's backgrounded.
Let me foreground that command. I've been trying to figure out what I could do to spawn a reverse shell and then continue the operation in that original shell. It's weird to do that, because obviously if you wanted a pwncat shell or session you would just start off with that, and pwncat I think can SSH, but I've been having some funky issues with it. I might just not have the proper libraries or things needed. But okay, we're jabberwock, there we go. Okay, let's go ahead and switch to our local prompt here and let's upload a local file. I have LinPEAS stored in my opt directory, so let's upload that: linpeas, excuse me, .sh. There we go. I'll zoom in on that; it kind of screws up that little uploader. But now if I hop back to jabberwock, we do have a linpeas.sh file, so let's go ahead and run LinPEAS. You could do enumeration just with pwncat itself; pwncat has an enum functionality that is meant to do a lot of the enumeration that LinPEAS already does, and still be smart about it and use it with its own privilege escalation techniques and other interesting things. It's slow on a target, but I can show you: if you do enum --show -a or something, it'll start to enumerate things. But this might take a while, especially when you're going through whatever VPN connection. And it'll start to look for stuff if I give it a little bit more time. Without boring you too much, it will look for crontabs, and there we go, look for setuids and capabilities, etc., etc. But it won't show you it all until it's kind of done, which isn't an issue, but there should be some other stuff that we want to do. So that's a thing. Let me stop it. Okay, there, I lost that pwncat. Let's do that one more time. We'll just connect to it again, and there we go. Maybe I was too quick. Okay, and now he's going to make his connection, running in /bin/bash, and let's make that dark. Cool. Okay, back in jabberwock. Let's go back to his home directory.
We already put LinPEAS there, so let me just run LinPEAS. I'm sorry for beating around the bush; let's speed that up. Here we go. LinPEAS might take a while to run also, but it looks like we have an old sudo version. Maybe we could kind of abuse that. We got CPU, environment, nothing particularly stands out. LinPEAS does a really good job of color coding the stuff that's interesting. Oh, and that just died. Oh, you know what? That's probably because of all of the listening ports, and netstat will return that. So let's just do it through the SSH session. I'm sorry. Let's capture that, save that output. We're taking our time here, guys. There's a lot to unpack here. Okay, what is this? What section is this? This is a crontab, so cron jobs. So looking through everything that we saw earlier, we have some interesting software: lxc is in here, for containers, that's kind of peculiar, and we have a compiler, maybe that will come in handy at some point for some reason. Binary processes running, ps, looking at cron jobs. A lot of these look as they should, but one down below has an interesting note here: upon reboot, the tweedledum user will run that twas_brillig script. Oh, and we have control over that, because that's in our home directory. Okay, so that way we could at least move into that tweedledum user, because we can control that code, and maybe we can make it come back to us. That's a thought. Let me keep looking through this before we forget to. And there's a lot here, obviously. Nothing immediately stands out with the color coding. Oh gosh, and all of these netstat entries, all the listening ports. Let me turn on the scrollbar and zoom right on past all of that output. Holy cow. Okay, okay, that's enough. Are we done yet? Oh my gosh. Okay, we're at the end. There we go. My user is jabberwock, as we know; no PGP keys; our sudo -l output; linpeas.sh. Oh, this is like an error, and I've seen this a little bit in LinPEAS.
It's weird; it trips up on the sudoers.d README file, and I don't know why. But it's actually, I think, kind of a good thing, because it reminds me to go check out that directory where some things might be able to hide. So I'll take a look at some of those if I can, I guess. Users with console: there are a lot of users. We have humptydumpty, tweedledee and tweedledum, of course a tryhackme user, and alice. Sorry, I almost forgot about alice. A lot of users to work through. Oh boy, we are in for a treat. Okay, alice seems to be logged in. That's funky. And tryhackme's logged in. Wait, is that last logins? Yeah, yeah, yeah, okay, so some time ago. And almost done, I swear. I know this is probably the most boring thing for you. No seemingly weird setuid binaries, at least right now. Remember, when we're running LinPEAS we're only running it from the perspective, the vantage point, of our current user. So jabberwock doesn't have a whole lot that he can do, seemingly, other than his reboot. He can sudo reboot; he can actually reboot the box. And we know that cron job will fire off as the tweedledee or tweedledum user, whichever one that was. That would actually execute code that he has control over. Okay, so that's fine. Now that we have that game plan, remember sudo -l. Oh, and before I forget, I do want to check out sudoers.d. I can get in there and we can cat out the README file. I can't cat out the README file. Can I cat out myself? No. Can I cat out alice? Whoa, I can cat out alice. "alice ssalggnikool", that's looking glass backwards. Oh, and that must be specifying it for the host, and she can just run /bin/bash as root. Okay, so it looks like alice is like the keys to the kingdom, right? If we get into alice, we're good. Peculiar. Okay, okay, good to know. What else did we have in there? We had the tweedles. Can I read those? Nope.
I can't. Whatever. Let's get back to our mission here, to modify our twas_brillig and go ahead and get a connection back as the tweedledum or tweedledee user. Before I do that, I know this is going to come to bite me, because as I said it will change the port that you connect to and the password, specifically for this jabberwock user. So before I go crazy, let me try and make another SSH connection to this machine, jabberwock at this thing. Well, I'm gonna have to reboot it, so that wouldn't work either. Gosh, I hate this gimmick. You're killing me with this gimmick. Is that password still there? Is that still the right password currently, or will it change on me? Because I know it does. Okay, good, that still works. Regardless, we need to modify our twas_brillig script. So let me just have pwncat listen on a specific port, and I'll slap that in with my current address, and 21564 will be the port that we use. Okay, so we could just run that upon reboot, and since we can reboot, it will work. So let me spin this up, make that black, and let that listen. And let's just remove this session, because we're gonna have to, stupidly, reboot the box, which is a weird, sensitive thing to do. Let's ping him. Actually, sorry, let's reboot first: sudo reboot, and it requires no password. He's doing it. Now let's start to ping, and in a little bit we should see our pings come back online, and we should see a connection from our listener. I realize this output's really, really wonky because I zoomed in, so I'm sorry about that, but you can still see rich with its nice little loading bar. That's kind of nice and fancy. All right, I will pause just a moment and see when this comes back online. Oh, okay, there are pings and we've got our connection. Okay, great, pwncat's running in /bin/bash, setting up our prompt, and we are the tweedledum user. All right, where are we? We are just in the root directory.
Let's go home. And we have humptydumpty.txt and poem.txt. Let's check out poem.txt: "Tweedledee and Tweedledum agreed to have a battle". Oh, this is just another silly poem from the Alice in Wonderland stuff. humptydumpty, let's see what that has. humptydumpty, that looks like just hex nonsense. Are these hashes? How long are these? Echo that into wc -c: 65. Okay, well, no, because that's, oh, that is including the newline. So maybe that's a hash. Whatever, let's cat that again. Oh, this one's funky. This looks like ASCII, or like the sheer amount of sixes and sevens makes me think that this is just going to be actual English, or hex stuff. That's a real thing. Let me try that. Let me cat humptydumpty again and let me xxd -r -p to unhexlify all that. So the top stuff is nonsense, but the bottom part has a password: "the password is" that thing. And what is it a password for? Is that a password for humptydumpty, or myself? Can I sudo -l? Oh, I can get into tweedledee, because I'm tweedledum right now; no password, /bin/bash. Okay, so we have two things going. Let me just jot this down: humptydumpty's password, maybe, or whatever; we found that in humptydumpty.txt. Let me see if I can get into tweedledee. So I'll sudo -u to specify that user, and then I'll run /bin/bash, and there I am. Okay, I'm tweedledee. Can I do anything interesting as tweedledee? I can get right back into tweedledum. Okay, what's in their home directory? Oh, it doesn't think that that's set right now, so I'll have to go to /home/tweedledum, tweedledee, tweedledee, that's the current user that I am, and we have humptydumpty and poem.txt. The exact same, literally identical to tweedledum. Fantastic, useless, great. Let me exit out of that, let me go back to tweedledum, and let me try that humptydumpty password. Can I su to humptydumpty? Try this password. Yes, okay, cool.
So that gets you in as humptydumpty. And tweedledee and tweedledum might have been able to see more in the file system; maybe they had access to some setuid binaries or setgid stuff, so it would be worthwhile to run LinPEAS on those as well. But we could do it as humptydumpty just as easily. Can I SSH in as humptydumpty, because I have his password? Like ssh humptydumpty@, gosh, why do I always lose this IP address every single time? Slap that in this location, and his password. No. Very weird. I have his password, but I guess, wait, is that public key? That's a public key. Am I just not allowed to log in with a password as him? Now it's just permission denied. Okay, whatever. Let me set my prompt back. What can humptydumpty run as root? Did I check that already? We have his password. "humptydumpty may not run sudo". Okay. What was in his own directory? poetry, poetry.txt. Oh gosh, what is this? "You seem very clever at explaining words, Sir," said Alice. Okay, Alice is in play. And then Jabberwocky. Is there going to be steganography in here? Is there going to be something funky and weird? I could download this. Let me download poetry.txt. There we go. Where am I? Oh, I'm just in the home directory, you're in the repository of pwncat. Whoops. I guess that makes sense, right? There's no extra tabs or spaces in here. I don't know what that could be. Whatever. Okay, maybe that's a lost cause. Okay, so enough acting at this point. I was stuck on the humptydumpty user for so long. I could not track down what the heck to do. While I was just bumping around the file system, I would run LinPEAS again, I would run LinEnum again. When I went back to take a look at the users and to see, oh, would I be able to actually move into any of these other directories?
It was weird to me because I could tell that jabberwock was accessible by everyone, because LinPEAS and LinEnum would always see files within jabberwock and it would know that it could see them, and that was just weird. So I took a look in the home directory and I noticed a really weird thing, where alice, this other user alice, has her home directory executable by everyone. So when a directory is executable, that means you can actually move into it, but if it's not readable, you can't read anything in there, which is really weird and funky. So I would try to move into alice, and I could be there, but I couldn't actually read anything in there. I couldn't see any files. But, weird leap of faith, weird thought, and it took me forever to freaking come to this, and I owe all the shoutouts and kudos to the people that were helping me bump ideas back and forth: if we're looking at their home directory, and SSH is the thing, maybe we can access that .ssh id_rsa, or their private key. So I thought, let's go ahead and try. Inside her home directory, let's check to see if we can see her private key. And we can. Okay, if I try and ls this, it's a thing. I can ls -l this. Apparently that private key is just owned by me, owned by humptydumpty. Because I thought, well, why did I not see that, or was there a reason I couldn't see that as jabberwock or as tweedledee or tweedledum? And tweedledee and tweedledum were a weird rabbit hole themselves, because they could just circle back into each other with their sudo privileges. But alice's SSH key is apparently just owned by humptydumpty; it's owned by this current user. So regardless, we have a private key. I'm scrolling up way too high, so let's grab this. Let me just slap that into an alice_idrsa file, and then let's hop on over to my YouTube looking glass directory and let's ssh -i alice_idrsa alice@ the IP address and see if we can log in.

Oh, I need to mark that as ours and ours alone, so chmod 600, try again, boom. Now we're alice. Okay, so we got that user. And remember, with some of our previous enumeration, if you were to check out that sudoers directory, alice has her own file that, once again, for some reason we could read. So alice just seems to have weird permissions. But note, if I were to try sudo -l it would need a password, and that wouldn't work, so I wouldn't be able to see that with sudo -l, because I don't know alice's password. But we were able to find it and see it within /etc/sudoers.d and that alice file. Weird gimmick, though: they set up this issue where you are using a different hostname for sudo than it would normally be. So if I were to sudo bash, it would need a password. So it's not triggering this no-password setting, because we aren't at the right hostname right now; we're at looking glass and not looking glass backwards, that mirror, right, the reverse of it. So what do I do here? How can I fake the hostname? I tried to Google this a little bit. I was like, "sudo fake hostname", and how to change the hostname. These are all things you could do, like modifying /etc/hosts or /etc/hostname. And I tried to see, okay, can I actually modify that file? I have permission denied on reading or writing on that, and that didn't work. sudo command, trying to search for hostname, set a hostname, hostnamectl.
I couldn't modify hosts, same thing, and /etc/hostname, still unwritable. That would not work, and I'd have to reboot, right? And I don't know if that change would actually take effect. So I would do a lot of research for this, and it took me a little bit, but then the answer kind of came to me: sudo with a different hostname. I'll look through some of my previous research to see where the solution actually popped up. I think it's here. Yeah, yeah, yeah, it's right here: the sudo command can actually take a hostname parameter. So you can just straight up specify that, like, you don't need to do any hardcore crazy things to modify it, like the real legitimate machine hostname. You can just simply sudo -h and that looking glass in reverse, and then try and run /bin/bash. And there you go. You're root. That's it. Now you're root of the box, right? cat root.txt, there we go. rev that again for that nice gimmick, you could slap that in and get your points. So that was that.

Interesting room, interesting things here. What is this, the end file? I don't think I actually took a look at some of these. Nice, I like the Alice in Wonderland theme. I thought that was very cool, kind of fun and clever. What are these passwords that we've got here, pass generator? Oh, so you can probably see, like, how jabberwock had his password reset or changed, for some of you that might have been struggling with that. I know I was when I was going through it. passwords.sh, yeah, pass generator to TryHackMe password, and they would just apply it to jabberwock. Gosh dang. So, weird things, right? Let me explore a little bit more and kind of showcase this, if you're totally cool. I know we're on a long video and it's going to be even longer. Um, alice, I noticed that she has that weird directory, and I was so confused: why couldn't I read that, or why couldn't anyone else, any other users, read that id_rsa key? So, moving into alice's home directory. Oh, she has a kitten file.
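The sudoers gimmick described above, as an added audit example that is not the video's code or the room's actual sudoers file: a small parser that flags NOPASSWD rules scoped to a specific hostname rather than ALL, since a rule like that only holds up as long as the hostname check does. The sample content, the placeholder hostname `mirror-host` and the user `example_user` are constructed for this example.

```python
import re
from collections import namedtuple

Rule = namedtuple("Rule", "user host runas tags commands")

# Constructed sample sudoers content (not the room's file): the last rule is
# keyed to a hostname placeholder instead of ALL and waives the password.
SAMPLE_SUDOERS = """\
Defaults env_reset
root    ALL=(ALL:ALL) ALL
%sudo   ALL=(ALL:ALL) ALL
example_user mirror-host=(root) NOPASSWD: /bin/bash
"""

# user  host=(runas) [TAG: ...] commands   (simplified: no aliases or #include)
RULE_RE = re.compile(
    r"^(?P<user>\S+)\s+(?P<host>[^\s=]+)\s*=\s*(?:\((?P<runas>[^)]*)\))?\s*(?P<spec>.+)$"
)
SKIP_PREFIXES = ("Defaults", "Host_Alias", "User_Alias", "Cmnd_Alias", "Runas_Alias")


def parse_sudoers(text):
    """Parse user-specification lines; comments, Defaults and alias lines are skipped."""
    rules = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line or line.startswith(SKIP_PREFIXES):
            continue
        m = RULE_RE.match(line)
        if not m:
            continue
        # "NOPASSWD: /bin/bash" -> tags "NOPASSWD", commands "/bin/bash"; "ALL" -> no tags
        tags, _, commands = m.group("spec").rpartition(":")
        rules.append(Rule(
            m.group("user"),
            m.group("host"),
            m.group("runas") or "root",          # sudoers default runas user
            tuple(t.strip() for t in tags.split(":") if t.strip()),
            commands.strip(),
        ))
    return rules


def host_scoped_nopasswd(rules):
    """Rules that waive the password but only match a specific hostname.

    The video shows sudo -h <host> satisfying such a rule, so the hostname
    in the rule adds nothing the caller cannot supply; treat it like ALL."""
    return [r for r in rules if "NOPASSWD" in r.tags and r.host != "ALL"]


if __name__ == "__main__":
    for r in host_scoped_nopasswd(parse_sudoers(SAMPLE_SUDOERS)):
        print(f"{r.user} may run {r.commands} as {r.runas} without a password on host {r.host}")
```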
I never really showcased that. Whatever. But her .ssh directory is still executable, people can move into that, and this id_rsa is owned by Humpty Dumpty. Very weird, interesting misconfiguration. Uh, so I was thinking, like, how could I have ever remembered or thought or made myself actually see that leap of faith, or be able to take that and know to go there, other than, oh, I see that alice's home directory is very weird with an executable bit on it? That tipped me off to it. But how do I make sure that I will catch that in the future? So let me deviate and actually go back to some pwncat stuff, um, just because I want to be able to know how to make this better and make me smarter. So for those of you that just wanted the walkthrough for this room, that's the end of the video. I hope you guys enjoyed. I think they were really interesting and cool tricks for rooting this box, and some fascinating gimmicks and stuff to stumble on and trip over, but I hope you enjoyed and hope you learned a thing or two. That sudo -h trick is kind of neat. Um, okay. To seeing how we could smartly determine alice's private key, um, I go to pwncat, right, because this is how we're trying to weaponize or automate some Linux red team operations or things. And how could we track down this private key?
So if you take a look at pwncat.readthedocs, pwncat is the labor-of-love project that I've been working on with my good friend Caleb Stewart, and it's on GitHub. If you have any interest in this tool, GitHub, calebstewart, pwncat. There you go, you can play with it and tinker with it, but we're trying to do some more interesting things with it, because we might end up making it look like a little bit more of a Metasploit methodology and trying to run some things or communicate with some things. But, uh, pwncat is supposed to smartly be able to understand the victim or the target or what you've connected to. With that it could do enumeration, it can automate privilege escalation for simple setuid or sudo password stuff, and it's also really just a great thing to have working alongside you for easy upload and download and transfer, C2, exfil, whatever. There's a lot you can do with it, because you can automate and script on the victim without ever being on it before, and that's kind of neat. So I had the thought, because pwncat has some enumeration, like it will try to enumerate the same way that, uh, LinPEAS will, and it has different providers or types of things to enumerate and look for to actually make that happen. So I would run enum -t, and if I tab complete you can see some of the things that it could look for. I look for file capabilities, crontab, fstab, maybe some kernel exploits that, like, I don't know, the Linux Exploit Suggester might showcase, or the screen version, or the processes running, or the private keys, or sudo, setuid. There's a lot of stuff it could look for and uncover and find. And the user private key is the original thing that you would see if you're actually still working with pwncat and you're tinkering with it. Let me actually show that and see if it can dig it up or track it down. This user Humpty Dumpty does not have a private key, right?
So let me, uh, start to, let me su to alice, and I'm kind of going off script here right now, right? Like, let me run that one more time. My timing was probably just a little too quick. Make that black one more time. So I'm running as alice right now once pwncat starts up, and I could run that enumeration one more time. So let me simply enum user private key to see what we've got, and it hopefully would... okay, apparently just not find her private key. Or... nope, not going to show it. Fine. That demo was useless. Incredible. So let's look at what else we could do, because that would just look for a private key that that user owns, and since alice doesn't own her private key, apparently, maybe it's just not going to showcase it. What I wanted to do is I wanted to write something where you would look through all of the home directories and just check to see, can you read that user's home directory and their SSH private key? Is that going to exist? Will that work?

So I took a look at pwncat's code, and I recommend you kind of doing this as well if you would like to tinker with it, if you're interested in that sort of thing. You can download, clone the repository, work with it. But pwncat is nice in that its victim module has a lot of information already stored about what it's really working with. So there's a section here, the victim object, and you can simply search for, like, users, and it actually has in the victim object an understanding of what users are available on the target: return a list of users, the local database cache; if users have not been requested, this will call victim.reload_users, and reload_users will search and find those and get all that info. So I disconnect, let me just get a regular shell. Sorry, cd into pwncat. Inside of pwncat's source code, obviously there's a pwncat directory. The enumerate directory has provider scripts and code that will work for an actual enumeration provider, or a type, or what you're actually looking for.
So there was originally private_key, and I'll show you this. private_key would work with a function enumerate that will do the thing that you are trying to automate, and it will store and return and keep track of all the information that it finds as what are known as facts, and this is a private key fact. So what this would do is it would look with grep to see anything that looks like a private key, that has that syntax, in common directories like /home, /etc, and it would run stat on them. And stat's pretty nice because it's actually, like... is stat pretty well known, or is that not a builtin? What is... okay, yeah, it's a binary, but it's pretty common just about everywhere. So it would read all this information out, and then it would grab, like, by running this command, stat on a specific file. I tested this locally on a syslog account, so I would stat /home/syslog/.ssh/id_rsa, and it would tell me, okay, that user that owns it and the path there. Those are the format specifiers that these arguments are being used for. So that's how that original one worked. It would grab the uid of the user and the path. So the path would then be enumerated and returned as a fact, and it would return with this PrivateKey object, kind of to denote that. And I thought, like, let's tinker with this.
Let's recreate this. Let's have another private keys enumeration file that will do stuff, not just looking in these directories, but trying to check in every single user's home directory what their actual SSH key, like, permissions and privileges are. Can we read that private key just by looking at all those home directories and seeing if we can just cat that out? Maybe a little brute force. So I wrote that, and it's just a slight tweak to what this code already does. What I would do is I would look through the username and user data in this victim.users dictionary, because it'll have a username and then the user object that actually has some information, and there's a home directory property inside of that user data object. So what I would do for every single username: I would stat all of this out and see if in their home directory I can read their .ssh/id_rsa, and just read it as we did previously, and append that to a list where I'm grabbing the username, uid, path. I added the username as an element here, so when it's read out and displayed to you, you can work with it just fine. And then we try and import the private key to make sure it's a real thing, but read all the content as we need to. So that's a thought.

Uh, this can be made better, and I still need to do this, by combining the stat command into just one stat command. That will be a lot faster. And, uh, let me... can I try that? I really want to. Let me... all right, let's go into, uh, unknown territory here. Let's grab the user data home for each of these in a list. Oh, and I want... yeah, user_data.home. I don't ever use this variable. That's funny. So stat... or no, no, no, no, no, it's going to be user_data.home for each of those. So let's just say a space to join all of those, because that's going to take the place of stat here, because you can supply multiple, can you not? Um, stat /etc/hosts, I guess. There you go. Okay, yes. So just as another argument in there. So we're putting all those together as priv_keys, and then we don't need this loop anymore, and we can stat f priv_keys. So now we'll have a list joined together of all the user home directories for the usernames that it finds. Um, and we actually don't even really need that. Oh, no, well, now we don't have the username. If I specify the uid... let's just do uid, and then we won't need to specify... oh, do we ever even use that? We did not. I removed you, uid. Sorry, I'm just... again, this is the disclaimer of me going into unknown territory. I will, uh, self.uid, which is passed, good. And we'll stat all of those private keys and we'll read them all, so that might be a little bit faster. So it's just one command ran rather than multiple, and this could obviously be made even faster by only looking for users that have an actual shell that they'll interact with, because obviously if you're looking at, like, users syslog, games or mail, or nobody, that's not going to have an actual thing to SSH into, so that would be a waste of time to look for. But maybe that will work. So, okay, anyway, that's how I've been reading and just getting that data by looking in their home directory and .ssh/id_rsa, and we can make that a little bit faster.

The idea would be to have this utility so that... uh, let me get an su to Humpty Dumpty. Let me kill this, let me kill this, let me kill this. Oh, okay. Let's just fire up pwncat with Humpty Dumpty one more time. There we go. He's initializing. And because I've saved that script and it's using a local, uh, virtual environment that I created, it should have those changes, so I should be able to show you that. Black, and we're Humpty Dumpty.
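The one-stat-call audit the video builds toward, as an added example that is not pwncat's code or the module written in the video: it keeps only users with a login shell, issues a single `stat -c '%u %a %n'` over every ~/.ssh/id_rsa, and flags keys owned by a different uid than the home directory's user (the alice case above) or readable beyond the owner. The user table, uids, modes and stat output are constructed for this example.

```python
import shlex
from collections import namedtuple

User = namedtuple("User", "name uid home shell")
NOLOGIN_SHELLS = {"/usr/sbin/nologin", "/sbin/nologin", "/bin/false"}

# Constructed sample (not from the room): alice's key is owned by uid 1002,
# humptydumpty's key is group/world readable, mail cannot log in at all.
SAMPLE_USERS = [
    User("alice", 1001, "/home/alice", "/bin/bash"),
    User("humptydumpty", 1002, "/home/humptydumpty", "/bin/bash"),
    User("mail", 8, "/var/mail", "/usr/sbin/nologin"),
]
SAMPLE_STAT_OUTPUT = """\
1002 600 /home/alice/.ssh/id_rsa
1002 644 /home/humptydumpty/.ssh/id_rsa
"""

def key_paths(users):
    """id_rsa path for every account that has a usable login shell."""
    return [f"{u.home}/.ssh/id_rsa" for u in users if u.shell not in NOLOGIN_SHELLS]

def build_stat_command(paths):
    """One stat call for all paths: owner uid, octal mode and file name per line."""
    quoted = " ".join(shlex.quote(p) for p in paths)
    return f"stat -c '%u %a %n' {quoted} 2>/dev/null"

def parse_stat_output(output):
    """Turn 'uid mode path' lines into (uid, mode_int, path) tuples; missing keys print nothing."""
    entries = []
    for line in output.splitlines():
        parts = line.split(" ", 2)
        if len(parts) == 3:
            entries.append((int(parts[0]), int(parts[1], 8), parts[2]))
    return entries

def audit_keys(users, entries):
    """Flag keys owned by a uid other than the home's user, or readable beyond the owner."""
    by_home = {u.home: u for u in users}
    findings = []
    for uid, mode, path in entries:
        owner = by_home.get(path.rsplit("/.ssh/", 1)[0])
        if owner is None:
            continue
        if uid != owner.uid:
            findings.append((path, f"owned by uid {uid}, expected {owner.uid} ({owner.name})"))
        if mode & 0o077:
            findings.append((path, f"mode {mode:o} grants access beyond the owner"))
    return findings

if __name__ == "__main__":
    print(build_stat_command(key_paths(SAMPLE_USERS)))
    for path, why in audit_keys(SAMPLE_USERS, parse_stat_output(SAMPLE_STAT_OUTPUT)):
        print(f"{path}: {why}")
```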
Okay. So let me flush my enumeration so far, because I don't want the stuff that's stored in the database to showcase it. Obviously, you just want to simply be able to run a showcase of everything, like -s for show and -a to show me all the information that you can find, but as I showcased earlier, that takes a long time. So please bear with me, because I'm just going to do some suspended disbelief. Obviously, if you're doing this for real, you want to just run all and just keep doing your manual enumeration, your manual interaction, later in a different terminal or somehow, and you would just let that run, you'd let that go to see what information it can find for you. In this case, let me just use a specific type of enumeration. We'll use the one that we just wrote, which is system.users.private_key, and let's see if it could find alice's, or that other... the private key for alice that it found. Yeah, yeah, yeah. Okay, perfect. So it found a potential private key for that uid, which we know is owned by Humpty Dumpty. That's actually going to be Humpty Dumpty's. We should keep track of that username in the code. But we know that that's a thing and it was able to find it. So if we actually just run --long, it'll give... it'll poop out that RSA private key. That's it. So I'm trying, and we're trying to figure out how we can automate some of those things, even when we're doing this sort of thing, because the methodology and mentality behind katana and pwncat and our other projects is to remind us and do the things that we would otherwise forget to do, especially just checking a directory you wouldn't expect, as a user, to see something that will really, really help you. But okay, wow, that was a lot of me talking.
I'm really sorry for all that nonsense, but I hope you enjoyed that little deep dive into pwncat and what you could do to also write and explore some of the enumeration modules and scripts and code and stuff that you can do. Let's exit out of that. Let's submit our root and let's get our points for Looking Glass. Wow. Let's end the video, guys. I've been talking for a while. Hey, thank you so, so much for watching. I know this was a long, long video and we got into maybe some rabbit holes that we didn't need to get into, but I wanted to showcase everything for you. I want you to be able to kind of see, hey, what I'm doing, what my thought process is, and, uh, I don't know, maybe that might help you. So, alrighty, thanks everybody. I love you. If you did like this video, please do press that like button, please leave a comment, please do hit that subscribe button, the bell, whatever you'd like to do. I'm really, really grateful. Hope you enjoyed this video. I'll see you in the next one. Take care.