Hey, what's going on everybody? My name is John Hammond. Welcome back to the YouTube video, still looking at the Junior CTF. Last video, last challenge I want to showcase was O_SSH. It was a 500-point forensics challenge. Not too many people saw that; it still has 500 points because they're dynamic scoring. It says here: the young hacker Zora managed to connect to his neighbor's network. After having looked around, Zora realized he was not the first hacker there. He found that somebody was also slipping valuable information. Help Zora find out what information was stolen. So there's a dump file here, which is a pcap file. So we can go ahead and download this, and I'll save it in a specific folder for us called o_ssh, the name of the challenge here. You can save it, and let's crank it out. If we get over there, we'll take a look at this thing in Wireshark, and we see some connections here. Looking at a bunch of the data down below, I thought I saw some OpenSSH headers. I thought I saw... okay, yeah, yeah, yeah: OpenSSH, OpenSSH responses here. So this looks like an SSH connection, and then it's all encrypted, so I can't see anything later. So it's very clearly an SSH connection. Oh, later on we see some green. We see some HTTP. It's like going to a web page with the data. What do we have here? Follow TCP stream... looks like, okay, we are using a Wget agent. So just command-line curling stuff, or wgetting things, from a simple HTTP Python server, and it's an HTML listing, a document directory listing. Oh cool, we see some bash history, RC files, bashrc files and profiles, SSH files. So maybe there's some private keys we can grab, and some other... even a password file, other stuff here. Is any of that actually in here? It looks like there... Oh, I see you get robots.txt. Looks like they do get the bash history, a bunch of the profile scripts, a bunch of other things. So at this point,
I'm very curious what has actually all gotten here, so I go up to Wireshark and I export objects, the HTTP objects, and okay, cool, there is a bunch of stuff. So I'm gonna go ahead and save this all, and I'll put it in that same folder that we have here, so I'll take a look at these things. And we got a lot, right? So I'll check out the bashrc. I guess bashrc and these 1, 2, etc. show us that the file has been separated into multiple files; it's been segmented. So I see a really valuable id_rsa, which we know is an SSH private key we can use, so I want to take a look at that id_rsa, but it's cut off here. Since I know that, okay, there are some other files there that it's being split up into, we can just hopefully copy those and put them all together into one thing. id_rsa 1, there's the rest of it here, and id_rsa 2 is the very end of it, right? Okay, so now this looks like more of a real full key here. So I'll just say this is private.key, in case we... hopefully with this we can SSH into something. Um, oh, I probably want to make sure our VPN is on and running. Let me do that. Team VPN, because we are gonna want to try and connect to some of their IP addresses in this challenge. OpenVPN... okay, cool, connected. Whoa, we're not connected: device or resource busy. What the hell does that mean? Am I already doing it? ps aux, pgrep openvpn... okay, cool, so it's already running and we're good. So if we have this SSH key, can we actually SSH into anything? Um, it looked like there were IP addresses that were already doing SSH in the packet capture, and that was, uh, destination address 10.0.23.37 and 10.1.041. Um, so let's take a look at some of those. All right, are any of these up? I immediately forget everything I decided because those are crazy numbers. .37 seemingly down, supposedly, I don't know; not responding to pings. .41... I want to make sure, okay, I want to make sure OpenVPN is actually working for me, so I'm just gonna make sure I'm connected.
Okay, now I'm connected. Okay, sir. Okay, so I can ping that first one; I wanted to verify. And the second one I can't ping. There are other IP addresses in here, the actual ones that were used for the GET requests. That looks off... also off. So I'm curious about this first one, 10.0.23.37. Um, but I tried SSH to that one and I didn't get anywhere. It looks like it had a connection timed out or connection refused thing. So back in the packet capture, I thought it was very peculiar. I go and take a look: how are they doing this SSH connection? Um, so I take a look at the destination port; actually you can see I have that added as a column in here. I thought that was very strange that it's not running on the usual SSH port of, um, 22. So they are specifying it on port 38574. And okay, permission denied (publickey). Okay, okay, that's an error message, that's an actual result, I guess. It's probably trying my username, but john may not actually be a username over there. So now I need to know what username I'm trying to connect as, and I have a public key that I get, or a private key I can connect with, but now I just need to know what user. So I do a little bit more reconnaissance here. I have all these other files, I'm curious what they all are, so I want to look at, like, bash history. I know I saw that. Um, it's probably hidden right now. Yeah.
Yeah, the .bash_history. Bash history... oh, it looks like it has some results here: pwgen, I don't know, profanity. I was curious what that thing is. So actually when I was going through this challenge, I went ahead and installed profanity and tried to connect with this, but it asked for a password and I don't know stan's password. But I saw stan@ and I thought stan might be a user, so I try to connect with that. I saw him SSH into a host, my super puper host or super puppet host; that obviously is not a real domain. I wasn't able to do anything with strings on random files that I don't have, other things that I don't have. Oddly, he was manning exiftool and man 7z. I didn't find a use for those in the challenge, so... but I really did try to use stan, and I also saw this other IP address that I was curious about. I nmapped it and I searched for it and tried SSHing to it, but it didn't end up working for me. So, uh, I tried stan, but that didn't work. So then another curious thing that I was interested in was that password file that I know I saw in the listing, and something that is actually here. We do have a passwd file, so I can cat passwd and I look through here to see if there are any login shells that actually, like, work. And I noticed that the only thing that actually has /bin/bash as a login shell is the postgres, like the PostgreSQL database user and manager, the administrator. So I'm just like, is that seriously what I'm supposed to log in with? I tried and that didn't work. Oh, before I do this, I should actually make sure that I'm specifying my private key, the full thing, so you can use that with the -i argument. I'm still wrong, right?
Oh, and I have to change the permissions of this, so I need 600 on private.key, because the error message here says that you want your private key not accessible by others. So you just change the permissions on it, uh, 600: read and write, I think, and zero zero so no one else, no group or no other, or all users, can actually access it. So I couldn't get the postgres one to work, and it looked like that was the only user that actually had /bin/bash as a shell, and speech-dispatcher had sh, but that didn't work. Um, so I stared at this for a while and thought... I was extremely curious that my center of the passwd file started with 'e', and, uh, there was no root user or anything in here. Um, but it looked like this was all that I had of the passwd file. There was no passwd 1 or passwd 2 like I had seen for the other files, like id_rsa or bashrc and stuff like that, and all the in this big... cousin file that I was seeing later on. So I went back to the pcap and... actually, I didn't. I was still looking for the IP address, or I thought there would be a hidden IP address, like it has this agent do, before I found that the destination port would actually work for me. So what I actually had done, while I was going through this challenge, I had looped through everything in the file here. I actually had a list.py file. I looped through all the packets, and I did this with Scapy. I just read the pcap file, and for every single thing, every single packet, I just had it display everything, and then I would be able to try and, like, search and look through it. So that I put to a file, all.txt. So this had all the payloads and information and everything that was going through it. So what I did is I tried to search for that /etc/passwd file. I just looked for postgres to find that user, and there it is right there. And I notice again this starts with 'e'. So this packet...
I wonder if there are any others or anything else around it. What I'm searching... and sure enough I find other, um, parts of the passwd file, like the /etc/passwd file, just chilling out in other packets that I wasn't able to extract or export in the objects when Wireshark tried to do it on its own. And it looks like it ends in /bin/false without the 'e', so I know, okay, this must be the continuation of the other one. So I start to piece these together. I replace all the actual newlines with the real newline, and again, I'm just piecing these together just like I had done with the id_rsa private key and stuff. And I scroll down and it looks like there's a few more. There's a couple stragglers that I just copy and take a look at. And there we go, we find an actual little interesting, uh, possibility or potential user that we could log in as, this hersh account that actually has a home directory and actually has a loginable, like, a shell we can log into; it has /bin/bash as its default shell. So is this the user that we're looking for? Let's try it. Change it to postgres... and hey, cool, we got a connection, and this looks like our flag, right?
That's awesome. Okay, so the flag is "the third season was sold to the aliens" or whatever. We can copy and paste that and we get it. Um, so I did a lot more actual, like, thinking and hunting around, looking at all these files, with all these HTML and one of the robots.txt and other things; actually, we were trying to recover the images and stuff. But the real meat and potatoes of when I was actually solving the challenge, um, was again hunting for a different IP address, because I didn't know I could use this 10 0 1 with that strange port. I thought it would just be on a regular SSH 22 default port. So I thought there would be another IP address in there, and that's why I had done that Scapy scraping with all the packets. Like, these are literally just all of the packets showing all of their fields, and that way I guess I can look through them a little bit more easily than trying to go back and forth in Wireshark. So this is a nice tactic, and Scapy is kind of nice for that. And that way I was able to see the things that, uh, Export Objects wasn't able to scrape out. So that was really cool, and again piecing together the private key, knowing that id_rsa 1 and 2 are the continuations of their previous file. But it doesn't always work for all of the files, like the passwd one that we needed. So doing a little bit of reconnaissance, looking around, exploring, hunting, we were able to find the user and the IP address, the port and the private key, all to be able to make this SSH connection and get our flag. So that was really cool. Uh, that one was actually a good challenge, again on the technical level, and I felt like there was a lot of guessing, um, but still very peculiar for us to know the destination port the SSH connection is making, and really look for all the things that Wireshark may be overlooking or miss when it tries to export objects, like that passwd file. So, sweet. There we go. Uh, I hope you guys enjoyed this video and all the others.
Um, Junior CTF was really cool and really fun. Um, it was also an extreme pain and torture, and stupid and dumb, in all of the strange mistakes and guesses and Russian language that it has used. But I had a good time, and I think it was really cool for us to stay within the top 10 or so and fluctuate with the top of the scoreboard. Where am I at now? Still at nine. Okay, fluctuating back and forth, open to all. Um, again only nine hours until the end of the game, so hopefully, hopefully that stays. I'm just happy I beat our rival team. Oh, it looks like they're catching up though. So, cool. Hey, thanks for watching again guys. Hope you like some of these CTF write-up videos, and I'll see you in a later video.
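The trick described in the video (walk every packet in the pcap, dump the payloads, grep for the pieces of /etc/passwd that Export Objects skipped, then join them in order) as an added example, not the video's list.py: it uses only the Python standard library instead of Scapy and reassembles each TCP direction by sequence number. The sample capture, the 192.0.2.x addresses and the passwd lines it carries are constructed for the demo.

```python
"""Reassemble TCP streams from a libpcap file (stdlib only) so a file that arrived split across packets can be grepped whole."""
import struct
from collections import defaultdict

def tcp_segments(pcap):
    """Yield (flow, seq, payload) per data-bearing TCP segment; little-endian pcap with Ethernet/IPv4 framing assumed."""
    assert pcap[:4] == b"\xd4\xc3\xb2\xa1", "expected little-endian libpcap magic"
    off = 24                                   # skip the 24-byte global header
    while off + 16 <= len(pcap):
        incl = struct.unpack_from("<I", pcap, off + 8)[0]     # captured length of this record
        frame, off = pcap[off + 16:off + 16 + incl], off + 16 + incl
        if len(frame) < 34 or frame[12:14] != b"\x08\x00":
            continue                           # not IPv4
        ip = frame[14:]
        if ip[9] != 6:
            continue                           # not TCP
        tcp = ip[(ip[0] & 0x0F) * 4:]          # IHL gives the IP header length
        sport, dport, seq = struct.unpack_from("!HHI", tcp)
        payload = tcp[(tcp[12] >> 4) * 4:]     # data offset gives the TCP header length
        if payload:
            flow = (".".join(map(str, ip[12:16])), sport,
                    ".".join(map(str, ip[16:20])), dport)
            yield flow, seq, payload

def reassemble(pcap):
    """Join each direction's payloads in sequence order; retransmissions are deduplicated."""
    flows = defaultdict(dict)
    for flow, seq, data in tcp_segments(pcap):
        flows[flow].setdefault(seq, data)
    return {f: b"".join(segs[s] for s in sorted(segs)) for f, segs in flows.items()}

def grep_streams(pcap, needle):
    """Every line of every reassembled stream that contains needle (bytes)."""
    return [ln.decode(errors="replace") for blob in reassemble(pcap).values()
            for ln in blob.splitlines() if needle in ln]

def build_sample_pcap():
    """Constructed capture: one HTTP response split over two segments stored out of
    order, so a passwd line only reads whole after reassembly (all values made up)."""
    def seg(seq, data):
        tcp = struct.pack("!HHIIBBHHH", 80, 51234, seq, 1, 0x50, 0x18, 0xFFFF, 0, 0) + data
        ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp), 1, 0, 64, 6, 0,
                         bytes([192, 0, 2, 10]), bytes([192, 0, 2, 20])) + tcp
        frame = b"\x00" * 12 + b"\x08\x00" + ip        # dummy MACs + IPv4 ethertype
        return struct.pack("<IIII", 0, 0, len(frame), len(frame)) + frame
    header = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)
    part1 = b"postgres:x:113:117::/var/lib/postgresql:/bin/b"     # constructed passwd text
    part2 = b"ash\nhersh:x:1001:1001::/home/hersh:/bin/bash\n"
    return header + seg(1000 + len(part1), part2) + seg(1000, part1)
```

Point `reassemble()` at the bytes of a real capture and grep the returned blobs for `b"postgres"` to get the same view the Scapy dump gave, with the split lines already joined.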