Hello everybody, my name is John Hammond. This is going to be kind of a long-form video where I do something a little bit different. I'd like to be developing a new box, or what I'll submit as a room, to TryHackMe, and I want to kind of capture and encapsulate that whole development process from start to finish. So that's what this video is supposed to be, which means it's going to be raw: me writing something, me failing, me going in cold, me troubleshooting and debugging and planning and doing all the things. And that might be many hours long. Right now, as I'm recording this, I have no idea how long this is going to take. I kind of have a plan for what I want to do, and I don't know what roadblocks or stumbling blocks I'll run into, but I know that I will probably hit some. So there might be moments in this video where I'm not talking or providing the content, because this is just me doing my thing and I want it to be captured so people can see the entire process if they want to. I thought that might kind of be a cool little experiment and thing, so let's jump to it.

I have some planning already done. I want a room called Peak Hill, and the reference is Python pickling. I have a lot of pwncat stuff already up, which is another project that I've been working on. Can I close all of those and, like, lose the folder, please? I guess not. Whatever, let's just kind of nerf that.

So Peak Hill is meant to be a challenge room with only two prompts, what's the user flag and what's the root flag, so that there's no guidance or walkthrough for the player. But I want there to be an FTP server with anonymous access enabled that has a hidden file with a Python pickle object. How did I envision this? I think that FTP service will give you credentials to another port, and that will... maybe that's an SMB server. Because I want to have three things.
I want to have a file that is pickled data, and I want them to decompile or recompile Python bytecode, and then I want them to access a program that does pickling. Okay, and the root user has an annoying flag file name. So first of all, let's build a box, I guess. Let's make a directory for that box, and I'll use Vagrant to do this. So if I vagrant init, now I have a Vagrantfile in place. Question is what I want that box to be. I'm pretty sure that they are comfortable and fine with... I have a lot of bookmarks open. Let's go to tryhackme.com and Manage. I can upload things, so I can create a new room, and they would need an OVA file or a QCOW file. Okay, let's just make a small Ubuntu box, 64-bit only, and they will take 16.04. Okay, so Vagrant Ubuntu 16.04, that's xenial, right? vagrant box ubuntu/xenial64, so that's right. That's the config that it needs to have, so let's do that.

And there is a way to make a synced folder, right? So yeah, let's put a data folder in there and the Vagrant stuff for pico, so just for my development stuff I can write code and know all that it needs to do, because I do want to figure out how I can get that FTP server in to start. So now that that's up, we can probably... or, now that's configured, we can go ahead and create that, vagrant up, and I need to make a data folder. So let's mkdir data. Now let's go back in the box and bring that up, see if that will build our virtual machine in a nice, sane way for us. And while that's doing that, let's go back to thinking about our service: anonymous access is enabled, the hidden file for Python pickle, that will give them, on the box, that low privilege user, and that has access to a file.
Okay, so there'll be another service that I want running, that is the service running with uncompile, and that will give them code execution. And then you can access a regular program that does pickling and the root flag. So high port, random high port service that gives access, so we need SSH, then just as well a service that will run commands after checking credentials. So need SSH, and SSH will only allow... Okay, that Vagrant box is good. On the box via SSH, the low privilege user, so regular user. Sorry, these are my random thoughts, right?

So originally the player will connect to FTP with anonymous access, find a hidden file that is Python pickled, depickle that or unpickle that to get credentials that they can log in with via SSH. That will give them a low privilege user that has access to a file that is Python bytecode, and they'll have to decompile it to understand the credentials or know what they need to use for the random high port that will give them code execution as a regular user. And the regular user has a little setuid binary that will do pickling, and then they will get root, and then as the root user they will have to read that file with Unicode in the way. Okay, I think that's a fine conceptual architecture.

So now let's play with our box. Let's do vagrant ssh. Good. What is my kernel version? 4.4, that should be totally fine. So let's start to craft some of our setup scripts. Let's create a little setup script that will sudo apt update to get all the things, and let's do apt-get update so that's not weirdly interactive. And now I need an SSH server or an FTP server. This should already have SSH in it, right? What is my IP address for Vagrant? This guy. Is that a thing? Yep, so let's SSH into him and see if I can actually access Vagrant through that, vagrant/vagrant. Yep, let's do... okay, needs a public key. Good, so that's configured properly. So let's start with the FTP service.
So Ubuntu install FTP, we should just get vsftpd, that should be fine. Install FTP service, and then we would start it and allow it. Okay, so let's actually make sure that's allowed, sudo... allow FTP connectivity, ufw allow 20/tcp for the data channel and 21 for the control channel. And we need to get this configuration file set up, so let's try to run this on the box. So let's go into data, make setup executable, and go ahead and run it. So now he will be hopefully pulling down and installing vsftpd. We should make that -y so it doesn't need to prompt us for it. And then as that's installing... Okay, cool. Now we have that set up.

Can I nmap that box that I know that I have now? You know, what was his IP address? Did I lose him? I had an interface for that, this guy. If I ping him, does he exist? How did I just do that? I thought I just did this. Oh, pinging myself. So, okay, that box isn't created as, like, another VM. So make him a network that I can test with. Let's... all of this, and do it again. Yep, do it, rebuild. I'm trying to be cognizant of the time, see how long I can do this for. Again, this video will have to probably be very, very much edited, and a long video over time, but we'll see what we can do. Oh, he needs it, he has a specific IP address. "A host on my network", is that colliding with the non-host-only network? This will cause... the specified IP no longer matches a bridge or host-only network. So, okay, so let's do 55 and we'll make him 10, I guess. Let's see how that looks. The first one is NAT. That first thing, it was NATted. Should I have been able to access that? Would it have been on the other VBox network? That wasn't an interface, I didn't have an IP address for him. Okay, maybe he's fine. Let's just vagrant ssh, and it's being 192.168.55.10. 10, not 19. Okay.
Now he's a thing. Let's go into data and go ahead and set up. I should be using, like, Ansible or something to kind of build this and create this, but I'm not smart. And I think we need to enable that FTP, unless it's already running. Can I FTP to myself? I can. Let's, um, nmap this guy on port 21, and that is open and accessible. Okay, so now let's go figure out that config file. Where did they say that was? That's in /etc, that guy. So let's take this config file and let's make a copy of it, our own version of it, where we can move it into data. Oh, let me pause, sorry, getting notifications. Okay, sorry, real life.

Let's make this stuff in data for vsftpd.conf, and let's make that our vsftpd.conf. And the things that we want to change are what are outlined here: anonymous_enable=NO. anonymous_enable, we do want to allow that, YES. write_enable, I don't want them to be able to write anything. local_umask. Is there anything else that we need in there? "Specifies user label"... chroot_local_user, YES. What happens when they log in as an anonymous user? So let's change this script to sudo cp, uh, data as our prefix, our vsftpd.conf, over to /etc/vsftpd.conf. And let's just run that just as well. Our vsftpd.conf, do that again. Oh, come on. The vsftpd, there we go. So now if I were to FTP to that host, 55.10, I could just as easily log in with anonymous. Hopefully, hopefully, hopefully, hopefully. I think I need to restart the service. So systemctl... yeah, okay, service... or is it list all? God, I'm so bad at these commands. start vsftpd. Yep, okay, that needs a sudo, and let's do restart. Okay, that behaved. Now let's try that login again, anonymous, enter, and now I am good. So where am I? I'm in my root directory according to this, but where did that actually put me? Let's include this line after we've modified our config file: change the config file to allow anonymous access. And, uh, where does that put me? secure_chroot_dir, /var/run/vsftpd/empty. Is that a directory?
Uh, let me actually see, can I put stuff here? put... Good, it does not allow me to put anything there. So I don't know what directory I'm in. That is a directory. echo test into test, I am not allowed to do that. Why? bash -c, up, double quotes, cat test. Okay, now I can read it. There's nothing here. Anonymous FTP directory, that's all good. We have our firewall and everything set up. Make space for the files, nobody:nobody. Let's try that stuff: create a directory and test file for anonymous FTP to read, and let's make that owned by the nobody group, and let's put a cheesy file in there.

Now we make anonymous allowed, and we also don't want any local users to log in. That is a good point, I don't think I'd need that. It's local_enable, right? Yeah, so let's change that to NO. And anon_root is where we want it to be. Don't bother prompting for password? No, I actually do want to leave that there. Is there an anon_upload, anon_mkdir... and I don't know, I don't want that, but I do want our anon... and that's in pub, they put it in pub. I don't want that, I want them to go directly into pub. hide_ids, YES, that would be good. Passive ports, I don't care about. And then let's restart. Okay, let's try that. Uh, I was in data back on the box, so let's run our setup again. Update should be quick because there's not a whole lot to grab; it's already installed and we've updated that thing. Okay, so now let's FTP as our anonymous user, ls. Now we have a test.txt, which is what we just created. So let's cat that. I guess we can't really do that. Let's get our test.txt. Good, and now I have my test.txt, which has the vsftpd test file.
Okay, fantastic. So let's now create, now that we've made that FTP functionality, um, some Python data for credentials. We can do that with a Python script, right? So let's move into data and let's create a Python script to, uh, obfuscate creds, .py. Okay, so what I want to have is a username and a password in a weird, funky way. So let's import pickle, and can I actually mess with that first? Before we do that, import pickle, .loads... uh, I don't know how that's done. I think it's dumps, and it needs a straight object, an object. So username equals "Hello", and that's a bunch of good nonsense, and creds equals... please, sub... Good, makes it as bytes. It also has a lot of nonsense in there, so I want to obfuscate that a little bit more.

Let's do, let's do, um, data can equal that dictionary that we were just thinking of. So I'll call it ssh_username, I'll call him dill, for a dill pickle, I like that. ssh_password, what should his password be? Let's look up some good dill pickle facts. Dill pickles... put this in my Google search history... "pickles around the world". That's a fine, uh, password. Pickles. I don't want to, I don't want to reference pickles just yet, though. Well, they would know at that point because it's already going to be pickle data, um, but it will be obfuscated first, right? How did I... it's just going to be a plain text string in there? Hmm. I want to obfuscate that a little bit more, so it's not just going to be the plain password. I know I'm going to end up obfuscating them into binary, but once that's all put together, unless I were really dirty, I might be able to... pickles. So let's do something really dirty. Let's say ssh_password equals that, so for character in ssh_password, let's add another entry for ssh_password 0, or the thing. So let's do, for index in each of these, so I could have a password 0 be the first character, password 1 be the next, etc., etc. So that could be really, really dirty. ssh_password.
Let's do data, f-string ssh_password index, set that to character. Now let's print out our data just to see how bad that looks. Good. And let's try to pickle that, so let's see how muffed up that looks, pickle.dumps this guy. Good, that's all in order, which is kind of a nuisance, but it still looks a little bit harder to read. Can I shuffle? It's a dictionary, so it's automatically going to be, it's automatically going to be sorted. What can I do with that? I could add in trailing nonsense at the end, but that would take away from the fact that it's password, and the numbers would still get in the way. I could make it a tuple or a list, that will be very, very dirty. If I do pickle.loads, how does it look? Yeah, so let's do a tuple, let's do a list. Let's do that for both the username and the password, ssh_username.

I also don't want dill to be the original username. What's another kind of pickle? Types of pickles: dill pickles, carrot, tomato, onion, dill pickles, dill pickles, butter pickles, gherkin. Is that the one that I want? Who knows. Because dill could be, but actually a potential name, right? That works really well. Uh, I'm getting notifications on my phone, I should pause the video. This is a real raw long-form video, man. Gherkin could be fine. Let's use that, ssh_username gherkin. Gherkin pickles, that's a thing. Sweet, okay, cool. Gherkin will be the first username and dill will be the second. So let's do ssh_username index, let's do data.append a tuple of a random position of the character. Let's do the exact same for ssh_password. And now that's all set, but let's import random and let's do random.shuffle, shuffle please, on our data. Okay, good. So now it's a little bit more random. So let's do ssh_user, actually ssh_pass, so that looks a little messy and muffed up. Cool. So now even when we dump the data... oh, am I... I'm forgetting parentheses. That looks messy and good. Okay, so let's do, let's convert that to a number first of all.
So from Crypto.Util.number import bytes_to_long. Uh, yeah, bytes_to_long, Crypto, capital U Util, there we go. pickled equals this guy, so let's do, uh, bytes_to_long of our pickled data. That's going to be a long number, and then let's do the binary representation of that with the zeros cut off. So that's a bit of a troll, and that will be taking some time to unravel. Okay, I like that. Um, I do want to split that up a bit. How long is that? 7,048, which is plenty, and that should be cleanly divisible by eight, which it is. So do I care enough to make, like, spaces in between every eight bits? Part of me really doesn't, honestly. I might be able to do that later if need be. Let me pause to check something. Okay, cool.

Regardless, we have our dirty data. So when I view that, this is going to be our .creds file. Let's make that a creds, good. And let's set up our script to move that into pub, so sudo cp our data creds file to /var/ftp/pub/.creds, hidden, so it adds a little extra nuisance. And this shell, let's run our setup one more time. Good. Um, now let's FTP back to him, anonymous. test.txt is still in there, which I might actually leave in there, because it makes it kind of dirty. So if you could get .creds... now the vsftpd test file is still in there, but we also have .creds. That's kind of dirty, leaving that test in there and all of those credentials in a dirty pickle way. So that's good. Let's, okay, let's, let's keep this last line, but let's also put our test file in there as well: move the binary obfuscated pickle creds into the FTP server. Good, good, good.

Now let's go ahead and make the other user. So we need to adduser, home... sorry, he should be gherkin, right? And we need to actually echo... let's, let's bash -c this, because I know I'm gonna have to do some weird stuff. Uh, it's gherkin, and his password that we just set is "pickles all around the world". Paste that in here and let's give that to chpasswd, which we should have. chpasswd, yeah, we do. Okay.
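The encode path described above (per-character tuples, shuffle, pickle, bytes_to_long, bin() with the prefix stripped) and the decode path a player or analyst would need, as an added example; this is not the video's script. It uses int.from_bytes and int.to_bytes in place of pycrypto's bytes_to_long and long_to_bytes, the tuple labels ssh_username/ssh_password and the sample credentials are constructed placeholders, and the decoder does what a practitioner should always do with a pickle pulled off a stranger's FTP server: disassemble it with pickletools first and load it through an Unpickler that refuses every global lookup, so a pickle that carries code instead of data cannot run anything.

```python
import io
import pickle
import pickletools
import random

# Constructed sample credentials; placeholders, not the room's real values.
SAMPLE_USER = "gherkin"
SAMPLE_PASS = "pickles around the world"


def scatter(label, secret):
    """One (label + index, character) tuple per character of the secret,
    mirroring the per-character entries built in the video."""
    return [(f"{label}{i}", ch) for i, ch in enumerate(secret)]


def encode_creds(username, password, seed=None):
    """Pickle a shuffled list of scattered tuples, read the pickle bytes as one
    big integer and return its binary digits without the '0b' prefix.
    int.from_bytes stands in for Crypto.Util.number.bytes_to_long."""
    data = scatter("ssh_username", username) + scatter("ssh_password", password)
    random.Random(seed).shuffle(data)
    pickled = pickle.dumps(data)
    return bin(int.from_bytes(pickled, "big"))[2:]


def bits_to_bytes(bits):
    """Inverse of the encoding step (long_to_bytes). Protocol-2+ pickles start
    with 0x80, so the top bit is set and no leading zero bits are lost."""
    n = int(bits, 2)
    return n.to_bytes((n.bit_length() + 7) // 8, "big")


def opcode_names(pickled):
    """Disassemble without executing anything: pickletools.genops walks the opcodes."""
    return [op.name for op, _arg, _pos in pickletools.genops(pickled)]


class RestrictedUnpickler(pickle.Unpickler):
    """The creds file only needs lists, tuples and strings. Any GLOBAL or
    STACK_GLOBAL lookup would import code, so refuse every one of them."""

    def find_class(self, module, name):
        raise pickle.UnpicklingError(f"refusing to resolve {module}.{name}")


def loads_restricted(pickled):
    return RestrictedUnpickler(io.BytesIO(pickled)).load()


def is_plain_data_pickle(pickled):
    """True when the pickle loads with every global lookup refused."""
    try:
        loads_restricted(pickled)
        return True
    except pickle.UnpicklingError:
        return False


def reassemble(data, label):
    """Put the scattered characters back in index order. The index is parsed as
    an int because a string sort would place 'x10' before 'x2'."""
    chars = {int(key[len(label):]): ch for key, ch in data if key.startswith(label)}
    return "".join(chars[i] for i in range(len(chars)))


def decode_creds(bits):
    """Full reverse path: binary string -> bytes -> inspected, restricted
    unpickle -> (username, password)."""
    pickled = bits_to_bytes(bits)
    code_opcodes = {"GLOBAL", "STACK_GLOBAL", "REDUCE", "BUILD", "INST", "OBJ"}
    if code_opcodes & set(opcode_names(pickled)):
        raise ValueError("pickle carries code-executing opcodes; not loading it")
    data = loads_restricted(pickled)
    return reassemble(data, "ssh_username"), reassemble(data, "ssh_password")


if __name__ == "__main__":
    blob = encode_creds(SAMPLE_USER, SAMPLE_PASS, seed=1)
    print(len(blob), "bits")
    print(decode_creds(blob))
```

The opcode check and the restricted find_class are two independent layers: the first rejects the file before any unpickling starts, the second catches anything the opcode list did not anticipate. For a challenge like this one, pickletools.dis on the recovered bytes is also the quickest way for a player to see the tuple structure without trusting the data.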
Fantastic. So that's good. Let's run setup one more time and see if our adduser thing gets angry, which it does. So let's use a useradd instead. No, just give up, please. Uh, do I have gherkin created? I do. Let's remove him, because... gherkin, gherkin, gherkin, what am I doing? That's a password, please. Then here, good. And gherkin is a thing, so let's rm -r gherkin, yeah, and just sudo that. Clean up our mess, please. Let's get back to data and try and run that one more time. Group gherkin exists. That did not work. Why is that? Is that because of the special characters in there? If I change that to chpasswd, does that work? deluser is a thing, right? sudo deluser gherkin. Good. Can I delgroup? Is that a command? Yeah, okay. So let's remove those, deluser gherkin and deluser, delgroup gherkin. See if that will behave now. I should be putting those in variables, obviously. Gherkin does not exist, user does not exist, fantastic. I don't care about those errors. Now he does. Can I su to gherkin? He needs his password, which we now have, and we're gherkin. Okay, fantastic. Um, he does no home. We need to make his home directory. Oh boy, -p /home/gherkin, and then let's make sure he can access that, so gherkin:gherkin /home/gherkin. How many times am I going to say that in this, in this, in this video? Now let's do that again. Let's set up, good. su gherkin with his correct password, cd into home, and he now has a home directory.

Okay, so now we need to go ahead and create a service that will run commands given a specific password. So dill needs to have a service that will ask for a password. Okay, let's try that. Before I do all this, let me verify that I actually have this OVA file made. So if I go into VirtualBox VMs, uh, box default, yeah, that's mine, .vbox. Can I convert a .vbox to an OVA? I'm pretty sure that's a thing. There's like a VBoxManage, right? Let's do it in VirtualBox command line. Oh, they have a VDI file, which I don't have. VirtualBox VMDK, it's OVA command line, convert VM. No, no, no, no.
Let's go back to the Stack Overflow. ovftool, that looks like a thing. Okay, ovftool, how do I get that? That's a VMware thing, isn't it? VirtualBox, can I do that? This guy. Oh, sorry, he's on a different screen that you can't see. Videos, export to OCI, what the hell is that, man? I might be able to just make a snapshot of it and then export that. VirtualBox convert to OVA file: go to File and then click Export, File, Export Appliance. Use that one, and it would need to be turned off, so I won't do that right now. Okay, but it can create it as an OVA. Perfect. Good, good, good. So we can keep working around in VirtualBox.

And now let's go ahead and create that service to run commands. So let's go back into... let's rm test.txt, and we still have creds in here, don't we? ls -la. Yep, let's rm .creds. So in data, I'll ask please, obviously, creds. Let me take note of this: the script is used to create the file contents of .creds, which will be a hidden file inside of the anonymous FTP folder. Good enough. It will contain creds that can be used to SSH into the box, which will allow the user to find the source code, the bytecode source, for the service running. Whatever, good by me. Um, let's make a stinking service that requires a credential. So subl cmdservice.py, /usr/bin/env python. creds equal, let's say username equals dill, password equals... we need a new dill pickle reference. Pickle jokes, 13 bad pickle jokes, this is quality content. "Never a dill moment." I love that, never a dill moment. Okay, so while 1 or while True, let's do, let's make a function test for credentials. ask_creds is a much better name. Um, input, username_input equals that, and can I do getpass?
Maybe that will work better, getpass.getpass, password. ask_creds: if username_input is equal to username and password_input is equal to password, we can verify, or we can return True, else return False and then print wrong credentials. We probably need that in the, after the fact. So logged_in can equal our ask credentials, and if logged_in we can print successfully logged in, otherwise we will just say wrong credentials and we can exit. So, simple proof of concept. Let's try that, cmd service, username equals john, password can be anything, wrong credentials. Let's use dill and never a dill moment. So now let's give them the ability to enter commands. So do a while 1, or immediately ask for credentials. If we are logged in we print successfully. So if not logged_in, let's... that's a better... do this. And then if we do successfully log in we can start a loop to run commands. So while 1, input cmd will equal something, and then we'll do import os, os.system. Let's just say command equals that and let's run their command without any filtering. Good enough. Should we put a sleep in there? input will be blocking, so we can probably just have it break. dill and the password, successfully logged in, id, whoami, ls. Good, okay. So there's our simple primitive, and now we need to make this a service. Pause for a quick second to check notifications.

Okay, back at it. Now we need to make this a service, that's, that's kind of where we're at. Um, question is, how can we have this run all the time? It'd be good to just kind of make this a cron job task, and I think that's what we'll end up doing, but, yeah, let's, let's go get one of my CTF, CHDC CTF, let's go get a simple threaded server. That's in chasm, is a fine example of that.
So let's check out this code and steal all of it. That's all I need. I don't need any of this, probably don't need any of that. Debug, it doesn't matter. This will be our actual service, which we can build out. We obviously need our send and receive lines to be pulled in there. Those are all other functions, and we need to create a threaded service and do all of these things. So let's start it on port, yeah, 7312, I guess, is a fine random number that we've just chosen. We don't need success or any of these things. Let's just go ahead and print this guy, print this guy, and run all of that. So the ask_creds function we can go ahead and define outside of here, and then the handle functionality is really all that we need to change, with each send properly. So I guess I can't use getpass nice and easily. Uh, and we should, we should probably put that into the class, so def ask_creds, because I need to be able to import those. self.receive, and then the prompts can be what we supplied, which is totally fine. self.receive as well. If not logged_in we'll do self.send wrong credentials and then die, so return here. Otherwise we can self.send and receive their command, self.receive, and then we should run it. Hmm, that will show... let's import subprocess, because os, when I run it, will run all of those on the server and not the host.

So let me show you that. If I were to python that server... uh, we don't have SocketServer because we aren't Python 2. That should be socketserver; SocketServer should all be replaced with socketserver, lowercase. Try that guy. Oh, sorry, uh, I am in the completely wrong directory. So pkill data, pkill data, please work. Can't open server? Yep, because you don't exist. It's cmd service. Indentation is wrong. Let's do indentation to spaces. There we go. Okay, now we started that service. Let's connect to him on 7312, and ask_creds is not defined because that needs to be self.ask_creds. I probably just borked that server. Yep. Okay.
Now let's change that port, 7313, spin him up there. ask_creds takes two positional arguments because he is now a class object, so he needs to have self as an argument. Probably just broke that server. Yep, needed to go change the port because my allow_reuse_address is weird and doesn't work. Holy cow, all of this is Python 3, every single part of this needs to be now bytes, b, b, b. Good, good, good. Switch that port again, run, run. Holy cow, what is happening? What? What is the issue? Oh, it's because the stinking receive, I think, right? Bytes, bytes, bytes, those are all bytes. Yep. Change that port, let's get out of him, run him again, connect again, username john, password john, and that fails. So why is that? Where did that run, self.send wrong credentials? Because he should be bytes, prompt should be bytes. Anything that is a string should apparently be bytes, because Python 3, it's better this way. I'm not complaining, I love it. john john, wrong credentials, and it loses it. Cool.

Let's supply the correct credentials. Let's use dill and this guy. Excuse me? Is that because there are newlines in there? Oh, he's dill. Nope, those are actually wrong credentials. dill, this guy, what, what the... what? What are you seeing there? Show me what you see. Those are the values. Yeah, yeah, yeah, shut up. If not logged_in and return. So logged_in will return True if that condition is met. dill, never a dill moment. dill, be never a dill moment. Oh, it's because they're stinking bytes. Oh, Python 3, why do you do this to me? Server is already in use, 7319, dill. Don't need the decode anymore. I want the actual password, please. Go. Successfully logged in, id, so it's running on that side. So let's send all the output to it, because it's a service now. Uh, and let's only get stdout output. So let's try, rather than os.system command, let's do subprocess.Popen, their command. A byte should be fine. If I make it dangerous, let's make shell=True. So danger, danger, danger, here be dragons.
Uh, and let's do stdout equals subprocess.PIPE and stderr equals subprocess.PIPE. So the intention anyway is to give a self.send p.stdout.read(). That should be fine. The intention is to give the player some means of remote code execution so that they can get a shell and not have to deal with this thing, just to give them access as this user. So once they're in here, they should be able to interact with another setuid binary that they would find, uh, in dill's home directory once we create him as a user. And his SSH password will have to be very, very much different, because I don't want them to decompile this and then do something else. So that backdoor password that we're using here will have to be different than, uh, their actual on-the-box one. Let's spin this up again. dill, never a dill moment, successfully logged in, id, now we send it and we get it. Okay, perfect. whoami? Great.

Question is, how can we make this a service that runs all the time? We could put it in a cron job. Which Python 3 is on this box, by the way? Am I doing horrible things by python, python3? Okay, that's fine. I don't use any f-strings in here, so I think it'll, I think that code would run fine. Let's find out. Let's do python3 cmdservice, and he's listening. So let's netcat 192.168.55.10 7319, username john, john, have that fail. Good. Uh, we don't need to print these out anymore. If I were to python generate pyc file, how do I manually create a .pyc file? import py_compile, that's just a thing, or I can use compileall. If I do that, will I break everything? Oh, sorry. Good, good, good. Let's take a look. Oh no, what happened to them? They're all still the same. Did that not work? Where did they go?
Oh, oh, oh, they're in __pycache__. This guy. So let's strings our cmdservice, and he'll have the credentials just right in there. Yeah, so that's not too good. We'll have to, uh, see how we can obfuscate that again. I don't really like it, but it's kind of what we're working with. What's the best way to do that? You can base64 encode it, but that'd be stupid; strings wouldn't help. So let's just do another from Crypto.Util import bytes_to_long and long_to_bytes. So let me do that here, and let's do a bytes_to_long on him, and since he'll return actual bytes we don't need to decode this, right? So let's do the exact same thing on never a dill moment. So now he won't be seen in strings, and you were never a dill moment. Good. I don't know if those comments will still be in there, so let's muff around with that. Does it still work? from Crypto... no. That's annoying. Well, do we just need pycrypto? We probably stinking need pip. Dang it. Uh, let's go to apt install python... oh, can, is it just a thing? Can I run that? python3: no module named pip, you stink. So apt install python3-pip, please. That will do it. So in our setup we probably need that as well: install python3-pip so we can get pycrypto, literally just for the convenience of being able to run that function. I don't care. If anything, it'll show the player that hey, you can use this technique, and it's really nice and easy.

Let's make sure that works. Does it, does it work locally? That's a better question. Uh, close this guy, python cmdservice. He's still on nine, so he's still dill and he's still never a dill moment, in which case that will give us... no, it fails. Oh no, is that because of, um, the bytes again for some reason? Let me print out username_input and password_input. I guess I should never have removed that to begin with. Fantastic. Uh, already in use because he's broken. Let's do 7320. 7320, dill, never a dill moment, wrong credentials. dill, never a dill moment. Uh, because it's decoding it.
Uh, so that is just why. I just forgot to remove that. That's it, that's literally it. Fantastic. Will that one behave? 7321, dill, never a dill moment. Stupid special characters. Good, that works. Okay, so now that we have pip, excuse me, pip3, good, let's install pycrypto, sudo pip3... or look, uh, we probably don't need apt for that because I think it will behave, right? Yep. Pip, doh. Good, goody, good. And now that runs. Okay, fantastic. So I had a netcat command now to 7321, and dill and never a dill moment will work, and I can run commands. Fantastic. Good. He's still working, john john, benefit of having the threaded service. Okay, let's... now I was thinking of doing... oh, let's, let's verify. Uh, rm -r __pycache__. Let's do our python -m compileall in there. Let's go into __pycache__ and try and run strings on our cmdservice again. So he should no longer have the password in there. bytes_to_long, long_to_bytes, good. Good, credentials are not in there. Okay, awesome. So do I have uncompyle6? No. How do I get uncompyle6, just to kind of sanity check this work? Is that just a pip install? pip install, make sure you can see that, uncompyle6. Good enough. Is that a command I can run now? It is, uncompyle6 on our cmdservice. Good, it spits it all out, recovers the bytecode, and we'll get our username and data out of that. Perfect. Okay.

Now we just need to figure out how to make this a service. I think we can do that with cron, which would be kind of stupid, or if the, if it dies or goes down, but it shouldn't, because it's a threaded thing that will handle every request. Should we use cron? I'm thinking. Okay, back at it. Took a break. Um, okay, after thinking, I don't know why I wouldn't just make it a service. Like, there's no need to do it with crontab. I'd just make a system... make a Python script a service. Yeah, well, supervisord, the system... systemctl, systemd, right? Yeah, I think that's what we need. WorkingDirectory equals opt project. Where should we put this?
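The check run above with strings and uncompyle6, as an added example that is not the video's code: compile a credential check to the bytes that py_compile and compileall write (the marshalled code object behind the 16-byte .pyc header), confirm that a plaintext byte-string constant survives and a strings-style search finds it, confirm that the big-integer form hides it from that search, and then recover the secret anyway straight out of co_consts, which is the short version of what a decompiler does. int.from_bytes and int.to_bytes stand in for pycrypto's bytes_to_long and long_to_bytes, and the credential values are constructed placeholders, not the room's real ones.

```python
import marshal
import types

# Constructed stand-in credentials; placeholders, not the room's real values.
USERNAME = b"dill"
PASSWORD = b"never a dill moment"


def to_long(secret):
    """Stand-in for Crypto.Util.number.bytes_to_long."""
    return int.from_bytes(secret, "big")


def from_long(n):
    """Stand-in for Crypto.Util.number.long_to_bytes."""
    return n.to_bytes((n.bit_length() + 7) // 8, "big")


# The credential check with the secrets as plain byte-string literals.
PLAIN_SOURCE = f"""
USERNAME = {USERNAME!r}
PASSWORD = {PASSWORD!r}
def check(user, password):
    return user == USERNAME and password == PASSWORD
"""


def encoded_source():
    """The same check with the secrets as big-integer literals, the trick used
    in the video to keep them out of `strings` output."""
    return f"""
def from_long(n):
    return n.to_bytes((n.bit_length() + 7) // 8, "big")
USERNAME = from_long({to_long(USERNAME)})
PASSWORD = from_long({to_long(PASSWORD)})
def check(user, password):
    return user == USERNAME and password == PASSWORD
"""


def compile_to_pyc_body(source):
    """What py_compile / compileall write after the .pyc header: the marshalled
    module code object, constants included."""
    return marshal.dumps(compile(source, "cmdservice.py", "exec"))


def strings_would_find(pyc_body, needle):
    """Equivalent of grepping `strings` output for the secret: byte-string
    constants are stored verbatim by marshal, integers are not."""
    return needle in pyc_body


def walk_consts(code):
    """Yield every constant in a code object, descending into nested functions."""
    for const in code.co_consts:
        if isinstance(const, types.CodeType):
            yield from walk_consts(const)
        else:
            yield const


def recover_int_secrets(pyc_body, min_bytes=3):
    """Decompilation in miniature: every integer constant wider than min_bytes,
    decoded back to bytes. This is why the trick defeats strings but not uncompyle6."""
    code = marshal.loads(pyc_body)
    return [
        from_long(c)
        for c in walk_consts(code)
        if isinstance(c, int) and not isinstance(c, bool) and c.bit_length() > 8 * min_bytes
    ]


def run_check(source, user, password):
    """Execute either source text in a throwaway namespace and call its check()."""
    namespace = {}
    exec(compile(source, "cmdservice.py", "exec"), namespace)
    return namespace["check"](user, password)


if __name__ == "__main__":
    plain = compile_to_pyc_body(PLAIN_SOURCE)
    encoded = compile_to_pyc_body(encoded_source())
    print("plain .pyc leaks password to strings:", strings_would_find(plain, PASSWORD))
    print("encoded .pyc leaks password to strings:", strings_would_find(encoded, PASSWORD))
    print("recovered from encoded co_consts:", recover_int_secrets(encoded))
```

The takeaway for anyone shipping bytecode is the one the video reaches: integer-encoding a secret changes which tool finds it, not whether it is findable. Anything a .pyc can compare against is a constant in the code object, and marshal.loads plus a walk over co_consts is all it takes to read it back.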
Let's move our cmdservice into a directory. Let's make... Crypto... so sudo mkdir -p, oh boy. Let's put it in /var/cmd, and then copy, sudo cp. How do I specify who it's going to run as? systemd run as, I'm sure that's a thing that you just pass. Yeah, there we go, yeah, User=, that thing. Data... how should I... sorry, uh, I'm just completely losing my mind. cmdservice, so data, data/cmdservice.py into /var/cmd/cmdservice.py. That's fine, right? I think. Let's make a cmd.service, cmd service. And which Python do we have? Break out of that, which python we have, python3. python3, he's in /usr/bin/python3, so that works fine. Um, let's put him in /var/cmd, just as he kind of was to begin with. We don't need any environment stuff, and that should be /var/cmd/cmdservice.py. You probably don't want to accidentally remove that, so I should make that not writable or something.

Um, anyway, let's make a user to run that as. Let's, run user... mmm, we need to create a new user, dill. Create the dill user to run the service. Getting messages that aren't important. dill, dill, dill, dill, dill, dill, dill. Okay, he needs a password, some random password string you would never guess, because I don't want that to be something that they can SSH into, smartly anyway. We should get code execution only through him. Um, dill, group dill, will that work? We made the user, so let's, let's try and set up now. What will fail? The things that we had it do are make a /var/cmd directory. /var/cmd, ls -la, that is running as root. We should make that executable, sudo chmod +x data/cmdservice, and let's actually run that. Okay, good. So if I were to run that cmdservice... what the heck? Oh crap, needs to be /var/cmd, this guy, cmdservice. /usr/bin/env python: no such file or directory. That should be python3, and that's why that would fail. That won't matter too much, because our service is the thing that will start it with explicitly python3, so I guess it doesn't really even need to be executable.
Uh, that's totally fine. Let's go ahead and make that service. /var/cmd, /var/cmd, good good good. WantedBy, sysinit thing. So now let's copy our service into that, so make our cmd_service actually function as a service. How should that be done? That needs to be moved into the systemd service... is that, uh, is that where we expect things to be? In here, yes it is. Okay, so let's copy... system... our command service, data/cmd.service, to cmd.service, which will work for us. And then we need to sudo... oh boy, systemctl is a thing. Yeah, because that's what we used earlier, isn't it? Yeah, yeah it is. Okay, so sudo that, sudo that, daemon-reload, which will know how to do it. Enable the service if required to start automatically at boot, which is good; we'll do that for the cmd.service, and that should run it, and let's go ahead and restart it so that it runs automatically. Hopefully hopefully hopefully hopefully. Let's sudo those, and cmd.service again. Okay. Now let's try our data setup script. What will it break, if anything? Added gherkin, made the list, made the thing. systemctl: is he running cmd? Uh, yes he is. Can I netcat to 192.168.55.10 on 7321? What port is he running on? cd /var... uh, let's ps aux, or ss -lntp, please. Assumption: sudo systemctl cmd.service status. It should be status, right? Status. It failed. ExecStart, that thing, that failed. Why is that? That command will run. Thank you. Maybe he didn't restart it because it wasn't running. Can I sudo that, please? Now can I netcat to myself? No. But why? Running the command works. Is it because dill cannot move into /var/cmd? We could put him into /tmp; would that work? If I run setup again, will it clobber it and put him into /tmp? Grr, dill does not exist... dill is now a user, which works perfectly fine, so now does he work? No. Unit entered failed state, failed with result exit-code. What is the error? Is it because the dill user doesn't know how to use that?
Let's switch into dill and... oh, I never actually changed dill's password. Whoops, all I did was reset gherkin's. So let's rebuild that again, and let's cat out /etc/systemd/system/cmd.service: running as dill, group dill; you can directly read all of that. So if I su to dill and then do this, can I run this command? Let's even do it from /tmp. Let's cd into /tmp, run this: no module named Crypto. Okay, so it's totally because he does not know how to do that, in which case we will go ahead and sudo this so it is available worldwide. Let's run setup again. Good good good. su dill. I think I changed my clipboard prompt, so that probably didn't work. Yep. Let's go into /tmp. Let us sudo... Can, can dill go into /var/cmd? He can, so there's nothing wrong with that. We should make that a hidden file though, so it looks a little bit more interesting. Yeah, I'm good with that. Into /var/cmd, cmd_service, and let's make that hidden again. Let's run setup one more time so we can make that change. cd /var/cmd, ls -la, let's rm cmd_service, which I need to be root to do. So now let's su to dill, get that, and cat /etc/systemd/system/cmd.service. Okay, so even in... well, now he's still in /tmp. Let's go into there and make that change afterwards, but he should be able to run. Why can you not run? You just installed pycrypto. How do I pip install for all users? I would think sudo would just think and do it. Should we do it after we're dill, after we've made the dill user? Let's, uh, destroy and rebuild, so vagrant destroy, and try that again. Yep, it's totally fine, blow away.
I'm gonna eat a peanut butter and jelly sandwich while he starts up again, and I'll pause the video so you guys don't have to listen to me chew. Okay, now he's back up. Let's vagrant ssh to him. He should have no configuration, but if we run setup he'll go ahead and do it. Hopefully, hopefully, hopefully the dill user will know how to use pycrypto at this point. Man, Microsoft Teams is going crazy over there in the corner. Okay, I think he's done winding now. Good. Nope, he's still back and we're installing a lot of stuff; finally at pycrypto. Did we move that... Until, okay. Yeah, so that was after we made the dill user, and we did not copy our data/cmd_service in there, because that should be plus, but we should have our cmd.service, which is correct. So let's su to dill to make sure that we can run it as him. Good. Let's cd into that directory and let's try and run this command, and it's running. Okay, perfect. It yelled at me, which means it's running, and I can access it from my host. So perfect, that's doing what it's supposed to do. If I were to nmap scan that guy on that port, will he tell me that he is open? Good. If I were to do a regular nmap scan, very very very very verbose, all he sees is FTP and SSH. Perfect, so they will need to run an all-port scan to find that. Let's be very very very very verbose, and he finds that other odd port. Great, okay. So now that it's running as a service, they can get command execution as dill, and dill now needs a... First of all, can I SSH with the specific password? Can I SSH to that host, 192.168.55.10? Yes. And it needs a public key.
So I will need to reconfigure SSH. Let's do that after we get a pickle exploit, because we should have a setuid binary set up for dill. We also need a user flag for dill, so um, can I head /dev/urandom and then make an md5sum out of that, just to get a quick hash for that user? Okay. And we also need to go ahead and put that source code, that compiled source code, into gherkin's home directory. So let's sudo echo that thing into /home/dill/user.txt. Let's sudo chmod dill dill /home/dill/user.txt. Make the initial user flag. And what did I just say, what else did I... oh, we needed the... we need the compiled version in that script. So let's move our cmd_service, uh, to the parent directory, with cmd_service.pyc. Good, so that exists now. If I cat that cmd_service.pyc out, it's a lot of nonsense. If I were to run strings on that, it still doesn't have the password, which is perfect; that's what we want. So we need to put that in gherkin's home directory. So sudo copy data/cmd_service.pyc into /home... I want that gherkin. And we need to chmod that, so gherkin gherkin on /home/gherkin/cmd_service.pyc. Add the bytecode for the cmd service. Good. Okay, so now there's a way to get into dill as long as you know the password, which you can only find out by uncompiling the bytecode, which you can only find out by reversing the credentials from gherkin that you find in FTP. So now we need that pickle service. Oh man, do I want to write that?
Obviously I have to. Let's do it. The thing that I'm thinking about is this: hiding the flag and doing a jerk move on that flag would be kind of... something that, it's something that I want to do, by adding a little Unicode, like a zero-width space character, in there, because that would just trip them up and be extremely frustrating, which I want. But if they're in a reverse shell, I don't know how well that would work, so, because of like the LANG variables and stuff that kind of needs to be set, and I can't automatically set that for the user. The other... the thing that I'm thinking is, if we keep it private-key enabled, or one user needs, or the dill user needs to specify his private key, because he could read out private keys. Is there a way I can do that? ssh, one user requires private key. That'll still work. That would still work. The question is, they can still get a remote shell; they can still get a reverse shell as that user, and I don't... now I would no longer want them to. Or I can just have the pickle service verify that you're actually in a pty, but they can fake that, because you just create a pty. Other option is changing the functionality of that command service only to like local file read, but you could do some damage with that too, and it'd be good if they could get a reverse shell, because I want that included. There's no way that I could... I don't, I can't think of a good way for me to successfully verify, okay, they're running from an SSH thing, just for the sake of getting that annoying flag. Wait, I can set their environment variables. I do this in another challenge that will be developed in the future. So maybe... I'm sorry, I'm going to look over on my other monitor for a second. It's... just show me the file, please. How is that done? Let me verify it.
Let me test printf \u2000 root.txt. It depends how annoying I want to make it, because if it were a hidden file I'm sure they would be even more angry about that, which I could do. Whatever. Let's let's cross that bridge when we come to it, and let's get back to writing the actual service. Can I make... I can't make a script a setuid binary? How will I let, how could I let that run as root? Because if I want a service to be exploited with a Python pickle exploit, it has to be written in Python. I could freeze it. I've never done that before. Why not? Hello, I clicked on that link. bbfreeze, PyInstaller. bbfreeze makes all of that... bbfreeze only works on Python 2, so that won't work. Maybe PyInstaller will work. Question is, how do we want them to supply their data? How do I, how should I just write this script? I should just kind of shut up and start to write the script, I guess. Obviously creds, commands... or we don't need any more creds. We don't need any more all that stuff. We don't need any more. Let's go ahead and make a new data for a... what should it be called? It should be a pickle... pickle farm. Those things. Is there such thing as a pickle farm? I guess so. pickle_farm.py. Shebang: /usr/bin/env python3. Let's import pickle, and let's print, uh, uh, print what the heck? "grow pickle". And let's have it base64 encoded. Let's input there. Let's just have a newline extra there, and let's input pickle, or entered equals this thing. Let's try base64.b64decode(entered), and then okay, actually let's just call it data. except binascii.Error. I think that's... I think a binascii.Error occurs when you fail to base64 decode something, right? So let's import, let's import binascii, and let's just test that real quick: import base64, base64.b64decode(b"stuff"), binascii.Error: Incorrect padding. Perfect. If I had the correct padding... or that really doesn't help me, man. What are you doing?
Failed text. binascii: Incorrect padding. So let's put that in a try and except. Uh, print, exit: "failed to decode base64", just so they get an idea. Okay, it's looking for base64. Uh, and if that doesn't work then it will do... it can pickle.loads their data, and then we can simply print that out, right? Let's... maybe that will work. I'm gonna pause to have some more peanut butter and jelly. Okay, um, let's just have it print, uh, "your pickle grew to" and then have it display that out on the other line. So let's see if that will work, and just kind of our own test bed. Um, let's do python pickle_farm, grow a pickle, anything, and that will die. Hmm. That's the hex of those bytes. So let's... what actually is the data that we're getting? Have it print that out too. Hello: failed to decode b64, anything. Decode has a UTF-8 byte. Why is that? We can also catch, um, UnicodeDecodeError. Maybe those are also problematic. Anything, failure, please. Sub... Okay, good. Let's echo anything into base64. Now let's try that. A bytes-like object is required, not a string. Okay, so it does need to be encoded after the fact. So, uh, is that giving me the error? Let's let's just let's... I feel so weird encoding in base64, and so... unpickling, under the pickling, Stack Overflow. That's good. Um, can I try this? Can I do an except, uh, is that in pickle, pickle.UnpicklingError? That's kind of weird. This pickle did not grow. What? Stupid convert-to-spaces, you jerk. Uh, oh gosh, I splat in a lot of stuff. So if I take that and I supply that pickle: pickle has no attribute unpickle. Where is that stupid UnpicklingError variable? Um, import pickle, vars(pickle), Pickler... My phone is blowing up right now. I'm sorry.
I need to check this. I don't know if it's just like my friend's group chat that's going crazy. Yeah, it is. All right, mute for one year. pickle, Python 3: will that show me some of your exceptions? exception pickle.PickleError, UnpicklingError, PicklingError. And that can probably get some other pickle error, and pickle.PicklingError just in case this whole thing blows up. Let's try that. Um, I lost my stupid base64 string. He's there. Spit that in: this pickle did not grow. Sad. Um, let's echo anything in there as a string variable. This pickle did not grow. He needs an object, doesn't he? So so let's do, uh, some Python, and let's do it up here so that way you can see it a little bit better. What is this guy doing? Oh, he's still running our own cmd service locally. Let's import pickle. pickle.dumps, so we get the pickle object of, uh, and let's actually import base64. dumps... a can equal anything. So let's base64.b64encode that, and let's spit that in, and it fails to decode, supposedly. Maybe I don't need this stupid decode. I don't, I don't want to risk that. Pickle this guy: your pickle grew. Okay, so that, that must have been it. Um, anything: KeyError. KeyError. Okay, so they kind of have to fuzz it a little bit, just uh just to mess with it. Question is, can we get a, uh, "python pickle execute code"? Yeah, okay, so that will generate a shell. They do this thing here. There's a quick and easy exploit, "pickle arbitrary code execution", new post. They build a random object and make a shell. Can I just do /bin/sh -i? Yeah. So when they load something they just break it, right? Let's mess with this. Um, /bin/bash -i, maybe. Oh, and we need to actually decode that crap. That article did it, root for loot. They do this guy, cPickle. Let's do that, la la la la. We don't need any of that. We do however need cPickle, so let's... how do they invoke that? They just... let's get the payload base64-encoded, which is here. base64.b64encode this guy. Will that behave well in my Python shell?
No, it will not. Grr, uh, let's start in /tmp, test.py. Good. Let's run that. No: no module named cPickle. Can I just do it with pickle, man? I feel like that would behave. Yeah, okay. print(payload). Yeah. Okay, will our pickle farm exploit it? "Your pickle grew to this," and it completely ruined that shell. We could try it to get a reverse shell, might as well. So what did they use? I feel like there's a way to get an interactive thing; maybe I just don't know it. That's obviously... maybe that won't just give me command, like input and output, right away. So what did they use? They used their stinking reverse shell, and it's going to be run with netcat, 127.0.0.1; let's listen on 9999. Let's use bash -i. I wonder if the setuid... if I, if I made this thing setuid, it would still work. Anyway, let's get a payload and let's see if it does it for one thing. So let's, let's start a little listener over here, -lnvp 9999. Let's run our pickle farm, submit that, and we get our session. Okay, so that fails. Can I just run like system? Please. Whoa. Who am I? Where am I? Am I in my shell? exit, exit. Okay, I was not in a shell. Did this run? No. Spitting that in there: connection received. Now I have bash. exit. Wait a second, I'm getting very confused. I need to do that properly. exit. Still in my regular shell, okay. So if I were to compile this, and if it were to be setuid, would bash keep the permissions? Let's use -p in there. Run that. So we still have that as an option. Oh gosh, how do I compile? Freezing your thing. I need PyInstaller: pip install pyinstaller. Is that all that it takes? Seemingly. I'm gonna have to take a break here, because I got to jump on a call. PyInstaller, and then run it on the thing, so pyinstaller, yep, on pickle_farm. Does it build it? Seemingly. build/pickle_farm. pickle_farm, heck yeah, okay.
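The service sketched over the last few sections (read a line, base64-decode it, pickle.loads it, print what "grew") is intentionally unsafe: pickle.loads will import and call any global the stream names, which is exactly why the author's test payload popped a shell. As an added example, not the video's own pickle_farm.py, the block below reproduces that input handling with the exception set the author arrived at (binascii.Error, UnicodeDecodeError, pickle.UnpicklingError, EOFError, KeyError) and puts a hardened loader beside it, so a reader can see where the boundary is. The hardened form is the RestrictedUnpickler pattern from the Python docs: override find_class and refuse every global except a short allow-list. All function names, the SAFE_BUILTINS set and the Harmless fixture are constructed for this example; Harmless only calls os.getcwd on load, which is enough to show that a global gets called and that the restricted loader stops it.

```python
"""Added example (not the video's own pickle farm): the base64 + pickle.loads
input path beside a hardened loader that only allows an allow-list of classes.
"""
import base64
import binascii
import builtins
import io
import os
import pickle


def decode_submission(text: str) -> bytes:
    """Base64-decode user input, turning the failures seen in the video into one ValueError."""
    try:
        return base64.b64decode(text.strip(), validate=True)
    except (binascii.Error, ValueError, UnicodeDecodeError) as exc:
        raise ValueError(f"failed to decode base64: {exc}") from exc


# Exceptions the video ends up catching around pickle.loads.
_LOAD_ERRORS = (pickle.UnpicklingError, EOFError, KeyError, AttributeError, ValueError)


def grow_unsafe(data: bytes):
    """The deliberately vulnerable form: pickle.loads on bytes the client controls.
    Any global referenced in the stream is imported and called during loading."""
    try:
        return pickle.loads(data)
    except _LOAD_ERRORS as exc:
        return f"this pickle did not grow: {exc}"


# Constructed allow-list: plain containers only, no callables that run code.
SAFE_BUILTINS = {"set", "frozenset", "list", "dict", "tuple", "range", "bytearray"}


class RestrictedUnpickler(pickle.Unpickler):
    """Unpickler that refuses every global except SAFE_BUILTINS (Python docs pattern).
    GLOBAL / STACK_GLOBAL opcodes go through find_class, so this is the choke point."""

    def find_class(self, module, name):
        if module == "builtins" and name in SAFE_BUILTINS:
            return getattr(builtins, name)
        raise pickle.UnpicklingError(f"global '{module}.{name}' is forbidden")


def grow_safe(data: bytes):
    """Hardened loader with the same interface; code-bearing pickles stop at find_class."""
    try:
        return RestrictedUnpickler(io.BytesIO(data)).load()
    except _LOAD_ERRORS as exc:
        return f"this pickle did not grow: {exc}"


class Harmless:
    """Constructed fixture: a pickle that calls os.getcwd when loaded. It proves that a
    global gets *called* on load, which is the mechanism the hardened loader blocks."""

    def __reduce__(self):
        return (os.getcwd, ())


def demo() -> dict:
    """Run both loaders over a plain dict pickle and the Harmless pickle, base64 as the service expects."""
    plain = base64.b64encode(pickle.dumps({"pickle": "anything"})).decode()
    tricky = base64.b64encode(pickle.dumps(Harmless())).decode()
    return {
        "plain_unsafe": grow_unsafe(decode_submission(plain)),
        "plain_safe": grow_safe(decode_submission(plain)),
        "tricky_unsafe": grow_unsafe(decode_submission(tricky)),  # returns the cwd: getcwd ran
        "tricky_safe": grow_safe(decode_submission(tricky)),      # refused at find_class
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value!r}")
```

For a box that is supposed to be exploitable, grow_unsafe is the behaviour wanted, and the sudoers entry planned later is what turns it into a root path. For anything that is not a CTF, the choice is between grow_safe with a tight allow-list and not accepting pickles from the network at all (JSON or another data-only format); the allow-list approach still needs review each time a new class is added, because any allowed callable becomes reachable from the stream.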
I can run pickle_farm and it fails. Fantastic. It doesn't have a shared object file. What? All right, let's pause and take a break and figure that out later, because I need to go do other real-world things. Okay, welcome back everybody. It's been a day, so I have not worked on this since you last saw me on keyboard. I know I said hey, let's go for a quick pause, but then I kind of got carried away with some other stuff. So now I'm back at it, making the TryHackMe room; Peak Hill is kind of what I want to call it. I need to go and determine where I left off. So let's try and reset from where we were the other day. I have my box that was created, and I don't know if he is up or not. Let's kind of remove him and start fresh. Yep, that's totally fine to do. Let's go into that data script, and see what our setup... or that data folder, and see what our setup looks like. I have a lot of other tabs open, so let me try and clear out some of those. Close close close close. Was that a private key? No, it was a public key. I was like, oh, better not show that on the internet. Okay. So we update everything, then we install FTP, then we open up the FTP port. Um, I'm not sure if ufw or the firewall is already on and enabled. I've had a thought where I might change it up so that reverse shells actually aren't allowed, like it won't allow some of that outbound traffic, so that way I can kind of force them to be doing this all through SSH and not a reverse shell, which might be better for kind of the later trick that I want to do at the end. So I might tinker with that idea soon, and then we update the configuration.
So we have anonymous access, nobody nobody, all in that FTP. We also have a test directory, and we do put the credentials that we created with that Python script into the FTP service, and work with this gherkin user; the gherkin user has his password, which is set. Um, that, what, what did we use that for? Was that necessary in obfuscate_creds? Yeah, so you SSH into gherkin after you found his creds, and then you would see the bytecode for the service that's running as dill. Okay, so I don't want a user flag within gherkin; I want it within dill. Shown: dill dill, and his password we don't want to be known, because we want to grab his private key. Now I want to make that in... We get pip3 and everything so that we can run that service, and that should still run on 7321, and we echo that into dill/user.txt. We make it owned by him, and now that's running and available. So where we left off was working with the... make a new terminal that I can move in and work with. That was in data, on the pickle farm. Let me rename that pickle_farm.py; I want that to now be called peakhill, because I don't want all the references to pickle to be that explicit. I never want to directly mention it. So pickle farm, call it peakhillfarm.py. Now let's rm that pickle_farm.spec, and we'll end up rebuilding this, I think. Yeah, because we need to change these banners here: "peakhill farm", "grow pickle"; grow something on the farm, not "grow on the peakhill farm"; "this grew to this". Okay, so now there's no real mention of pickle, and what I want to do is, I do want to end up having this, um, compiled. So I use compileall just like we kind of did earlier, and I don't know, that was, that was um, that was using it to get the bytecode. So this will need to be done with PyInstaller, and we'll need to carry all those things over there, but rather than making this setuid, uh, I realize okay, that probably won't keep privileges, so I want to end up putting this in a folder and making it sudo accessible.
So let me do that. Um, we don't need build and dist, but what I learned the other day was that, using PyInstaller, I was looking in the wrong, um, location. So what was that blog that we were at? Um, "make python script to elf". There was a, there was a blog post we were looking at. This is not it; I don't want to be on Windows. PyInstaller, maybe that's just it: pyinstaller on the script name, I think. So let's get rid of that build and dist folder, and let's pyinstaller peakhillfarm. We'll just do it. Yeah, it'll just know how to do it. So it puts it in dist rather than, um, build. So if I move into dist, now I have this folder peakhillfarm, and I have this peakhillfarm binary, so I can dot-slash that, and now it will work. So some of the tests that we had earlier, let me make sure those still work. Had to pause real quick, sorry. Okay, um, do we still have some of our tests in here? I don't think so; that was all probably... dang it, in our test directory, in our /tmp directory. So regardless, let's go ahead and move this in. So, because that's all compiled, what we can do is we can copy data/dist, everything, right? Yep. And let's put it in /home/dill. Let's make a directory peakhillfarm. Actually, yeah, let's use copy -r, because that has a peakhillfarm directory in there, and put it in /home/dill. Okay, so let's just get, get the peakhill binary into dill's home folder. Okay, we should also figure out getting his SSH key done, so let's actually do that. Um, what we can do is just go ahead and create our SSH key on our own data side. Let's just do ssh-keygen into the current directory; we'll call it dill_id_rsa, no password. There we go. So now we have dill_id_rsa and dill_id_rsa.pub. Um, can I subl dill_id_rsa.pub? Because I want to change that, not at john@xps but to dill@peakhill. Just a small nicety. And now in our setup script let's go ahead and copy that over, so sudo... um, I'm sorry, that should not be a comment.
Let's sudo copy data/dill_id_rsa into /home/dill/.ssh/id_rsa. Let's also do that for his public key, and let's put that into his authorized_keys as well. We should make that directory just to be sure, so let's sudo mkdir -p. Not really necessary, because we know all the other ones exist at that point, but it's still good practice. And we should probably chown all of that, and we should do that for the other as well. So chown dill dill /home/dill/.ssh, everything in there. Let's do it also for everything that's in dill's home directory. Yeah, because peakhill will be inside that. Hopefully that will work. Um, let's try it. So let's build this new box. Let's do vagrant up, and then we can go ahead and run our setup script, and we should be able to tinker with the box. I'll pause and let this go. Okay, that finished building, so let's SSH into this guy. There we go, now I'm inside, and let's move into data, run our setup and see what breaks. It's going to take a little bit to download and update and get all this installed as well, so I will pause here also. Okay, so that finished running. Uh, got to write pycrypto, created the symlink, which is fine. It erred on /home/dill/user.txt, which I'm curious why. Oh, because that... that directory should exist by now. Oh, oh, oh, I'm not keeping my write permission in that. So let me bash -x that, and chown... and I also want to chown that, not chmod that. Okay. So what do we have? Our IP address is this guy. Can I safely FTP to him? Yes. I can log in as anonymous, see the test.txt file, can also see the creds file. We can download that. That would give us the creds for that SSH user. Um, we should, we should SSH into that, uh, before I do that. Yeah, you know what, let's let's figure that out. Um, let's just see what our /etc/ssh looks like: sshd_config. Let's take all of this and make our own.
We'll call it another, like our, our sshd_config. Let's set the syntax to be bash so I can see things. So they use private keys, and I do want, I... PasswordAuthentication should be yes, because I do want that as well. PubkeyAuthentication is also accepted, for fluid separation. Will that work if I had that setting, and then if I were to service ssh restart? I would need to sudo that. Good. Now I should be able to SSH into 192.168.55.10. Um, that is a different box now. Yep, okay, yes should be fine, and it doesn't let me do it. Do I need to do sshd restart? I do need... I want it to ask for a password, but I also want it to accept private keys. "ssh password and private key authentication methods", pubkey and password. Do we have that authentication? So that should work. PubkeyAuthentication yes. Private key authentication, maybe I can have it do both, public key, public key. Let's try that. Oh, I didn't even change that one, which is kind of why that had that problem. I'm stupid. Maybe that did work and I didn't actually update it on the machine itself. So let's vim /etc/ssh/sshd_config. Up, I need to sudo that, so let's allow PasswordAuthentication; that should be yes. Let's save that and now restart it. Good. Now can I SSH? It will ask me for a password. Fantastic. Okay, so let's do, um, gherkin with the password that we know, that is this guy. Paste that in, okay, that logs in. Fantastic, I am gherkin. That does not put me in bash. Now I'm in bash. Okay, and that behaves. Is that not his default shell? He doesn't have a default shell. Let's set one up. We should do that for both of those users. I think it's usermod -s, right? /bin/bash gherkin. And that probably needs a simple sudo, right? Now he's good.
Now if I were to reconnect, paste that password in, okay, now I'm good, and he can see the cmd service. Fantastic. So let's let's make that change: sudo usermod -s /bin/bash on gherkin, and let's do the same thing for dill. Okay, great. Now let's go verify that we can actually go access that service, 192.168.55.10. I was just fading out there; I don't know what happened to me. Okay, good. So that is running; it needs a username and password, which you could determine from the thing, the compiled bytecode, but it should be dill and never a dull moment. Good. So I could run id, I could also run ls, I could run ls -la, you could find where I am. If I were to move into my home directory... um, do I have a home directory? cd /home/dill, ls -la. It's not letting me move. Oh, because it's all within the current context. That's pretty cool. ls /home/dill, ls /home/dill/peakhillfarm; that should have been ls. Good. So let us ls, or just run the thing. Let's do /home/dill/peakhillfarm/peakhillfarm. Okay, that will not work for me, which is good. So let's go into home. Let's check out /home/dill's SSH key, which we can get, so if we were to cat out that /home/dill/.ssh/id_rsa we could grab their private key, in which case we could go ahead and log in with them. So let's try and do that. We had just ssh, but now let's use dill's id_rsa to dill. Good. And he does not have his password or one thing set yet, whatever; regardless, we can put in user.txt, and now we should put in sudo. So let's cat, or sudo cat, /etc/visudo or sudoers... I'm thinking, I'm conflating the command visudo and the sudoers thing itself. Okay, let's just snag this and let's make our sudoers, and at the very very end let's allow dill to run ALL ALL ALL, and we don't know his password yet. Dill... the player never learns dill's actual password, so we will need a NOPASSWD, um, /home/dill/peakhillfarm/peakhillfarm. Good, so he could potentially privesc with that binary. Let's reset everything.
Uh, let me destroy this now that we've kind of got a little bit more progress. Uh, actually, let's turn... let's figure out how to, before I do that, I'm sorry, let's let's figure out how we can disable outbound connections. I think we just kind of need, um, "never a dill moment" as the password for that cmd service: never a dill moment. Okay, so if I were to netcat -lnvp 9999, um, I would need to know my IP address, which we can assume is this guy, and I would need to know a pentestmonkey reverse shell cheat sheet, because I always forget that, literally every time. Let's just throw that in a shell, or a little script, if anything just a text editor so I could work with it. Let's see if that will work. Prove a concept to get our reverse shell to begin with, right? So he's running. I run that command, I do have a shell, and I am dill. Okay, let's figure out "ufw disable reverse shells", or "block outbound traffic". Cool cool cool cool. Will you give me actual ufw syntax? Probably not. Do you stay able to disable outbound? ufw deny outgoing, and then allow specific ones. So the things that we know that we need are 20, 21; we also need SSH, and we also need our service, 7321. HTTP and HTTPS we can make annoying by not allowing that, because there is no web server here. So maybe that will behave. Let's find out. And then like ufw enable, right? So do ufw enable. Uh, how do I allow ping? So ufw allow icmp? Maybe I don't care about that. Will that, will that behave? ping 192.168.55.10: that will respond. Good. Um, let me get back into the box and try to run those commands. Good. Keeping existing rule. ufw enable. Do it. Okay, firewall is active; we can still talk to it, good. Ping still works, fantastic. Uh, how does our netcat look? Also still seems to be good. Let me grab our stinking cmd service credentials. Okay, great.
So that still works as well. Um, let's try to get a reverse shell with netcat -lnvp 9999, and just to frustrate the player, this should not work. Good, it doesn't, because the host firewall is not allowing that to work. Ping is still going, so they have to get the SSH key through here; they'll never get dill's password. Does FTP still behave? .55.10: that seems to. Good, great. Okay. Fantastic. So only, now, FTP, SSH and cmd service connectivity. Great. So now we have our... we should, we should move and put our sshd_config in place, sshd_config, config please, and put that into /etc/ssh/sshd_config and restart sshd. We will need to change our sudoers to /etc/sudoers so dill can do it. Change the sudoers file so dill can run peakhillfarm as root. I feel like that's all set to get a pathway to root. Let's let's tear it all down and rebuild, see if it works. I'm going to pause to bring this up and then do the same when I run my setup script. Hopefully there are no errors; hopefully we don't have to troubleshoot anything, but if there are we'll get back to it. So I'll pause until then. Okay, so we're back at it. It immediately broke sudoers, and it asked for our inputs for ufw, which I'm not too concerned with, because I only really need to do it once. Um, why /etc/sudoers is dying, I'm concerned with. Our sudoers into /etc/sudoers. How does our sudoers look? It looks just fine, right? Let's uh, let's try this locally. Do a little visudo, sudo visudo, paste this guy in: yeah, ALL ALL, NOPASSWD. Does he need a space after it? No, he's totally fine. Try to sudo -u dill, who doesn't exist on my machine. So that guy... why does that not work? Probably editing it with that method is really bad, just to clobber the entire sudoers file. But what else can I do? Does he need to have a new line? "Please consider adding local content in /etc/sudoers.d instead of directly modifying this file." Uh, what does that look like?
cat /etc/sudoers. Give me that. It fails: line 31, no valid sudoers sources. 31. Oh, that's because dill isn't real yet, right? We probably should do that after, after we've made dill, at the very least. Let's try that. And after we've made the binary and everything. Yeah, so let's totally move our /etc/sudoers stomp, probably until like the end. Let's rebuild. Thankfully this is kind of quick; it doesn't take all that long. I wonder if there's a way for, uh, ufw force enable. Is it like a -f? Yeah, probably ufw enable and --force, it looks like. Good. All right, let's spin that up. Up. Okay, that started, so let's move into data and run our setup script. We'll see how quickly that goes. Okay, new bug. Obviously it can't reach all of these updating websites, because they require the internet, and since I just stomped over the firewall... we should probably do that also at the very very end. Let's tear down. Maybe we can keep it, because we didn't actually upload anything. So yeah, let's actually just keep it. Well, the firewall is still borked, so let's actually tear it down. Benefit of local VMs, I suppose. Now he's up. Let's move into him and see if this setup will work better. I'll pause again until we get our hiccups. Okay, setup ran, updated the firewall, seemingly no errors for sudo. Can I su into dill? Let me sudo bash and then su to dill. So if I sudo -l, I can run this guy, and that fails. So should I be in that home directory? Is that kind of how it should be? I'll use it at texas here, so that's a plus. That still fails. Uh, he probably needs to upload, uh, compile it on this machine. Grr. I guess there's nothing wrong with that, right? Move it over, compile it, remove it. Then I just kind of need to... Dang. Okay, so what else do we need, then? We need PyInstaller. Will that work?
`sudo pip3 install pyinstaller`, with two L's for install. No? What the heck. Collecting pyinstaller... oh, because we don't have stinking internet. `ufw disable`. Sweet, man. Should have just done that earlier. Okay, PyInstaller, there's a thing. Let's make sure that he's installed good, which he is, and then we have not moved this. This, this we know will not work. So let's `sudo cp data/peak_hill_farm.py` into /home/dill, and then let's `sudo pyinstaller /home/dill/peak_hill_farm.py` and see if that will work. If I'm in a different directory, will it do weird things? Uh, let's start with this copy to get that in there. ls in... oh, sorry, let me be dill. `ls /home/dill`. Actually, I don't need to be dill just yet. Okay, so that's in there now. Let's run PyInstaller on that. Will it put it in the current directory or the directory of the thing? Oh, it will not. Okay, it'll do it in that directory. How can I specify an output directory? `--distpath`, that's probably what we need. Yeah, that's definitely, that's definitely what we need: `--distpath /home/dill/peak_hill_farm`. Did that work? Let me see. `cd /home/dill`. We have a peak_hill_farm, a peak_hill_farm. Okay, so we definitely don't need to use that then. Uh, let's `rm -r` our peak_hill_farm. Yeah, just, yeah, just clear it a minute. I don't care, do it anyway. Okay, and now `--distpath` does all of those things, so there should be a peak_hill_farm in here, which I should be able to run, and I can. Fantastic. `sudo -l`: I am not dill. If I were to be dill, let's `sudo bash` and then `su` to dill. ls, `sudo -l`: I can run peak_hill_farm/peak_hill_farm on here and that will let me run it. Okay, fantastic. It gets an EOFError. Hmm, maybe we should recompile. Where does that happen, line 17? In the try, EOFError. Also toss that in, good enough. Oh, I put that in the wrong file. We want peak_hill_farm, not pickle farm.
Oh, dang it, I shouldn't have removed that. Dang it, dang it. I can still, I still have the original file, because it's right here. Good. Let's place that, and let's do an EOFError also in here. Good. So now it will compile it for that machine as needed, and then we should have it remove it. So once that's all done, let's `sudo rm /home/dill/peak_hill_farm.py`. I actually remove everything after that, right? Because I want to remove peak_hill_farm dot everything. Yeah, that's fine. Yeah, that's fine. So he just has __pycache__, and we can probably get rid of __pycache__ too, because that has the exact same thing. I wonder if we can move... that's a good idea, having __pycache__ there, actually, because now you have the bytecode for it in kind of a weirder directory. Maybe. No, it's fine. And let's `rm` __pycache__. That needs underscores, and it should be an absolute path, I think. Will you do it? Yeah, I know you can't do that, dill. You're not good enough unless... Do I even need build, honestly? Let's remove build too, like clean up the whole process. `su dill`, `sudo -l`. He should be able to run peak_hill_farm without a problem, and he can, despite the fact those are gone. Line 11: we accept, we catch that exception, binascii.Error. Just do it again. And then it gets a NameError, whatever. Let's, uh, go back from the start, see if that setup script works one more time. Yeah, go ahead and kill it and we'll check in after we've set it all up again. Okay, I was just looking at the setup script again to see if it would work A-okay, but it seems to. So let me `su` to dill, go into his home directory. All we have is peak_hill_farm and the flag, and at least it seems like that will run. So do verify and make sure that will work. I guess I don't really care if it errors all that much. Uh, let's go ahead and python pickle_exploit to see if we can just get that to root, because I know we did it the other day. What's going on with this website, man? Okay, whatever. Let's see if this will behave, pickle_exploit.py. Will that work?
No. Why is that? Oh, because you are using the Python 2 print, not Python 3, and you need to be using pickle rather than cPickle. There we go, that should run sh. Did that kill it? Yeah, it did, because it just ran popen. Let's, let's go get system, `import os`. I don't know why, or `os.system`, and then that doesn't need to be like its own second set, that just needs to be... and let's keep it sudo, I guess. Will that behave better? `whoami`? Oh, I need to sudo it. That did work. Okay, great. So, so `sudo -l`, this with no password. So sudo that and then let's grab this, slap that in, and now we're root. Okay, fantastic. So now we need to set up a root flag. So the dirty way that I wanted to do this was to put a little Unicode guy in there. We could still `cat *`, which would be a trick, but some of the things that I did in fake file, the challenge that I have in mind, maybe we can force... I'm gonna go find that syntax here, the .bashrc file, set a lot of our globbing. Hmm, maybe that will do it, but the question is where will this execute? Is it in... yeah, just display that out to me. Let me see. LANG setup, what does that do? Oh, it exports it, just that in there. I'm looking at the code for my other one, I'm sorry. Because I don't think root's .bashrc is going to be executed, so we should probably keep it in our own dill .bashrc, since we know that we will SSH into dill to get this privesc. So let's go ahead and cat out dill's .bashrc and let's kind of collude it together.
He doesn't have a .bashrc. Well, now he gets to have one. Let's take this, let's put it in dill's .bashrc. Let's set that syntax to bash, and what we want to glob out can be root.txt. So he's not allowed to glob root.txt with a sneaky space character from Unicode, and he's not allowed to glob at all. If someone were to find that, they could probably track it down, but that's totally fine. I do, I will encourage that, but I don't want them to just immediately grab a root.txt. I want them to be a little bit of "hey, wtf". Dill is all good. What else do I need to do? Let's just copy that in there. So copy data/dills_bashrc into .bashrc. Let's do that for .bashrc just as well, to make sure that actually happens. Let me copy all that in. Oh, and let's actually make the root flag. So we need to go get `head /dev/urandom` and give that to `md5sum`, there we go. Let's `sudo bash -c` echo this guy into... let's do a dirty trick. Oh, can I do that? I wonder if that will work. Um, let's try that locally. Let's go into /tmp and spit that in there. Good enough. Do I have a hello file? I do. Okay, great. So that will work, and let's call that root.txt. Good. Let's see if that works. Let's kill all of him and tear it all down just so we can bring it back up again. Let's pause again. Okay, just finishing up running setup, looks like that all worked. So I almost forget what to test now. We need to be `sudo bash`, we need to be dill, `su dill`. All of that fails. That's good to know, but we are dill, so that's better. Let's, uh, try and privesc to root. So we know that we can `sudo -l`, run this guy, and if we pass along this string we can get a root shell. Oh, I did not sudo that. I'm an idiot. Okay, now we're root. And in my home directory... tell us, heck, did that not create it? What the heck? Where did you put that file? Did I just name that wrong? Uh, damn it, it put it in that directory within data. That's why I saw it in there and I was like, what is this thing? Question is, can I copy root.txt and put it here?
Good. So if I move back into data, let me run that command. Let me just freaking get this. Okay, so now I have root.txt. If I try and cat it out, it will not work. If I try and cat it with a space, it will not work. If I try and `cat *`, will it work? No, good. Can I cat root.txt at all? No. So the trick is I have to know how to use this `printf '\u2000'` root.txt, and that will read it, or as the dill user I could edit my .bashrc file. What the heck, can I not do that? Uh, let me out, please. Let's just friggin' nano my .bashrc file and set all of these things, seemingly errors. Now let's try and get our shell one more time. If the player... globs are an invalid option name. Okay, let me, let me finish modifying that, because I want to know what that, what is that, that's wrong. globstar? I should fix that. It's a blind text, not in here. So shopt doesn't need to be in there. Where is the other shopt? Uh, that I don't care about, `shopt globstar`. Where is he yet? There he is. Let's turn that off. Let's do the sudo, let's get our privesc, let's see if it wins. Good. `cd /root`, `cat root.txt` will fail, `cat *`, cat that thing will work if I were to do it correctly, but because we know about globstar or noglob, if I could do that one more time, and now globstar should be in place, can I cd into /root and cat that out?
So, yes. Okay, so they need to either catch that globstar or know to use that trick. Benefit of them knowing this, but because the rest is aging in, they might overlook that. So that should all work. Thanks, Vim, whatever the heck you were doing. Um, I need to make sure that it does give us that /root directory, root file. So let me do all this, and let me actually remove the ubuntu user, because I saw that was in here for some reason. Um, `deluser` and `delgroup`, we have this. Let's remove those. Create the root flag with a trick, remove the ubuntu user, and we shouldn't be removing the vagrant user as well, but I'm not ready to pull that trigger yet. We'll pause that, let it do its thing. Okay, setup ran. Um, let's try and just SSH in as dill. So we need to clobber that previous host key. Yep. Uh, what happened? He should be using the private key. Did I not set that authentication method thing in there? Maybe it does need that. What is that? It's that, our, our sshd_config, AuthenticationMethods, use publickey and password. `cat dill_id_rsa`, which is the right private key, right? No, no, no, no. We were doing so well. cd dill, /home/dill, `cd .ssh`, `cat authorized_keys`. Uh, okay, can... let's just be `sudo bash`, sudo, `sudo bash`, `su dill`, `cat id_rsa`, `cat dill_id_rsa`. These are the exact same private keys. SSH just does not want to do that. Grr. PasswordAuthentication yes. Maybe it doesn't need that. Maybe it can just do both without it. Let me try that. So `vim /etc/ssh/sshd_config`, let's turn off that AuthenticationMethods thing here, and then let's restart SSH. That will log me in. Can I log in to gherkin with the password? Yes. Yes. Yes. Yes. Okay, that should be the only fix that we need, then. Um, gherkin, pickles all around the world. Good, and he has that cmd service that we could run uncompyle on, but we don't have that, so you have to exfil it down with scp, because you have no other access of other ports. That's good.
Let's go back to dill and `sudo -l` to try and privesc. Good. Let's get our build output to grab that here. Do that. Uh, I needed to sudo that. Good enough. Okay, cd into /root. Good. Uh, I saw this .ssh file here and thought that was weird. Okay, good, I guess he's just, it's just made it there, but it's not really necessary. Um, what is in /home? So ubuntu is still there and vagrant is still there, so I'd like to remove those to make it not look like I did those things, but `deluser vagrant` might be kind of bad. Who knows? Let's, uh, remove their home directory, `sudo rm -rf /home/ubuntu`, and let's do the same thing for all of vagrant, vagrant, vagrant. And to finally finish things off, let's unmount data, because at the end of our script, then we will not need this actually on the file system. So release the shore, or like tie off the ship, who knows. root@ubuntu-xenial, all works. Oh, we should change the hostname. Can we do that? `sudo bash`, `hostname` to Peak Hill, `cat /etc/hostname`. Let's echo Peak Hill into /etc/hostname. Good. Will that work? Next time I log in, is it going to be Peak Hill? No. Why not? Who cares? That's not extremely important to me. Um, let's bring it down and do it all again. I'll pause again here, see if it will sanely untie things and remove the vagrant necessities. Okay, now we're just a bit at the end. Looks like we finished. It doesn't really know where I am or who I am. Data is still in use, so I guess we'll have to unmount that on our own. `umount data`, cd into /root. We can cat, we can't cat our root.txt; if we cat it all with our glob, that would work. Um, dill will have the issue where he wouldn't be able to get there. Uh, so I think that should behave. I think what I'd like to do right now is go ahead and, let's try and log back in as dill, I suppose. Thank you. Root has no password set, so you shouldn't be able to just `su` right into root, but we have user.txt. We can go ahead and peak_hill_farm to get our privesc, and you should be root. Good.
Let's move into /root. Let's cat out that root.txt, which will fail. Try and `cat *`, which will also fail. So unless we turn off our glob or figure out that we need our cat, um, `printf '\u2000'` root.txt, and it will get it for us. So that is all. At this point we have the virtual machine created. It has all the paths from gherkin to dill to root, with a few different gimmicks and gotchas each way. So I think we're good. Um, we unmounted data, so there should not be any other remnants of that stuff on here. So let me, uh, go ahead and export this. I don't know how long that process might take, but we'll see. Box default running. He needs to be off, right? Export appliance, yeah, he needs to be off. So let's vagrant down to shut him down, or what is it, vagrant stop? `vagrant halt`? Maybe that's it. There we go. Now he's powered off according to my VirtualBox, so let me export that appliance. This one here, let's call him Peak Hill, and hopefully that networking thing will work just fine. Do it. Well, let's hit export and let's see how long it takes. 37 seconds remaining. I don't know how long this will be. I'm gonna leave this running. I'm gonna go step away for a little bit. Um, but, uh, right now I think we're at a good point. I'm hoping that we got it built. I'm hoping that we're almost done. Let's see how it goes. I'll pause. Okay, uh, it's been a little bit of time. Now, uh, I want to go ahead and upload the OVA file for the TryHackMe room on the website. So I have that open here and we'll see if it will behave. We'll see if it'll let me function with it. Let's go ahead and create Peak Hill as the title. Um, I'm assuming I can change this description later. Uh, "room to practice common Python exploitation techniques". How about that? And then let's upload the Peak Hill OVA file. Excuse me. We upload one at a time. All right, let's see if it can do it. Um, it looks like that's happening. Okay. Good.
Yeah, it's cruising. I will let that go and see if it behaves and finishes for me. Hopefully. I'm just gonna leave that tab where it is and not screw around with it, but I think I do need to go into the other Manage Rooms or Create things to actually make the content there. So once that's done, we'll get back to it. Okay, just about done here, seemingly. There we go. Oh, okay, now it needs to be converted, I suppose. The My Material page is still working. Okay, does the Manage page let me make things? Okay, let's create a room then. Call it Peak Hill, and... so, random thing I had in my clipboard. Um, let's turn off desktop audio for the time being, because I think that ding went through. Sorry. Good enough. And the challenge room: Python pickle library, bytecode maybe. Oh, I did have a, um, icon for him, I think. He was in peak_hill. Yeah, yeah, yeah. Kind of drag that in, we'll, let me, yeah, sweet, create new room. Awesome. Now let's go into that room. Medium, hard? Medium, I think, is a fine difficulty. I'm kind of hoping that works well. Simple room only contains the task and the room branding. Oh, question points don't matter. Publicly accessible? Yes. Public rooms are reviewed before going live. IP type: room has virtual machines users can deploy. Are they public facing or only accessible through the VPN? So they have to be through the VPN. Yes, it's free, locked. Points and first blood, that's good. Stats doesn't have anything in there yet. Tasks: we need to go ahead and make some tasks. So we had those. We don't need a deadline. Um, let me try and grab the readme information. "What is the user flag" and "what is the root flag" were the only two things that we said that we needed. Title: compromise the machine. Objective: gain user access, Peak Hill. I don't know how this will be displayed yet, so let's see. Um, we have the user flags and everything all in data for the setup, right? User flag is that. Paste that in. What is this drop down? Let me do nothing. Add hint, remove the answer. Nope.
That's fine. And then we need the root flag. Nope. Need the question: what is the root flag? Slap that in. I don't think he needs a description. Can I just do that? Okay. So if I look at my rooms, is that created now? I want to see like a preview. Is there a way that I can preview this? Tasks, he has the tasks. Design, room icon. He has an icon, we just gave him that, does it not display it? Official write-up, we don't have one just yet. I mean, I guess this video. Oh, don't have any issues, and delete. I need to give him a machine to work with. How can I see it? Can I go to it? Yeah, okay. What is the user flag? What is the root flag? That's all fine. I need to give him an actual machine. Manage Rooms, good. Is My Material done? I'm being converted. Nope, still going. Okay, then we'll stand by. What else is in that manager? I should give him a description, because it looked kind of bland when I looked at him. Free to use? Yes, it is free. Good. And now let's update the tasks. Nothing else in there that I need to worry about, so I guess we'll just wait for My Material to finish converting. That's still going, so we'll see when that finishes. Okay, now that is done. We should have that material ready. So in My Rooms, can I add that in? How do I? Design, VM, yes. Your VMs, okay, good. So we'll just specify it, right? Okay, now can I go back to the room? It's this guy. There we go. Now I have this guy set up. So let's see if it'll deploy successfully, and I guess I'll hop over there and see if I can connect to it. The heck is all that? Some pwncat stuff, apparently, from my other project I've been working on. Okay, connect to the VPN. Let's ping him, see if he becomes available. Hopefully, hopefully. I have no idea how the networking is done, so I'm hoping that will respond eventually. Oh, it does. Okay, let's, uh, nmap port 21 on him. Host seems down. You just pinged him.
Okay, now he's open. Does it just not like to respond to ping, or... interesting. Let's just do a full scan and see if we can work with him, and let's FTP over to him as well. Bind address already in use, FTP data is closed. That's not good. Probably on the firewall, crap. Did I not test that after the fact? Dang it. Should be in data, setup. No, I allowed it. All the ephemeral ports are closed. Oh no, how do I fix that? I need to specify an ephemeral port to use. I probably should have thought of that. Okay, let me kind of pause and think through this. Stand by. Okay, so I, uh, just chatted with Skiddy, or, uh, the TryHackMe guys' organizer, and they said, oh, we need a specific write-up to go ahead and make it a public room or something submitted for review. So, uh, I need to bang that out. Admittedly, I have gotten started. I hope you don't mind, I kind of forgot. Oh, I should have been recording while I was doing this. So I just got to the point where I discuss nmap and FTP, getting the credentials, pulling that down. Let me mute the notifications from my computer if for some reason that came through, sorry. And I have to go in about a half hour, so let's see if I can crank this out in time. Hopefully, hopefully, hopefully. And let me pause, because I'm doing some things. Sorry. Okay, now let's get back to it. I mentioned my Python code, I just logged in. Now we're working at the uncompile part. So I need to get the scp syntax to pull that down. Let's exit out of this and let's use scp. We need /home/gherkin/cmd_service.pyc in the current directory. Good. Then we can uncompyle6 this code. Oh, I am getting a call. Nope. Okay, I'm back. I just got off of a ton of work calls. I don't know why that was piling up. Okay, we can uncompile the code. So in my terminal... oh, he still needs the stinking password, and that box expired now, I think. Um, oh my goodness. Sorry, I gotta pull it up in the other window. I gotta get back to all this. No, I don't want to go to King of the Hill. My Rooms, share room, go back to this. Did TryHackMe do anything? No. Okay, so Skiddy has not continued. I'll go ahead and deploy this to get the IP address and we will SSH all again. Do you still have that password saved? Yep? Okay, um, what the heck is going on with that IP address? Come on, man. There we go. Once that loads up, we'll grab that. Do we actually have the file already in here, peak_hill? I do.
Okay, so we don't need that whatsoever. Get the uncompile thing. That gives us all of the code that I will grab: `uncompyle6 cmd_service.pyc`. This outputs all of the original source code for the, for the Python script. You can see by reading through the code, it seems to allow code execution after being authorized by a connecting client, while the server resides on port 7321. After our all-ports nmap scan came back, we would have found service port to be open, to be available. With the source code we can determine the proper, the correct credentials, username... let's just say the correct username and password credentials to use to log in. I'm getting a message, okay. Correct users and log in again. I will decode this with Python, and that won't give me the original ones, but let's just do that. We have the source code here. I do want that just so I can save and run it. There we go. Perhaps that service is running as a new user and we could go use that account. Trying to connect with this account via SSH does not work. That must not be the right password, but if we can run commands as the user on the service, maybe we can do some other tricks and techniques. Okay, let's netcat to that guy, 7321. Do that on the terminal. dill, and the password is never a dull moment, never a dull moment. Paste that in. Successfully logged in, now we can ls. Or netcat to that... oh geez, come on. dill, never a dull moment. `whoami`? dill, okay, good. Looks like this does let us work as the, as a new user, dill. Pause this. Okay, our gut reaction now is to get a reverse shell, so we have better access than this simple service. Unfortunately, trying the normal reverse shell techniques, we do not seem to get a callback. Perhaps the host firewall is on and does not allow for remote or outbound connections. This shouldn't be an issue, because we might be able to read this user's SSH private key, if they have one. `cat /home/dill`... what's, `ls /home/dill/.ssh/id_rsa`, and it turns out they do have one now.
Let's cat that out. With this we can log into the machine via SSH as the dill user: `ssh -i dill_rsa`. Copy and paste the contents into a new file and then make sure to set the correct permissions so SSH can use it without a problem. Good, good, good. And that IP address is this guy again. Yes. Good. I'm gonna sneeze. Good thing I muted the microphone in time. This is the realest video you ever did see, man. I'm like, you can tell, depending on the different days, how I'm like burning down, like losing steam, and what I'm excited about, this and what I'm actually talking... Good. Stop for what? I'm just hand-jamming crap, man. I need to change this IP address to, uh, use the same thing over and over again, because I know that I'm needed a different one, because I had to stop. Okay, we can see what this user has access to. Let's connect back to him. Give me the stinking command again. Where did that go away? Can the other user, gherkin, actually read that? Oh, dang it, now he doesn't have the right stupid freaking... holy cow, I'm just tripping over myself, because now the IP address is wrong or different again. This guy, connect, please. There we go. `ls -la`. Everyone can read user.txt. As that, uh, same thing, peak_hill_farm. You know what, I'm not too worried about that. Well, everyone can execute peak_hill_farm, so they wouldn't need to... crap. Need to change those. I guess the room is not ready yet after all. He has the user.txt file in his home directory. Let me do that after I change the box information. So in setup, /home/dill, we need to `sudo chmod`, uh, what is it, to read? `440 /home/dill/user.txt`, and then we need to do the same thing. Can everyone read dill's SSH key? `ls -la`, `cd .ssh`, `ls -la`. Okay, only dill can read his private key, so that's good. But peak_hill_farm we should absolutely change to... what is in, um, /home as well? Okay, just dill and gherkin, so that makes me feel better. Um, but now we need to, peak_hill_farm dot everything should go away. What do we need to chmod after that? chmod?
peak_hill_farm. No, cd back into dill, `ls -la`, and you could move into that peak_hill_farm directory, but I only want... so that's seven five, and zero for peak_hill_farm. Everything, peak_hill_farm everything should be seven seven five zero. `-R /home/dill/peak_hill_farm` everything, perhaps. Let's go back to our vagrant, `cd peak_hill`, vagrant. He was, he already destroyed, destroyed, not the story. Oh man, you can tell I'm burning out, dude. Yeah, just go ahead and remove it, please, and then build me a new one while I keep writing this thing. Doing some classic enumeration, we can see via `sudo -l` that dill can run the binary peak_hill_farm in his home directory as root, so we should explore that binary and see if it can be abused for privilege escalation to root. Okay, how's that guy going? Good, he's up. I can no longer SSH into him, probably. Oh, I can, okay, because we need to go into data and run setup. That'll do its thing. `sudo -l`. You just sneezed again. Maybe later, I feel like it's coming, dude, gosh. There we go. Some finagling, finagling. Seems to accept base64-encoded data, which is then unpickled. Is that something that I can do? Can I test that? I realize my face is in the way there, so maybe that's a bad window to use. Echo anything into base64. If I just slap that in here: "This did not grow, not grow, did not grow on the pickle farm." Uh, should that be what it says? Peak Hill farm: "This pickle did not grow on the Peak Hill farm." I should be, now I'm comfortable with being explicit there, unless, what can you do on that binary? You can do strings. Do I have strings in here? What is going on with my typing? That seems to work, peak_hill_farm. Let's do a little `-8`, pickle. Why are you not, are you referencing here? Combat, pickle. It's really it, so let's keep that. Anyway, let's su on the virtual machine over to dill, and let's go make sure that dill can, uh, read that just fine. Oh, I need dill's actual password if I do that. So that's this guy. There we go, now I'm dill.
Let's go to /home, `ls -la`. So I can cat user.txt, good. `ls -l`. I can execute peak_hill_farm, but no one else can, so gherkin would not be able to use that. That's fine. Um, FTP is still working just fine, so we can get out of here. `sudo bash`. Now let's cd to /home and let's `umount data`. Why is that still being used? There's nothing in here that's using that. There shouldn't be anything that's using that data. There's nothing that's using that. Is it because, oh, vagrant is still in it. `sudo bash`, `sudo umount data`, good. Okay, now let's go into our VirtualBox, turn this guy off. Let me lose the connection. How is it done, power off? Just powered off, dude. Okay, now we go into File and Export to Peak Hill 2. Go ahead and export that, please, and we'll let that do its thing. Okay. After some nagging and testing the binary, it seems to accept base64-encoded data, which is then unpickled via Python. This, we can abuse this unpickling. Untrusted data, deserializing untrusted data is very bad and can certainly be abused. I'll grab a fine exploit off the internet and tweak it to give me a root shell. Okay, that's in pickle_exploit. Let's just take this guy, python, running this I get a base64-encoded payload that I can provide to the binary, which will then execute a root shell, keep a shell which will still run as root, since I invoked the command, the binary, with sudo. Let me grab that build output here. Good, I do have a sudo in here. Give me something to grow. And there we go. Okay, now that we are root, we own the box. We can go collect root.txt, the root flag, we can expect to find in /root. Ooh, is that file readable by everyone? It freaking is. Okay, let me stop this, stop the export process, man. Did it already finish? Gosh. `vagrant destroy`, update, and just to be dirty, let's move that to the end, since now we have the opportunity to rebuild, so that way the copy and paste will be a little bit more annoying. chmod 440 on that guy. Yeah, delete it.
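The defensive side of the unpickling described above, as an added example that is not code from the video or from the Peak Hill box: a service that base64-decodes and unpickles client input should never resolve arbitrary globals, so this loader disassembles the pickle to report what it would import and then unpickles through a restricted Unpickler whose `find_class` refuses anything off an allowlist. The allowlist, the helper names and the `(ok, result)` return shape are assumptions for this example.

```python
"""Added example (not from the video or the Peak Hill room): scanning and
safely loading a base64-wrapped pickle instead of calling pickle.loads
on whatever a client sent."""
import base64
import binascii
import io
import pickle
import pickletools

# Plain data (dict, list, str, int, ...) needs no globals at all, so the
# allowlist can be tiny.  Assumed for this example, not the room's policy.
ALLOWED_GLOBALS = {("collections", "OrderedDict")}

# Opcodes that push a string literal; STACK_GLOBAL consumes the last two.
_STRING_PUSHES = {"UNICODE", "BINUNICODE", "SHORT_BINUNICODE", "BINUNICODE8"}


def referenced_globals(raw: bytes) -> set:
    """Globals the pickle would import, found by disassembly, never by loading.

    Fails closed: a STACK_GLOBAL whose two arguments were not string
    literals pushed right before it (e.g. fetched back from the memo) is
    reported as ("<unresolved>", "<unresolved>"), which no allowlist holds.
    """
    found = set()
    recent = []  # (opcode name, arg) of the last two non-bookkeeping opcodes
    for opcode, arg, _pos in pickletools.genops(raw):
        if opcode.name in ("GLOBAL", "INST"):            # protocol 0-3: "module name"
            module, name = arg.split(" ", 1)
            found.add((module, name))
        elif opcode.name == "STACK_GLOBAL":              # protocol 4+
            if len(recent) == 2 and all(op in _STRING_PUSHES for op, _ in recent):
                found.add((recent[0][1], recent[1][1]))
            else:
                found.add(("<unresolved>", "<unresolved>"))
        if opcode.name not in ("MEMOIZE", "FRAME", "PROTO"):
            recent = (recent + [(opcode.name, arg)])[-2:]
    return found


class RestrictedUnpickler(pickle.Unpickler):
    """Unpickler that only resolves allowlisted globals (the real gate)."""

    def find_class(self, module, name):
        if (module, name) in ALLOWED_GLOBALS:
            return super().find_class(module, name)
        raise pickle.UnpicklingError(f"global {module}.{name} is forbidden")


def encode_payload(obj) -> str:
    """Base64 a pickle the way a client of the service would."""
    return base64.b64encode(pickle.dumps(obj)).decode("ascii")


def scan_payload(b64: str) -> list:
    """Dotted names of every global the base64-wrapped pickle would import."""
    raw = base64.b64decode(b64, validate=True)
    return sorted(f"{m}.{n}" for m, n in referenced_globals(raw))


def load_payload(b64: str):
    """Decode and unpickle like the service does, but through the restricted loader.

    Returns (True, object) on success and (False, reason) otherwise; the
    error classes are the ones the video mentions hitting (binascii.Error
    on bad base64, EOFError on an empty pickle).
    """
    try:
        raw = base64.b64decode(b64, validate=True)
    except binascii.Error as exc:
        return False, f"bad base64: {exc}"
    try:
        return True, RestrictedUnpickler(io.BytesIO(raw)).load()
    except pickle.UnpicklingError as exc:
        return False, f"rejected: {exc}"
    except (EOFError, ValueError, TypeError, AttributeError, IndexError) as exc:
        return False, f"malformed pickle: {type(exc).__name__}"


if __name__ == "__main__":
    # Constructed inputs: plain data, a harmless global reference (the
    # builtin len), junk text and an empty payload.
    for label, payload in [("plain data", encode_payload({"pickle": "dill"})),
                           ("global ref", encode_payload(len)),
                           ("not base64", "this is not base64!"),
                           ("empty", "")]:
        try:
            globs = scan_payload(payload)
        except (binascii.Error, ValueError) as exc:
            globs = f"scan failed: {exc}"
        print(f"{label:11} globals={globs} -> {load_payload(payload)}")
```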
I really delete it all, because I was stupid. Yep, yep, yep. Everyone can read that root.txt file. Okay, when we go to the root directory, /tmp to root.txt, we hit a small snag. This makes no sense, because the file is there, but it says it isn't. In which case we also need to change our .bashrc, dill's .bashrc. Yeah, so root.txt, this now goes over here to remove the glob, because we'll put that at the end. Now let's build that guy up again. This also fails, seemingly. Nope, nope, sorry, pause. Okay, this finished, so let me SSH into that, move into data, and let's run that setup one more time. Seemingly we cannot glob some of the... This is a dirty trick. A dirty trick is being played against us here, where the root.txt file name includes a zero-width space just following the name, so it is not... so when we type in root.txt on its own, it is not being read and understood as the actual, as the real file name. What we could do is go into dill's .bashrc file and remove the noglob, or we could also recognize and know that the zero-width character is in place, which might be a difficult mental leap for players, and just read the file like so: `printf` root.txt `\u2000`, which will include the zero-width. The player must know that. One last option, let me go back to this guy. `sudo bash`, ls, `cd /root`, `ls -la`. Okay, now only root can read it. cat that guy, `cat root.txt` on its own will fail, good. Copy and paste the text of the file name that is displayed when we ls the directory, but the player must notice and include the space that follows "txt". I believe that going into dill's .bashrc file to remove the globbing makes the most sense to a player; once they recognize that globbing is not allowed, then they can read the file with these, but a copy might work just as easily. With any of those techniques you can read the root.txt file. Okay, so now root.txt is only readable by root, dill's user.txt in the
privesc is only readable by dill. gherkin doesn't have anything particularly worrisome, so we have everything that we need. Let's cd into /home, let's `sudo bash`, let's `umount data` to remove that. Now if I were to go into data, there's nothing in it, which is good. So let me remove that, stop the machine, and try to recreate it all again. Close, power off. Okay, now we can export it, finally, again. Let's call this Peak Hill 3. Render that out. Good. Let me grab this guy and see if the other is in here. I see peak_hill.ova, I don't see the other one yet. Oh no, he's there, peak_hill.ova is still cooking. What happened to the other Peak Hill? I don't know where the other one is. Alright, that's fine. This is the one, Peak Hill 3 is the only one that we need, so I'll let that go ahead and finish. Maybe it got cancelled or something, somehow, for some reason, but now I will need to re-upload that all. So let's pause again and wait for that all to finish. But we know that that's all working, and we have the write-up written and completed for the TryHackMe guys to be able to review it. I guess I should figure out where they need that to be hosted. So let me actually go back, check out this room here, and General: we need to supply a write-up. So if I were to make this publicly accessible, updating the room, it says "please add an official write-up". Okay. Stats, tasks, views, is that all me? Total deploys: 3, that's all me. I'm the only one that's completed it. Compromise the machine. Official write-up: private link to download the room write-up. Um, let me put that on GitHub, or if I make it just a Markdown file, does it work? Probably. Um, a Peak Hill write-up .md, write-up for the Peak Hill TryHackMe room, and let's grab this entire write-up. Let's see how that looks. Create a secret gist. There we go. Okay, save that. And where is our VM? Is he there? Did he survive? Did he make it? Okay, there we go, looks like he's done over on my side. So now let's upload that again. Um, My Material, can I change him? No. Okay, so I'll need to upload again. I don't want this to break. Please don't be broken.
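The invisible-character trick played on root.txt above is exactly the kind of thing a directory listing hides, so here, as an added example that is not code from the video or the Peak Hill box, is a small audit that flags names containing format characters (category Cf, e.g. a zero-width space), non-ASCII spaces (category Zs, e.g. U+2000) or leading/trailing whitespace, and spells them out so the difference from the clean name is visible. The function names and the constructed sample listing are assumptions for this example.

```python
"""Added example (not from the video or the Peak Hill room): finding file
names padded with characters that a normal `ls` renders as nothing."""
import os
import unicodedata

ASCII_WS = " \t\n\r"


def suspicious_chars(name: str) -> list:
    """(index, 'U+XXXX', unicode name) for each char a listing would hide."""
    hits = []
    last = len(name) - 1
    for i, ch in enumerate(name):
        cat = unicodedata.category(ch)
        if cat == "Cf":                              # zero width space, ZWJ, BOM ...
            pass
        elif cat == "Zs" and ch != " ":              # en quad U+2000, NBSP ...
            pass
        elif ch in ASCII_WS and i in (0, last):      # leading/trailing blank
            pass
        else:
            continue
        hits.append((i, f"U+{ord(ch):04X}", unicodedata.name(ch, "?")))
    return hits


def visible_name(name: str) -> str:
    """What the name looks like once the hidden characters are dropped."""
    bad = {i for i, _, _ in suspicious_chars(name)}
    return "".join(ch for i, ch in enumerate(name) if i not in bad)


def escaped(name: str) -> str:
    """Name with every hidden character spelled out as <U+XXXX>."""
    bad = {i: code for i, code, _ in suspicious_chars(name)}
    return "".join(f"<{bad[i]}>" if i in bad else ch for i, ch in enumerate(name))


def find_deceptive_names(names) -> list:
    """Entries whose real name differs from what a listing shows.

    Each result is (escaped_name, visible_name, clash); clash is True when
    a file with exactly the visible name also exists, i.e. typing the name
    you see would silently open a different file than the one listed.
    """
    present = set(names)
    results = []
    for name in sorted(names):
        if suspicious_chars(name):
            vis = visible_name(name)
            results.append((escaped(name), vis, vis in present))
    return results


def audit_directory(path: str) -> list:
    """Run the check over a real directory."""
    return find_deceptive_names(os.listdir(path))


if __name__ == "__main__":
    # Constructed sample listing (no real files): the padded root.txt from
    # the room plus a few other lookalikes.
    sample = ["root.txt\u200b", "user.txt", "flag\u2000.txt", "notes.txt ", "clean.txt"]
    for entry in find_deceptive_names(sample):
        print(entry)
```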
Oh my gosh, so this has been broken for a little bit of time. My gosh, I have so many messages. Okay, "you free?" I'm gonna message Skiddy and see what we can do.

Okay, after talking with Skiddy, what I can do is make the changes on this box and then go give him the IP address to fix it. So dill has been corrected. Let's move into peak hill farm, ls -la. That command is chmod this guy, chmod this, everything. Am I not allowed to glob right now? No, I'm not. Okay, so I need to nano, um, dill's .bashrc to go turn off globbing, and SSH back into dill. Okay, so I can move into peak hill farm, ls, ls all, that works. Okay, so crap, I need to be root again. Well, these are all owned by me, ls -la, so let's chmod 750 all of these. ls -la, good. And now let's nano my .bashrc one more time to change this GLOBIGNORE to include it there. Good. Let's reconnect all over again, cd peak hill farm, ls -la. Okay, only those can now be run as me. I can still run peak hill farm. Good. Let me sudo -l this guy, throw in the payload to get my root shell, cd into root, cat root.txt should fail, cat that should fail, um, cat that should work, which it does. Okay, um, I think that's everything. I'm pretty sure that's everything.

Oh, I should have checked if that one was world-readable by root. Crap. Do I... what's going on with my bash history file, is that a thing? Okay, good, that's not readable. So let's move into Peak Hill and let's sudo -l, spit that in so it's in my command line. That should fail. sudo this. I'm going to copy it again anyway because I'm stupid. cd into root, ls -la. root is still world-readable, so it's a good thing that I did that. Um, chmod 440 root.txt, ls -la; forgot the O in chmod, and I need to have the correct command. ls -la, okay, root root root. Okay, so root.txt is only readable by root, dill things are only readable by dill, cat user.txt, ls -la, that's all good. peak hill farm, that's only readable by dill. I think he's good. Crap, what stinking IP address is it? Please don't be dead yet. That's good. Can I SSH in as dill? Password... I'm pretty sure it will not let me. We
have the writeup: gherkin, never a dill moment, which should be the wrong password and not let us in. Good. Add some time in there for... okay, let me see if Skiddy will give me any other good words, and we'll wait. I'll pause again.

Okay, Skiddy says terminate the machine and redeploy. So I just turned it off; now I have a new machine. "Hopefully you have all the creds, enough to re-root manually." Yep, yep, yep. See if he is up on the new machine. Not just yet, but let's see, wait for that to come through, might take a second. Hopefully, hopefully, hopefully. Go back to pinging. He's up, and -p 22 on that guy. Why is it closed? Let's ping him. He's up. What about 21? Any of these? Ping works; all his ports seem to be closed. No, he's there, man, like, that's the box. Is the upload page still broken? Yep. Okay, Skiddy, I have to jump on a call again. Let me pause.

Okay, I've been going kind of back and forth with Skiddy, with Ben, trying to do some stuff with the new machine. We got it up to work, and I accidentally switched the root.txt to have the zero-width character at the very end, but I also wanted one at the very, very start, because I realized you could just tab-complete: you could start typing root.txt and it would include the character for you. So I realized, why don't I just use both? Let's have a character in the way at the very beginning of the file name and at the very, very end. So he's been recloning in the cloud for me, which I'm super duper grateful for, because it saves me from having to reupload over and over and over again. I should have had that done to begin with, so kudos to him and thank you to him. I've been chatting with him off on the side. Once he is telling me that he's good with cloning this one, then I can go test that one more time. But now he has the writeup and they can go start to look through. I might need to modify this; I don't know if it'll let me edit it. Okay, cool. So let's go down here and also add in a zero-width space character at the very, very front, like so, just before and after the
name. Hit it with the file, like so. There we go, which includes the zero-width space character, if they all know... use that knowing character that is before and after the root.txt. Good. I probably should save that for my own writeup; paste that into writeup.md. Now that should be saved.

Okay, he's telling me terminate and redeploy to check. Good, so let's kill him, spin him up one more time, hit deploy, and take a little bit of time. But now we have a new IP address. Let's get back to our terminal, let's ping him, wait till he responds on it, tell Skiddy that we're moving, and we'll see how this goes. A little bit of back and forth at the end there, real sorry. Wow, that's getting pretty bright. It's getting to be dark out there outside, so I don't need all that light shining in my face; it just makes me a giant washed-out dude. I don't know, I love changing the lights on that, probably because I'm silly. Our ping is working. That is still way too bright, let me turn that way down.

So let's now SSH to the proper host, and that is still not up. Oh my lord. Tell Skiddy: closed ports, dang. He tells me to wait a little bit more. Still closed. This is literally the definition of insanity, where you do the same thing over and over again. He's like, "you want to do this again?" As long as you're cool with it, man; I hate to be wasting your time like this. Skiddy is so good, he's like, "yeah, no worries." Okay, he rolled it back, so let's terminate, terminate, deploy, fix it one more time. So let's wait on this new IP address. Please respond. You know, all the edits of this video have come out to like seven different video files; I'm going to have to compile them all together, and they're just giant. Okay, now they're open. Good. So let's go back to SSH, spin that guy. Yep, good. Let's sudo -l to grab the peak hill farm path, let's sudo that to get root. Before I do that, let me ls -l. Okay, good, he's still good. Let's sudo him, let's grab the exploit. Good. whoami: I am root. cd into my home directory, which should be root. ls -la: root.txt is
only readable by root, which is good, but he has it just at the very end here. So, see, I could just simply add root.txt and it would include the null-width space for me, so I don't want to do that. I want to take this guy, paste him in here, and then move this whitespace character also to the very end. Good. So now if I cat everything, that wouldn't work. I cannot tab-complete root.txt anymore; it doesn't think it's there, but it is, because it has the annoying thing. We tried to cat out a space root.txt, that would not behave; a space following that would not behave. So now let's nano our /home/dill/.bashrc just because I want to make sure this is set. Spit this guy in. Good. ls -la, root root root, that should be all fine. ls -la peak hill farm: he is also still not executable by everyone, only by dill. I am good with that. So now let's close out, done making changes. Let's tell Skiddy. Goodness gracious, totally my fault, because I completely forgot to change the permissions on the flag files and they were world-readable, and then when we fixed it the first time, then it was like, oh crap, now I've ruined it because you can tab-complete the root.txt file, which kind of takes the fun away from it. So now we're changing it again. Let me pause and wait till Skiddy responds.

Okay, Skiddy is back, so it's good. Let's terminate and redeploy. Please, please, please behave. Let's ping this guy, wait for him to come up. nmap -p 22, -p 21: open. Amazing. Okay, now let's SSH in. Yep, ports are open. Tell Skiddy. Let's take this guy, sudo -l, spam him just to get that in place, let's grab the exploit. Good, I am root. Cool. So now we can cat root.txt, which will fail. All good. Learning experience. He said he thinks it was me; Skiddy thought he might have been doing something wrong and the ports were being closed. root.txt is in place; think he's all good. Is there anything we would like for the room banner? I would love a room banner. I haven't put anything together yet. Yeah, a hill would be great. Incorporate pickles? Not
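The root.txt trick described above (a zero-width space before and after the visible name, so the plain name does not exist and tab completion does not help) is easy to miss in ls output. As an added example, not code from the video or the room, here is a small Python scanner that reports directory entries whose names carry hidden format characters, shows their exact bytes, and opens the file by its real name; the sample directory is constructed in a temp dir, and the check is generalised from the zero-width space to all Unicode format characters.

```python
# Added example, not code from the video or the room. Assumes Python 3.8+;
# the sample directory is constructed in a temp dir, not taken from the box.
import os
import tempfile
import unicodedata

# The zero-width code points used to disguise root.txt. All are Unicode
# format ("Cf") characters, so is_hidden() also catches other invisible ones.
ZERO_WIDTH = {"\u200b", "\u200c", "\u200d", "\ufeff"}

def is_hidden(c):
    """True for the room's zero-width chars and any other Unicode format char."""
    return c in ZERO_WIDTH or unicodedata.category(c) == "Cf"

def hidden_chars(name):
    """Return (index, 'U+XXXX') for every hidden character in name."""
    return [(i, f"U+{ord(c):04X}") for i, c in enumerate(name) if is_hidden(c)]

def visible(name):
    """Render name with each hidden character shown as a <U+XXXX> tag."""
    return "".join(f"<U+{ord(c):04X}>" if is_hidden(c) else c for c in name)

def scan_dir(path):
    """List entries of path whose names carry hidden characters."""
    findings = []
    for entry in sorted(os.listdir(path)):
        if marks := hidden_chars(entry):
            findings.append({
                "name": entry,                    # exact name, usable with open()
                "shown_as": visible(entry),       # what plain ls makes you think
                "raw_bytes": entry.encode("utf-8").hex(" "),
                "positions": marks,
            })
    return findings

def build_sample_dir():
    """Construct a directory like the room's /root with a disguised flag file."""
    d = tempfile.mkdtemp(prefix="peakhill-")
    disguised = "\u200broot.txt\u200b"  # zero-width space before and after
    for name, text in ((disguised, "flag{example}\n"), ("notes.txt", "ok\n")):
        with open(os.path.join(d, name), "w", encoding="utf-8") as fh:
            fh.write(text)
    return d

def demo():
    """The visible name 'root.txt' does not exist; the scanner's exact name does."""
    d = build_sample_dir()
    findings = scan_dir(d)
    plain_exists = os.path.exists(os.path.join(d, "root.txt"))
    with open(os.path.join(d, findings[0]["name"]), encoding="utf-8") as fh:
        flag = fh.read()
    return {"findings": findings, "plain_exists": plain_exists, "flag": flag}
```

Pointing scan_dir() at a real directory such as a user's home is the defender-side equivalent of the `ls -la` checks in the video: it makes the disguised entry, and the bytes you must type to open it, explicit.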
sure how I can incorporate pickles on a hill. Let's keep looking for pictures. "hill banner," what will we find if we search for that? Banner hill, rolling hills. Skiddy says I can put this guy behind the hill; that would be perfect. He's sending me more goods, that's awesome. Let's do that. He's cruising through it. Oh boy, can I pick one of these? He sent me a link: hill vectors. "I will then edit and upload your banner." Thanks so much, Skiddy. Can I have that back? Where did you put it? No, no, no, I want this. Can I right-click, open image in a new tab? Uh oh, it's a premium one. This will let me download it. What the heck, man, stop. This website is tweaking out. Can I just have the free download? Thanks. Can I upload that to Skiddy? Can I extract that, please? Put it in Downloads. Uh, 335. "If you don't mind throwing the pickle in, I'm super grateful. Thanks so much, appreciate that extra help making a little banner." This is an interesting website. I didn't know that Freepik would just do stuff like that for you. That's just Windows XP, man. Cool, this thing is glorious. I like him a lot; he's just so stupid. Oh, he says I have a premium account, so that premium one would have worked. We could use that big one. Which one was it? This guy. I think the hills are nicer; it makes it easier. Banner. Okay, that's enough of me staring at that. I said, "if you don't mind throwing the pickle in, I'm super grateful," and he responded; out of context this can be super confusing. Thank you, thank you, Skiddy.

Alright, I'll pause and wait for a little bit more motion, but I think we got a lot in place. I think the room is just about done. I think he's just about set. We built everything, we made everything. This is a super duper long video. My hair is doing stupid things and I need to stop touching it like a stupid idiot, but I hope you enjoyed. Let me stand by and see if everything's done on that side. But hang on, I'll pause again.

Okay, a little bit of time has passed. They put a little banner in that looks hilarious with the
pictures that we chose, and they threw some other stuff in, so I'll play with it. So I'm very, very pleased. It's kind of cool to see some people testing. I don't know if these guys are actively working on it right now, but it's, I don't know, it's just really cool to see in motion. I don't know what that "more" tab is; is there something in there? I don't know what other visibility I have when I can see it working. So, users: this is still the same room, right? I know we've done a lot of clonings and changes, so it has a few other views. I don't have any tasks in it. Oh, which account am I in right now? I'm still in Google Chrome, so that's probably why it's weird. Let me go back to this. So I was logged in on my YouTube account and not my real one. Looks like it's still being tested; they're still chatting in there, they're still working through it. But very cool. I'll stand by and wait. Maybe, depending on how quickly they can get a look through it and give me a thumbs up, we can get it approved. Who knows. I'll pause again. But it's cool to kind of see everyone working through it, and I hope that they are. It's cool to see that people jump at it; apparently they got excited when they heard that I put in a room. We'll see.

Okay, it's been a little bit. It's really, really cool to watch all these people start to play and play-test it. It's kind of surreal. Looks like Skiddy has already cranked through it, but he had the walkthroughs. We'll see if the others... I think they're going in cold. Coming in back and forth, I said, "are you in my room?" and I sent him the Shrek meme, "what are you doing in my swamp?" Pull it up here. Quality. Good fun.

So feedback from Skiddy was: hey, if you wanted to make this something more guided, I'd include a little more questions, I'd include more steps, right? So including the access to the FTP server, what directory are you in; it's not really needed, but it might make it a little bit more guided. Also including a hint on the user flag to assist with initial access, or getting
some more points on root.txt. And he really liked it, and we can go ahead and make it a hard room, because I don't want it to have any hints. Maybe I'm a jerk. And he wanted to add a badge to it, so we changed up the room code. It looks like it's finalized and it's done, so we made it. The Peak Hill room is now a thing. Looks like Ben's got some points. I'm excited for the others to solve it, even a lot of things to it, so I like that a lot. But they seem to really, really like it. I think we can call it a wrap. I think there's nothing wrong with us tuning in, tuning out, because it's all done. I don't know how long this video is going to end up being. I feel like this is like five hours of footage, and somehow I'll just combine it all. And it's nighttime now, you can tell, the lighting around here.

So, wow, that's the whole video. That's from scratch creating the Peak Hill room. I hope you guys learned a little bit from some crappy development techniques: just using Vagrant to spin it up, spin it back down, making that setup script just to kind of provision everything. We could have used Ansible, we could have used like Chef or Puppet, or done a little bit more decorating, but I think I got a little bit more control with the bash script. And then bouncing back and forth with the machine wasn't a pain all that much, but it made for some good, quick and easy development, save my mistakes and stupid forgetfulness at the very, very end. Thank you guys so much for watching. Long video, different format, different style, kind of a raw, over-time, like, mass in days, but I really hope you enjoyed it. I hope you guys learned something, and I hope you guys play the room. I hope you enjoy it. Thanks so much for watching. I'll see you in the next video.