All right. Hey, hi. Hello. What is up, internet? I'm John Hammond, and with me is the one and only Mr. Caleb Stewart. Hello. So what I have for your faces is some footage of Cyber Force, which was a game that we played months ago in New York. I drove five hours north to party in New York. So we have eight hours of footage from when we played this. And we watched the whole thing? Yeah, normal speed. Yeah, no popcorn. I'm actually speeding this up to, I don't know if you saw that, a good old 500... okay, 281 percent. There's no way that's gonna actually happen; my computer's not cool enough to do that. But I don't think I'm sharing that. Look at that parrot. Yeah, the terminal parrot, that is some foreshadowing right there. So yeah, we're gonna be showcasing this at breakneck speed to hopefully show some of the cool stuff in there. The event was two days. Oh, okay. Sorry, what was... yeah? Yeah, we're red teamers in this case. This is a blue team versus red team game for some undergrad schools and universities, testing their cyber ninja warrior skills and their leetness and their cool stuff. So I'm probably gonna have to skip through some things here. We got to be the red team for West Point. Yes, so we're Coast Guard kids. Let's move it, like, yo, West Point's here. So I remember I told the organizers, like, I want that team, and that was team four or something like that. I remember we asked them, we're like, hey, can we request a specific team? They're like, um, I guess no one's... I guess that's okay. I was like, I want that one. So I don't think I'm sharing too many trade secrets here, if any at all, really. It's a red team exercise.
So it's kind of subjective in how there's grading, or how they actually score. So there are staged attacks and things that you want to try and actually accomplish throughout the day, and I want to move quickly through this, but this was actually prep time. I don't know if you can see the clock up in the top right there, but this was actually just trying to see what we can see, see what we can access, and then try and get a little bit of an inventory of tools that we want to run, or memes that we want to have. And that actually is a good portion of that. I hope I pull it up really quick, because I start to Google: what are some quality memes that we can throw in here? And that's one thing, if anyone is not super familiar: the red team is gonna have access way beforehand. We weren't allowed to actually physically affect anything at the beginning, but we had access before the game even started, before the blue team was even there, to actually, like, not mess around with things, but just to see everything and have an idea of how it all worked. And that way we could kind of hit the ground running as soon as it started, if you will. This is when I had just bought my Dell XPS 15, so I still needed to pull some tools in. You can see me installing Metasploit; I think you can see me grabbing some Empire, or Python 2, et cetera, Python 3 stuff. And there it is, starting to pull up the inventory of red team memes. Yeah. These are hilarious, especially seeing them at breakneck speed; it's a little epileptic. I like it. A whole new folder. Yeah, exactly. I need to build up an arsenal, or have a repertoire of things I can throw in when the time comes. So, the game: nine o'clock in the morning, we're still just in prep and just kind of scanning. The staged attacks started, I think, at ten o'clock. So I'm like... I saw the schedule blow by. Yeah.
Yeah, I remember there was some time zone difference, because we were playing against different teams across the country, for our specific spot. Terminal parrot. It's your favorite. It is one of my favorites. So this is two days. The first day is the video right now. I Google Empire and the TV show comes up. The first day we're actually trying to get our footholds and get our initial access. The second day is when we can really start to be trolls and be annoying. So yeah, you see me installing Metasploit here. Again, I'm gonna skip along to make sure this isn't too boring, but I think showing you guys... yes, once ten o'clock hits and then eleven o'clock hits, we can start to do some stuff and talk about some of the attacks that were on there. But it is just the fireworks and you run through things. Some great next page here. Pip: the classic struggle with not being able to install something. Classic pip2 versus pip3 versus virtual environment versus your own, versus that parent directory isn't owned by your current user. But I did want to work with Empire. I told myself that I would, and I actually learned just recently that you can use it for Linux stuff, like you can have that Python launcher. And yeah, so originally they had made PowerShell Empire, and then someone, I don't know exactly who the developers were, but someone was like, hey, this is really good. So they had a fork of it, I don't know if you'd call it a fork, but almost kind of a remake in Python that was called, like, PyEmpire or something like that. I feel like EmPyre with a Y, I think that's what it might have been. Yeah. And then at some point they got merged together, and now it's not technically PowerShell Empire anymore.
It's just Empire. I like this because this is talking about some of the PAM backdoor stuff, and you actually just wrote that. Yeah, so I just wrote a little PAM backdoor guy, a little module for PAM in C, that basically will allow you to log in as any user with a specified password. Just threw it up on GitHub if anyone wants to check it out. I guess we can post that. I think that's awesome. I think that will be a very good tool for these red team engagements and fun games. So let me learn a little bit of Empire before the game gets started. I like that there are moments where you can very clearly see either my lock screen come up, and you know that I just got up to go to the bathroom or something. This is raw footage. Yeah. Yeah, exactly. They did provide food, which is a lot of fun. They kept coming in and asking if we had enough. It was really funny; they were really worried about whether the red team had enough snacks. You need to have food for all the nerd hackers. So what we ended up doing was actually trying to coordinate inside of a Google Doc. That will come up soon enough. Yeah, it got very messy, but I don't know any other real organized way to do it. You can see us starting off with the nmap scans. We can get started scanning. There were a lot of Raspberry Pis filling the network, because I think they wanted to have this industrial control system theme, but without really feeling it, to be honest. Yeah, there was that one portal that we'll see later. Yeah, it was industrial control system themed, but the rest of it...
I really didn't feel it. There were a few things we logged into. That's a common thing, I think, in some games or exercises that try to have that and just use a Raspberry Pi to simulate it. But it's still a computer, man. Yeah, I mean, they're all computers. The industrial control system stuff just tips over if you poke it too much. I love it: I googled FTP and I got some pretty good stuff there. I don't know if you can see it spinning by. That's usually what I do: I run an nmap scan and then just google all the service names, you know. What is FTP? What is NetBIOS? Well, so this is 10:45, so we should be off to the races. Yeah, we should be starting, and I think that's when these scans are okay to roll. Oh, it wasn't the first hour. Even after the game started, there wasn't a scheduled attack until the first hour after, something like that. I think there was that issue with the time zones; we were like, oh, we're an hour off. And well, the first one that they started was a pre-planted... it was a pre-planted network bind shell running on port 999. Oh, we can get to it. I think our team caught that. Good on them for noticing an odd port. Oh, I love this. We created a channel, 'army'. Let's put warheads on it. It's fun stuff. There's plenty of morale. So they had a website that we had to break into, and they were very clever. The team that we were working against was very smart in their protection of this, because... I guess I can't sing their praises too much, because the basic auth was good, but not a silver bullet by any means.
Well, so the basic auth was good, but they didn't tie down a different entry point, because we had access from a different way, and we could bypass their HTTP basic auth because of a different vulnerability. I forget what exactly it was; you'll see it come very soon. The first thing that I started to do, running through stuff, was get the Raspberry Pis, because they all had their default password of 'raspberry'. And then I immediately add a fake user, add it in sudoers, and just keep doing this process over and over again. You'll see me do that way too often, but as with every exercise and red team thing that you see, people will just say, oh yeah, default credentials. And it really is. I mean, in all honesty, in a real world scenario, I think either default credentials or weak credentials are pretty realistic, if you were talking about a realistic scenario. I like to try and add usernames that look somewhat similar to others. So you can see I had a 'p1', so it looks like an 'i'. There was a default 'blueteam' account on all these machines, so I added a 'b1ueteam' with a one instead of an 'l'. And then I would just add that to the sudoers group, make it so that they could run without any password, et cetera. I'm a big fan of logging in and, I don't know if you'll see it, because I did it all... it's about to happen. Yeah, so I would always log in, and I like to go in and take, whether it's the 'lp' or the 'games' user. I'm pulling you in the shot, am I not? Yeah, okay. So we're gonna be close. Either the 'lp' or the 'games' user,
one of some of those default users. 'www-data' is what you always say, quadruple dubs. One of those, or all of those users, and I like to take those and either add SSH keys or add passwords. Adding passwords is a little more noticeable if someone's checking, like, /etc/shadow. But if you can add SSH keys into their home directories, like 'games' is /usr/games, I think, is the home directory for it. You get an SSH key there, and then I'll actually go through and I'll replace /usr/sbin/nologin and /bin/false, both those binaries. Remove them and replace them with /bin/bash, which you see happening there. Yeah, what I started to do is symlink /bin/bash. So the symlink didn't like that... So the symlink works, but if they have any kind of script that's going through and looking for oddities, it'll notice a symlink. Whereas if you actually remove... yeah, that's a good thing, good. Where if you remove /bin/false and remove /usr/sbin/nologin and then replace them with /bin/bash, the only way they'll notice that's the wrong one, because it's still a binary, the only way they'll notice it's the wrong one is if they would actually either run it, or actually run some kind of diff on, like, the hash of the original file versus the new one, which you can actually do, I think, with dpkg. I was gonna say, yeah, something that we tried to do for the Pros versus Joes game was use, like, debsums, and your package managers know how to do that. Yeah, they can figure it out and see, but if you don't do that, then it looks completely normal. So what I would do is I would add an SSH key for those default users like 'lp' and 'games' and 'mail', things like that, and then replace /usr/sbin/nologin with /bin/bash. And then if you looked at the passwd file, it would look completely normal, and you'd be like, oh cool, my accounts are locked down, but I can still log in as those users. And then some other things you can do: you can add different users to sudoers,
which is a little more noticeable, but that at least gets you user access to the machine. I try to chmod 6000 up there, I don't know if you saw that. Those are my favorite things. There are a lot of hilarious, stupid things that happen in this, and I'm very excited. I type at, like, 300 miles an hour. Yeah, 70% of the keys that I hit on the keyboard are the backspace key. So you guys, you YouTube fellows, won't see that firsthand. Oh, I know too; I sit next to you. That's for sure, constantly. I started the next scheduled attack, EternalBlue. Yes. Yeah, I started running it with the eternalblue_windows8 one, which I realized was wrong, then just went for the regular EternalBlue. There's the psexec one. Yes. I'll say, never forget about the psexec one, because they're different. The regular EternalBlue one is the one that has the possibility of crashing the machine, but you don't need a named pipe. Whereas with psexec, you need a named pipe that you can access, but you have, I think, close to zero percent chance of crashing the machine. So there's differences, but I would say if you know there's a named pipe there that you can grab, psexec is probably the better one. But one thing that I see myself starting to do is looking up Shellz, with a Z, which I heard about at Pros versus Joes. And I don't know if I properly understood what it really was, or what I wanted it to be, because I mentioned this to you earlier, just in passing, in our casual conversation that intellectual, sophisticated people have, that I want to have something that will, like... no, I need a range of ports listening for incoming reverse shells, and I want it to smartly handle it. Is mplayer crapping out? No, it's just me apparently going to the bathroom again. It happens often. Yeah, I drink a lot of Monster. It's true. It's a problem. Is it a problem? No, that's fine. Maybe mplayer is crapping out.
I can't tell. Nope, we're going. Oh, we're moving. Okay. Adding some stuff to the hosts file. I think probably just sinkholing, maybe. Oh no, I was testing again with Shellz. So with Shellz I wanted to be able to know and recognize when I'm making reverse shell connections, but it wouldn't do that in the way that I wanted. I think I need to get better or just understand more of Empire or Merlin, or even Cobalt Strike if I fork out my arm and legs. That would be an option, because I want something like, okay, here's a callback that happens, let's catch it, keep it for me in the background. Maybe I misunderstood Shellz, but I never got it to do what I wanted it to do. I have never actually touched it. Yeah, I remember you talking about it, and I've still never gone back and looked at it. I saw these JSON configuration files, and it looks like it's explicitly talking about here's how it's going to be working, but I don't want to have to care about that. I just want some command that calls back to me and then knows what it's doing. So I think I just... I think to be able to have something like that, you're gonna need a more intelligent payload to go there. Right now your payloads consist of just a callback, so they're not intelligent enough to really know what's going on. You're gonna have to kind of move up in the world to a better, more sophisticated payload. That's true. I need to. And I try it for a little bit with some Raspberry Pi stuff, but it craps out. Little lock screen. Lock screen means I'm actually going to the bathroom. Always lock your screen at CTFs. Yeah, that's a good rule. Never walk away. Might bring some burner laptops, or like a laptop I don't actually use as my personal laptop, if we go to DEF CON or something cool. Yeah. You can see, and you've probably seen in a lot of other footage, where my terminal or my Terminator screen just has thousands of different sub-terminals in there.
It gives me anxiety. Yeah. There's a picture of me at one event where I wasn't using Terminator, and I had like 47 different GNOME terminals, different windows. So I hit alt-tab at one point and focused on it, and it had my screen explode with them. It was hilarious. Yeah. Oh god. So I know there was some weird thing we were trying to do. Okay, this is when we're still trying to get around that basic auth, but when another staged exploit comes through, when we're able to use some other passwords that have been pre-planted, and like vulnerability prior-access stuff, we're able to get into some accounts like you had mentioned: 'lp', 'games', 'mail', and some of the others that had passwords that you wouldn't have expected. Like, you don't normally consider 'lp', 'games', 'nobody', 'mail' user accounts, but they had passwords that were staged. So I think, as a takeaway for a blue team player: change the passwords for literally everything, and disable the accounts that need to be disabled. Right, like even if you don't think of or consider it to be an interactive user, anything that's a user can be an interactive user. And the debsums is really good. Yeah, I have that in the Pros versus Joes repository, because we patched it into the LinEnum script, because I like to use red team tools in a purple team sense, where I'm going to use them as a blue team member to find out where my security holes are. So we put it inside of LinEnum, the rebootuser LinEnum script that you might see often in Hack The Box attempts or stuff like that. So this was a lot of googling initially, but we found an FTP that we could log into with the default creds. And I think we were able to put some web shell, maybe, if we used the FTP. Yeah, but I think that pointed us to that.
Oh, there are still default credentials that are being used here. So we were able to do some stuff with that, and at that point we had access. Anonymous FTP access, file download was successful. And then we were allowed to use some of the weak login attacks. Yeah, so 'www-data' was an interactive account and it didn't have a password, so we could sudo and add our own new accounts. And then you had figured out, well, we can find the htpasswd file that's controlling that HTTP basic auth, and then we have access to that, so we just added in another account. So they had their own account and they were using that to get in and out, and I just added another account to their htpasswd file. So unless they ever... they've never opened the htpasswd file, so they never noticed that we were even able to get into it. You set your nologin there. Yep, you added that. You can see you're typing in Google Docs for a second, which I think is cool. Yeah, Caleb, I was there on another computer. 'j gooblatt'. Oh yeah, there it is, 'j'. So that's where we add... One of the other really cool and fun things was they had a VNC connection that was visible, originally blocked behind basic auth, but it was running on a different port, so we were still able to access it and find it. And I started to do something interesting, because you could just squat and watch them. You could terminal squat and just see what they're doing, because I think that was their only access to the machine, at least as that HMI for their industrial control system Raspberry Pi thing. So we started to explore: is there anything we could see in there? Is there anything we could poke around?
Any files we could access? And you were the one that found that vnc_lite file or something that would actually still display the VNC connection. Yeah, so like you said, it was being served on a different port. So whenever you saw it behind the page that was actually basic auth, it was just an iframe for a different machine, for a different port. So that page was behind htaccess, but you could just go directly to that port and you'd still see the page. So they did a good job blocking access to the main website; they just didn't realize, hey, our service is being served on a different port. There's no difference. Yeah, so we were still able to get to it. So I guess it wasn't a different port. Oh yeah. But this is a funny thing, and I hope we come to it soon, because I was like, man, this is the only vector we have, just watching them. Well, we sat there for a while. Oh yeah, because this was not only a view; we could interact with it. We could click in it, we could change things, we could type. The problem was that they were probably on it as well, so the minute they saw us change something, they would know we were there. So we stared at it for a long while. Yeah, I kind of waited. I lurked in the background as a ninja, to watch and see: are they not using this right now? Are they not going to have eyes on it if I try to quickly add a user? And they started clicking on it. Yeah, I quickly add the user to the sudoers file, and then I think someone closes the terminal that I'm in, real quick. So I'm like, oh, someone spotted me. And I try to create a little reverse shell connection, and I feel them holding down the backspace key. You can see me literally fighting someone on the other end of this VNC connection. Fuck you. I knew it was going to be in there.
I was like, I'll just leave that. Yeah, so it's funny, we were able to add a user and we were able to add it to the sudoers group. However, we weren't able to... they had only SSH private keys. That's what it was. So they enabled private key authentication, so we couldn't log in with the password. So we had a user with a password that was added to the sudo group, but we couldn't log in because we didn't have a key. So that was kind of our issue. We're like, well, now they know we're here and we can't add a key to this user. So we'll come back to that a little later, but that was kind of a fun little back and forth with us on their machine for a little bit. Yeah. And we did get the user in, and I think soon enough I start to try and stage some... oh yeah, I use xautomation. So yeah, we can use... I forget what the command was, because I remember I was over your shoulder with it. You couldn't paste into the VNC connection. Yeah, xte. So we used xte to paste in this, as if it automated typing in the string and then hitting the enter key, because I couldn't paste into that VNC connection. So hilarious and dumb and stupid, but literally me figuring out, okay, this is how I press the enter key with this program. Staging the little reverse shell syntax. So then at the end of this, what's basically gonna happen is we're gonna have xte simulate, on our end, on the attacker's machine, typing out an entire command to add a private key to this user and then pressing enter. We're gonna sleep before it starts that, and then we're gonna say sleep for five seconds, and then go over to that VNC connection, click on the terminal, and then xte is just gonna go and type it all for us in, like, half a second, before they can even close the terminal. Oh, it's so funny. And I don't think they even knew what happened.
I think it kind of just happened and they had no idea, and then we were in their machine. Yeah. Is this after it happened? Yeah, I think it happened really quickly. I think you might have been the one that actually finished the script. Yeah, so there might not be real footage of it, but we got into the HMI, and now we're just, okay, quick, add our users, put up some persistence. And this is, like, poor man's solutions to persistence by adding some hidden users. What I've been trying to do recently is add a cheesy reverse shell command as part of a cron job, or putting it in .bashrc, just trying to hide it in an automated place that will run consistently without user interaction, and will have a time schedule to actually execute. Well, something you tried to do, which I think is gonna happen soon, that I think was actually a good idea. It's getting close to it, and it's actually hilarious. I think it was a really good idea; it just didn't work out. You can see it starting to happen. So what you were trying... I don't know if you want to explain it. I'll try to explain it. Okay, you go for it. Yeah, because I am, too. I'm starting to put it together up in the top left there. I have this notion that they're gonna run some commands pretty consistently, you know, like the ls command. So here's an idea: how about every time they run the ls command,
let's have it start a reverse shell and call back to me. So I try and create some users and make enough persistence that I know I've got places logged into. But you'll see me start to create a new /bin/ls script, a script that will eventually be a wrapper for what I would want to be an ls command. So I do this for a bit, and then I say, well, I want to see if I can get the timing right to create all these accounts, get a key in there, because I know this is happening very soon. I'm getting this thing in here. And then I say sudo nano /bin/ls and I create a reverse shell command, and I call ls inside of the script, like an idiot. I made ls1 and backup ls. So then I start to make a connection, and I've got my listener going, and I've got ls calling back to it and calling back to it. But then I see 'cannot allocate memory', 'job control turned off', 'cannot fork process', and I realized that I just recursively called the ls command and repeatedly made shells call back to me. So I unintentionally fork bombed this box, and this snowballs way farther than you'd expect. Oh yeah. So the funniest part to me is the fact that a reboot didn't stop it. Oh yeah. Yeah, you're right, that's the crazy thing. So you would think that this is a problem, but you'd reboot it and the machine would act normally until sudo /bin/rm ls... until you reboot the machine, and then it would act normally until you ran /bin/ls again. You'd think that would be what happened. Interestingly, though, even after a reboot, it did not. The footage is here where I try to send messages like, I'm so sorry, I did not mean to DoS your machine. That was actually an accidental DoS. Yes. Yeah, that's probably the funniest thing that happened while we were here. Along the same line, some of the things we did, just kind of the red team taunting the blue team.
You'll see some things that we did along the same lines were things like /bin/ls or /bin/cat. Yeah, and I don't want to talk about it until it comes to it, because it's very funny to watch. But the most painful thing when I did that was knowing that I made the backup binary, like I actually had the script that would normally do what I intended, and then didn't even think to use it. Here we're trying to do some web shells. I think we tried to move into... so we tried to get FTP write access. Yeah, that's what it was. I think it looked like FTP was working, but we didn't know what directory it was writing into, or something like that. This is one of the cool things, because we had, about halftime of the games... this is again, I think, getting close to the end of the day, or halfway, where we're submitting the vulnerabilities and things that we found. But we do take notes, and we do submit something that is, I want to say, a little bit more formal or intuitive. This is an explanation of what we did and why we were able to do it, because you guys did a good job; you're doing smart and clever things, but we still were able to kind of move around it. Yeah, I think it's a consistent thing, whether it be CTFs or blue team exercises or whatever. It's always like, oh, these really cool things and these really obscure vulnerabilities, we're gonna fix all these, and then you forget the little things. You forget that, oh, I'm just gonna go and check these things manually, instead of, oh, I ran my script and it looked fine. Like, don't forget to just use your eyes and do it manually, because it's a big deal. I want to get into day two. Yeah, okay, cool. So we're almost done for this day. Uploads, trying to send some stuff in there. Is that two days? It was two days. Was it? I don't even remember it being two days. It's good stuff. It's all just one big blur. It's one big thing.
Yeah, yeah, honestly. Bolt Corp. So many private keys. Yeah, we had the idea, or you had the idea, like let's all use one consistent private key as a red team, or as the individuals that are doing the pen test, which is smart. Yeah, I think it makes it easier that way, like whether you created the account or I created the account doesn't matter. Like, oh, we all have the same private key on Slack, let's pull it down, and then we can just go with that. Right. So I do this stupid thing for the longest amount of time where I try to put a meme on their website. I don't know if you remember. Way too long trying to put a single image on their website, and it wouldn't work. No, it's just HTML. It was just HTML, and I'm like, WTF, is this some Django template thing that's ruining my life right now? Because image source should straight up do it. And he tried to encode it. It's still printing. Yeah, I got a... and I can't get this to stop. pkill base64. I remember you tackled this, like you took it from me. It's like, why is it taking you so long? Yeah, I felt dumb afterwards. It was like, John, you're an idiot, just put the image in the website. Right. And then after like 20 minutes of me trying to do it, I was like, fuck it, it doesn't matter. I think it was Django's templating; like, it needed to know if this is the location of the static files for Django, but it just wasn't taking it. It was not having it. It's probably something stupid simple, too. We ended up... we tried to serve it from our machine, I think. Yeah, we tried to do 'One does not simply'. I think I had the file extension wrong, like something absolutely absurd. So close to the end of this day, and the next day is all about trolling. The next day is all about having fun. Yeah, so there's gonna be some good stuff. I thought I was trying the Apache get-root mod. There's a plugin.
There's some extension you can add to Apache, like Apache mod_root or something, where you just netcat to it, you type in 'get root'. And do you remember finding the SquirrelMail? I did. We never... yeah, it just kind of popped up, and it was not part of the challenge. Like, they had a list of services they had to keep up. There was the HMI thing, there was that website that had the notes application, there's a few other things. But about halfway through the competition the SquirrelMail server just kind of popped up. Sorry for the spastic distraction. And we had no idea why it was there, and no one could tell us why it existed. Did we get access to it? I don't remember. No, I think we tried a lot of exploits and didn't bother. You see me here going through, just manually changing some of the website names to get a little defacement there. Red Team Corp, though. This is stupid and fun. You should have changed the Red Team Corp. Oh, this is hilarious. I think I added 'background: red' and it clobbers the whole site, and I don't know why. Here's like, fuck that. Yeah, like, okay, you know what, CSS, you're just not gonna play nice. I mean, to be fair, CSS never plays nice. So we get into attack number 10, because in two days we had 20 attacks all in all, so it was cut in half. We weren't able to do any of those things, or at least kind of have a notion of the others looking forward. I think because of the SSH private keys. Yeah, so some of that depended on SSH, and they, which is great, like they enabled SSH private key authentication across the board, which was fantastic, not for us, but for them it was great. So another blue team tip: do that. Yeah, because at that point there's no chance of, like, bad passwords. Like, I can't do anything remotely, not much anyway, unless you had a vulnerable version of SSH. But I just changed my terminal background.
I was doing funky stuff. Oh, actually, oh, the FTP default login. And then we knew that there were default passwords. So we, oh, so that was the thing with FTP. Yeah, they enabled SSH private key authentication for their users, but then we were just really looking at FTP as the anonymous user and looking at it. But then we realized FTP by default, I think it's vsftpd, will authenticate with local users, and we're like, oh shit, we can just log in with FTP as the blue team user with the default password. And it works. So they enabled SSH private key authentication but didn't change the default password for the user, which blocked us out with the exception of FTP, which we could log into without the certificate. And then we could write files to, for example, the web root, and then we got a shell. I think that's how we did that. Yeah.

Also, you got the "One Does Not Simply". It didn't have nano or vi or vim. It had the text editor joe. I don't know, I think I just dealt with it, but I don't know if you people that were watching might have seen me wrestling with that editor. Like, how do I leave? What am I doing? Why wouldn't you? I never, I didn't even know you did that. I don't remember that. I probably whined about it at some point during the exercise, like what the heck is this editor joe.

So, okay, so this is the final report on the end of that day. Zero one and a 10 attacks were what we were on the first day, 11 out of 20, because we hadn't gotten loads of attacks, we just didn't put them in. But we were saying like you guys did good, like you guys did well, and it was very cool to see some of that stuff. And I put that down here in the notes. You see me bang that out. Basically, FTP was good, SSH private key was good, but it's not all the walls are boarded up. So. And is that just about the end of day one? I think so. Cool. If you're still sticking with us, we can move into day two.
That'd be fun. Get a little fun stuff. Good times. Yeah, this is it. "One Does Not Simply" finally. Got the image on 24 hours later. Yeah, yeah, took me all night. They fixed my Red Team Corp.

So trying to see what we still have left for persistence. Some of the accounts that we created have not gone away, which maybe was a bummer. And I think we see that especially throughout today, because we get to do a little bit more on the offensive, burn 'em if you've got 'em mentality, because we already had so many users and kind of footholds and claws still in there. Why hadn't they been taken out? Like, why? We are obviously active on the machine. Why aren't they booting us? Why aren't they killing our SSH connections? And that was the strangest thing, I think, for us. And as we get through this, you'll see we were loud. Yeah, we were really loud, and they knew we were there because they would kill our connection, but then you just log in as another user and you'd be good for another like 10 minutes. Then they'd kill your SSH connection, but they wouldn't remove the user, they wouldn't change the password, anything like that. They would just kill your session, and so I was like, okay, that's annoying. I'm gonna stop me. I remember, I mean, it was a little more than annoying. I remember sitting there and I would be like, god damn, I just finished this command. Like I'd log in, type half the command and they'd boot my session, and then I just log in again.

I'm starting to look for some silly annoying troll things, like, okay, how can I change the bash prompt to be like "red team was here" and like glitch text or something stupid? Install Go so we can get terminal parrot. Yeah, your thing was terminal parrot. My thing was cowsay.
Oh, yeah. And it's hilarious once it hits. There's a lot of good stuff as we start to scroll through this, because this is when we just meme and troll and nuisance. So I started to write two different connections trying to talk to people. We got the wall going. So I think, so it's not, you can't see it on my machine because I was running all these, but at some point around in here is where I've mentioned a couple times, I'm just really proud of, I thought it was hilarious, the cowsay. Yeah, and that's gonna happen. You start to wall. Do you show it? Do I show it on yours? It's like, yeah, it comes in. Okay, you don't write it. We get to see the script running, but you'll see it happening, and this is hilarious because you're like "wall hello dad". Yeah, because I had root on the machine, so I was just dumping wall messages to everyone logged in. A couple times they responded to us. Yes, they did, and that was when they asked us, like, please tell me how to fix the... Oh, yeah, I think it was dot four or something, and they were like, what did you do to dot four? And I was like, what do you mean? And they're like, it doesn't boot. Yeah, you'll see when it happens, because there's a genuine wall conversation.

One of these exploits that they had us do was Paramiko, which was cool. We could see different files. And there were two FTP servers, one of which we were able to work in, one of which we were not. You mean SSH. I think so. You said FTP. I'm sorry. I'm sorry. What happens? So I'm adding in terminal parrot to the bash prompt and then you see me connect to it, and it errors so often, like, I don't know what terminal parrot is, and I think it's hilarious. John, you're an idiot. So I try to set up Go, get the Go environment variables right, which I still never get right and don't understand.
Yeah, it's really annoying. Yeah. But as soon as, as I'm seeing more and more, Go is becoming quite a Swiss army knife for these. This is my favorite thing. This is like sl but Pusheen. So I try to do that. I tried to overwrite cat with that, and again, I'm getting into dangerous zone when I try and overwrite ls. But I wanted to get sl, the steam locomotive command, on here to switch up their ls command to just be a nuisance, and I end up tripping over it myself, which is hilarious, way too often, because I just so easily, oh, ls, where am I in the world right now, and then freaking steam locomotive. But seeing Pusheen happen is hilarious. Oh, there it is right there. There it is. Oh, yeah, "come on talk to me I'm lonely". That was the blue team. Yeah, I think that was you. No, no, that was them. And then I said you should fix dot nine, because at this point we didn't know it was our fault. At this point we still thought, oh, a reboot would have fixed that, and so I was just taunting them, like, hey, you should go fix dot nine. But no, it was really broken. I want to see when they respond, because it's so funny. They're like, can you tell me how to do it? And then I say the stupidest thing. Steam locomotives. Literally, like every five seconds you'll see me run into my own wall.

I love this technique, python SimpleHTTPServer, because when you're just trying to pull stuff back and forth to different boxes. You're much better at using netcat to transfer files. Yeah, I do a netcat all the time. It's simple and easy, quick and easy. And that's just like redirecting to... Is anyone here? Or did they respond? Because I know it's coming up soon. I create Pusheen, make him into the cat binary, the kitten. Something that I did here, I don't know if you saw it, was sl and cat at the same time, so the train just goes like, you know. "Please tell me how", there it is. Yeah. And I respond. Oh, also you put the Google Chrome no internet thing on there.
Yeah, you said, you said tell you how to what? Replace cat with Pusheen. And one of my favorite things: deface the web server with the Google Chrome no-internet dinosaur game. It's a great game. Oh, it's hilarious. I didn't know you could download a static version of that. "How to fix dot nine." Seven one kind of hole in the box. Get a Lonely Island reference there. Paramiko exploit. I tried to weaponize it and get a little bit more, but it never seemed to work. I kind of felt bad after, later, when I was screwing with them a lot about like how to fix it, and then we found out later that was actually kind of our fault, and I was like, oh, yeah. Oh, yeah. I tried to send a lot of apologies, and that'll be very visible, because they had someone come in the room and ask us. So one of the organizers... It was either, you were too embarrassed. Yeah, I was super embarrassed, I wouldn't talk to them. Like, so somebody walked in at one point and one of the organizers was just like, is one of the teams just shutting down the machine every time they start it up? And me and John looked at each other and we were like, no, but I think I know what you're talking about. We were like, we didn't mean to, but it might have just completely destroyed their box. And so he said, okay, we're gonna let them know that it's fixable, but like, what's going on? And I was like, if you need me to come fix it I will, but I need physical access. And he was like, no, we'll let them know that it's fixable and it's something there, but we'll give them a little time to see if they can fix it, and otherwise we'll come back. So time passes, we let them kind of figure it out, work for a little while. I think it was probably 45 minutes later, an hour or something. And the guy comes back in and he's like, can you come here? And so I looked at John, I was like, I'll go. So I walk into this big room full of these blue team guys all sitting around these tables, and I walk up and
I'm like, hey, so I'm your red team. I'm red team. We didn't mean to, I'm sorry, but what's going on? So show me this machine, and for some reason every time it booted it would just die. And I guess at some point during the boot process in Ubuntu it runs ls. No idea why it would ever do that during the boot process, but I wonder how or where that happens. I don't know. Yeah. But every time it booted it would die before it could even finish booting up, because I assume it's running ls. What we ended up trying to do was actually, there was no console, like direct console, on that machine, on those virtual interfaces they had. So we ended up having to detach the hard drive from that VM, attach it to another Linux VM, mount the hard drive in the other Linux VM, remove the /bin/ls, replace it with the correct /bin/ls, and then unmount it and attach it back to the original VM. But that still didn't fix it. The machine still didn't boot. I don't know what happened. They ended up getting points back for it, but I was just like, I'm really sorry, but I don't know. Like, we messed up ls, but we didn't do this. Yeah. Yeah, that shouldn't have happened.

So we're trying to run EternalBlue again, I think. So I think I'm just trying to get back some footholds, but because, like you said, this is kind of our burn-it-all time. This is the end of the second day. Yeah, 4:30 the second day. Someone sent along all these credentials that apparently came from either the organizers or the people that had set up the infrastructure, but I try to work through some of them with RDP, I try to work through some of them with PsExec, but none of them seem to work. So that's kind of what that fiasco is here, but that just straight up didn't happen. So yeah, even trying PsExec, which is outlandish land for me. I don't know as much as I should in that regard. But EternalBlue still is kind of our magic gun.
Obviously, I think that should be something that's on your list to immediately patch, or immediately put together when you've got a blue team going off: SMBv1. Yes. It's not useful for anything. Registry week. I don't even know why it's on, like why would that ever be on? Yeah.

This is when we started to, I don't know if it's you or I, I think it was you originally that was like, yeah, let's put everything that they try and cat into cowsay. Yeah, so I made a script that if you run cat with a file name, it was a script that took whatever the contents of that file was and gave it to cowsay. So to be fair, it would cat the file. Oh, yeah, it certainly was. It was just inside of cowsay's bubble. Hilarious. So it was great. Eventually it ended up being cowsay piped into lolcat, actually. And that's so funny. There's a point very soon where I visibly make the message of the day on their machines as they log in a cowsay that says "I'm really sorry". Yeah, I know it's coming up soon.

More FTP. That FTP worked basically till the end. Yeah. Yeah, I think it's just because they either didn't realize, completely out of mind. They were like, oh, we fixed the password authentication, so we're good, golden. But that was a good way in. So we're still playing with this fucking, yeah, SquirrelMail, man. Popped up out of nowhere, and there was a SquirrelMail exploit that should have worked, but it wasn't working properly. I remember as a ghost I played with it for a while, and I think you played for a little bit. Just realized your name for this directory was just "force". The force is with you. So moving through the report again to try and explain what we're doing and how we're doing it. And we did the exact same thing, having the command execution that we already had, on those machines that hadn't an exploit specified for them.
We're like, well, we kind of pieced it through already, which we were very pleased with. So, yeah, starting now to again write to people or try and get some conversations. I don't know if that's them or not, because that's their blue team account. Maybe that's us. I don't know. Yeah. That's so funny. Also, when you're playing a red team exercise, some things might just break or not work, and you don't know, like, did I do that? Or was that dumb? They just kind of, or sometimes they blame you for something. You're like, no, I didn't do that. I didn't DoS your box. Well, that one was... I didn't fork bomb with the ls command.

So an interesting thing that I did that I think you're seeing here is, every time, I think it was every few minutes or something like that, I forget what exactly I did, but it would call back out to me. Oh, no, it would recreate the files. So I replaced /bin/cat and /bin/ls on one of the machines, and then it was a cron job that every like minute or something like that would put those files back again, because they kept trying to fix them, because not having /bin/cat and not having ls is really annoying. But every time we put those fake files back, it would also print out to wall, like some message with cowsay. It would just be like cowsay to wall of like some fortune message. Yeah, yes, and so you'd see like every two minutes it would... oh, there's your "I'm really sorry". I'm sorry. Every like two minutes you would just see a cowsay pop up with a fortune.

Oh, yeah, this comes soon enough, because we started to install lolcat. Oh, and I just, we were just playing. I just sit here and play on like a game for a little bit. They hadn't fixed it yet. Yeah. Yeah, like, well, I remember we kind of just sat around and got a little bored. Yeah. Why aren't they kicking us out? But what's your high score?
I played this for a long time. Another exercise that kind of was restrained on internet access, so for like the morning briefs, the morning meetings, I would sit there for an hour and just play. Like 32,000, some crazy number. When I was out at training and we also didn't have internet, it is a similar thing, except I figured out how to edit the score. I was like inspect element and found the JavaScript to edit the score, so it says that I had like a hundred thousand points or something like that. Oh my gosh. That's awesome.

Flappy Bird. This is where I start to like do Flappy Bird. So did we ever actually get it to work on our machine? No, I don't, because it's not like we would know. Yeah, you wouldn't be able to see. So for anybody that doesn't know, Flappy Bird is a game, obviously. If you never saw Flappy Bird, Google it, under your rock. But there's, I guess you call it a port of that to literally x86 assembly that you can write to the bootloader of a disk, and then reboot the machine, and that machine is completely screwed. But the nice part about that is that you have a Flappy Bird game to play. So it'll reboot, it destroys your OS, but you have a Flappy Bird game to play in your bootloader, and you hit spacebar, you can actually play the game. It's really funny. Somebody did it to us at Pros vs Joes. Yes, in Delaware. Delaware, yeah, you played.

Yeah, terminal parrot. I just set that in bashrc, and their hosts, like you can't break out of that. It's so funny. I'm really sorry. Cowsay looks so sad when he says "I'm sorry". So I hope that was kind of fun. I hope that was a quality training environment for the blue team, because I think, I don't know, I hope there was enough learning that we were able to provide, and the same morale. I think a really cool thing was the learning during it. Cool.
Yeah, but then also afterwards they had the kind of dinner thing. We actually had to sit down with the blue team that we were red teaming for, and they asked us questions, we asked them questions, like, hey, what did you do here to do this? And they asked us, oh, we saw this, we couldn't get you out here, and they would ask us questions. That was a really good back and forth, I think, at the very end of the day. Yeah, it was really quality time for learning all your basics.

This is where I think you start to do it, because you had pulled like a list. Yeah, so I had a list of things. It wasn't just the fortune command. I had pulled a list of different funny sayings that would just pop up. Yeah. What I was trying to do was to get cowsay with that fortune through wall, lolcat, to every terminal, but interestingly wall removes all of your escape sequences. Yeah. Yeah, so I had to find a different way to do it, and I think you might be doing it as well. So what we ended up doing, what you'll see us kind of figuring out here, is instead of calling wall, since we had root access, we just opened /dev/pts/, every single pts that's open, and just sent it directly to their terminals, just bypassing wall. So it actually worked really well. It was really funny. We just sent all these messages directly to them, and at this point so many things have been burned, I'm not even sure how much they saw of it. Yeah, but we just sent it to all the terminals. It was pretty fun.

It's hard to imagine what they would be thinking, like, because I know especially when I play on the blue team side, you just like put your head in your hands, man. Yeah, I just feel like I put my head through a fan, especially when everything starts snowballing, like I lost this machine, we lost this machine. I log into this one, I can't call ls, cat or anything. Like I log into this one, I get a terminal parrot. Yeah. Yeah, I'm really sorry.
What do we have left? This is where it is. We're like, are you guys doing all right? How are you guys doing? This is where you were testing, because you can see your format string in there. Yeah. Yeah, and your quotes are starting rolling through: "everything in the universe is either a potato or not a potato". And we started to Google like, how do we get wall to keep escape sequences? So I jumped the gun a little bit earlier. No, I mean, you're totally fine. It's good explaining, because the eventual solution that we find is writing it to the terminal, yeah, directly to the pts. "It was just two toothpicks." "Dilithium crystals." I can't wait to see these just pop up in rainbow on your terminal with no way for you to stop it. I can't wait. I don't know how quick it is, but yeah. "We're testing your patience." "Reading terms and conditions." Yeah, that's so good. I found those by Googling like "reticulating splines" or something like that, because I wanted all those like Sims-type messages. Yeah, quality. And it just goes everywhere. I hope they saw it. Yeah, because the colors that lolcat gives are different. Yeah, because I was calling lolcat every time. Okay, so it was random, but you're getting the same message. Yeah, which I think is funny. So I would generate a phrase and iterate through all the pts's and pipe the phrase to cowsay to lolcat, so lolcat would pick a random color even if it was the same phrase, and pipe it to all the different terminals.

This was a technique that I thought of and found really fun. I would cat /dev/urandom into their terminal, so their terminal just gets... I'm literally, so if I see someone log in, I just like spam garbage at them. And I was very pleased with that. And that is all the footage that I have for CyberForce. But it was super fun. It was cool. cmatrix, the only way to end a video. We're leet hackers and stuff, dude. Of course. That was long, but sweet. Thanks. I hope you had fun.
Thanks for watching, internet.