Hello everyone, my name is John Hammond and welcome back to another video. Today we're going to be taking a look at the Wgel CTF from TryHackMe. So I have this up on my screen here. This is a free room, so you don't need to be subscribed in order to access it. It says simply "have fun with this easy box," and the only problems are our user flag and root flag. So once our machine spins up, we should just have an IP address to muff around with. I'll clean out some of my notes from a previous video. Looks like that shell super broke, so I'll reset this here. And let's make a directory for Wgel CTF. I think that's how you say that; I have no idea. Let's create a simple README file for this so we can keep track of our notes. I will go ahead and export that IP address here and slap that into my shell. Let's see if I can ping that machine, if he's up already for us. Still taking his time. So let's go ahead and build out our tasking things just to have this here: user flag, that should be one, and two should be your root flag. So let's burn through this here and see what we've got. That machine is still spinning up, so let's take a little bit of time anyway. We can go ahead and make our nmap directory to stage that and get that ready. We'll also grab that export IP command, and we will start nmap -sC -sV -oN nmap/initial. Let's run that on the IP address and let's kind of hang tight until that machine comes up for us. Maybe it's also just actually not, I don't know, showcasing things. We can just go access the web page itself and see if that is alive. Nothing at the moment, so we'll stand by. We are still connected to our IP address, or our VPN, are we not? Verify. Okay, it looks like it's good. I'll just hang tight and wait. Stand by. Okay, it looks like he is responding now. So how's that web page look if I were to refresh this guy? Still taking his time. Let's fire off our nmap scan regardless.

See if he comes up soon or if our nmap scan dies as well. Okay, so now this web page seems to load. It's weird to me, because it's an Apache2 default page, which we see all the time, but it's weird that some of the notions here, some of the fields here, aren't filled out. Let's just view the source here. See, we have a lot of CSS, kind of default stuff. Items are commented out. "Jesse, don't forget to udate the website." Is it? Okay, so update the website. Jesse, that's a peculiar name. Let's start some other enumeration on that. Let's go ahead and run nikto -h http:// on that IP address. He's going along. Let's start gobuster as well. Oh, is that nmap scan done? Didn't find 80, but found SSH and some funky ones. So I guess I'll rerun that. Let's grab this again for this new shell down here, and let's do some gobuster. Let's do gobuster dir -u on that IP address. I'm going to specify my wordlist from /opt, directory-list. Let's see if we can figure any of that out. sitemap? What the what? Okay, it's worth seeing if that's a thing. Maybe there's some other information that we have not seen before. sitemap: that gives me a 301 and redirects me somewhere. So let's see if that page loads. "Unit template"? What the heck. "Take on your biggest projects and goals." So this looks like a whole directory; this is a folder thing. Let's actually restart that gobuster and see if we can figure out anything else inside of sitemap. And I'll bump around in here. "Works" goes to work.html, services... Okay, so these are all pages. Don't seem to have anything interesting. Contact info, that looks fake: info@yoursite, your website. gobuster found images. Good enough. I'm just going to slowly poke through these. About. UNAP. Is this actually a video? Let's see. Oh, that's a thing. That's a real thing. That's got timestamps and everything. Let's not play that on my YouTube channel. Dorothy Murphy, no one else, and Adam Moore. What are you doing, dude?

That's not how you drink drinks, bud. Okay, the page does not change when it's services; it's still saying that thing. shop.html, contact.html. Can I abuse contact? Maybe we can muff around with that form too. That's an option. css, js, automatic backup data. Let's check: is there a robots.txt file hidden in any of these? Sometimes it's supposed to be in the root directory, but it's not always. Is there a .git directory in there? No, but like, is it .bzr, or what is it, for Bazaar? There's some weird stuff in there: fonts. So we're just getting stuff at the moment. "It works" as grid. Let's look back at our other enumeration, because we still have nikto running and nmap finished. Looks like it found those other options that we have. We can still run dirb, because gobuster is good to have, but dirb also has some other worthwhile dictionary files, like some of the stuff that they share for Apache. These are really cool. If you go take a look at these, it'll have some other files that might be more likely on a web server. So they have one, common, I think it's called, and that's in the dirb wordlists: common.txt. That has some good stuff. So let's try him. I'll do the same gobuster dir -u on my IP address, but I'll use the wordlist from common and see if he finds anything else there. Okay, so .hta. Oh, let's do that in sitemap, because we know that we have some stuff in there, but we did see the .htpasswd. We can go take a look at that .htpasswd. I cannot read that. What about .htaccess? Maybe still no. Okay. Oh, what the what? There is a .ssh directory, seemingly within sitemap. So let's try and navigate to that if it loads. Whoa, okay, we have an id_rsa file. So that's a private key. Nice. Sweet. So we could try... we don't really need to enumerate anymore. Let's just make that id_rsa file. We know that username was Jesse, right? Let me check the page. I thought it was Jessica, that I misread that earlier. Where did it go?

Jesse, Jesse, Jesse. So that's the name. Okay, so let's actually move... let's call that jesse_id_rsa and let's chmod that 600, so it is an SSH key that SSH would be willing to use. Let me grab... I accidentally nerfed my shell just a moment ago. So ssh -i jesse_id_rsa jesse@ the IP address. See if that connects. Oh, and it logs me right in. Okay, awesome. So seemingly no flag. Oh, that's a lot of stuff. find | grep flag. It's in Documents. cat that flag out. There we go. Let's slap that in here. There is our user flag. And we could go ahead and scp some stuff over. So scp -i jesse_id_rsa... let's move LinPEAS over into jesse@, let's grab that IP address, this guy in /dev/shm, see if that will work for us. Okay, copied over just fine. So /dev/shm, let's try and privesc. I'll run LinPEAS and see if we get any good stuff. Whoa. Okay. I already felt like I saw some potential privesc techniques in there. Stuff in my PATH is potentially writable. I am sudo; I'm in the sudo group. What is in that? Whoa. "User jesse may run the following commands": NOPASSWD on wget. Okay. Let's go check out GTFOBins and see if we can do things with wget. wget, file upload. So it's sudo. "Fetch a remote file via HTTP GET." Hmm. Can only file download and file upload. So we could get the root flag, but we could also get a root password. We could set a root password, and that might be kind of cool. Let's do that. Let's see if we can pull that off. So, okay, you can stop that little LinPEAS. Let's take this /etc/passwd and let's fake a root password we could use. Let's create a simple new entry, or let's modify the root entry and replace that root password right here with our own password that we want to supply. So we could do that with Python. I'll get to a regular shell that's on my host. Let's go ahead and python, import crypt. And I think it's crypt.crypt and the password that we want to use.

So I'll just say "pleasesub" as our password, and let's copy this string. Yep, yep, yep. Let's paste that in. So let's call this a passwd file. So let's get back to the victim. Let's try and actually make a copy of /etc/passwd to /etc/passwd.bak. And I can't do that. So let's put it in /dev/shm, so we have a place we can write to. So if we could download files, we could host our new bad one, our new bad /etc/passwd that has our custom password for root in there. And we could overwrite that, so we have our own password set for us, because we can sudo wget. So sudo wget looks like it works. Let's go spin up a server on our attacker machine: http.server, port 8000. I believe I am still 10, 8, 9, 1, 1, 12. Yep, yep, yep. Let's wget http:// 10, 8, 9, 1, 1, 12 at port 8000. Let's grab that passwd file. And it needs to have -O for where it wants to store it. So let's put it in /etc/passwd, and it wrote it. Okay, so let's check out cat /etc/passwd on the victim. And now we have our fudged password for root. So we could su to root with "pleasesub" as our password, and now we're root. So now we have a root shell, and we wouldn't need to... we could have just exfiltrated, like, okay, grab the flag by getting the file and sending it to our own machine. But I think it's much more fun to actually get a root shell. So that technique, just clobbering /etc/passwd with our own set password for an account, will help us do that, because we could write to /etc/passwd, which is pretty cool. Let's go ahead now into /root and grab that root flag. cat root flag. Thank you, thank you. And we're done. That's that machine. So pretty cool, super nice, pretty easy. I liked that wget privesc. I hope that technique is kind of neat, for just clobbering that /etc/passwd entry.

Again, the other option is just exfiltrating that flag out, but kind of neat to get that initial access by finding the username and finding that directory in the flag, or in the website. So that was very, very cool, I think. Hope you guys enjoyed this video. Hope you guys enjoyed this room. I thought it was kind of neat. But again, just wanted to showcase it to you. If you did like the video, please do press that like button, comment button, type things in and hit enter. Subscribe button, you know, the picture of my face and all that stupid stuff. So thanks everybody. I'll see you in the next video. Take care.
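The overwrite shown in the video leaves a distinctive artifact on the box: a password hash sitting directly in the second field of /etc/passwd, which on a shadow-enabled system normally holds only "x". As an added example, not from the video or the room, this Python audit flags that artifact, any extra UID 0 account and malformed lines; the sample passwd lines, the hash value and the "backup" account are constructed.

```python
"""Audit /etc/passwd content for the indicators left by clobbering the file:
a hash in field 2 (so /etc/shadow is bypassed), extra UID 0 accounts, or
malformed entries. Added example; sample input below is constructed."""
import re
import sys

# Values that legitimately appear in field 2 of /etc/passwd when shadow passwords are in use.
SHADOWED = {"x", "*", "!", "!!", ""}
# crypt(3) formats: $1$ MD5, $2b$ bcrypt, $5$/$6$ SHA, $y$ yescrypt, or 13-char traditional DES.
HASH_RE = re.compile(r"^(\$(1|2[aby]?|5|6|y)\$.+|[./0-9A-Za-z]{13})$")


def audit_passwd(text):
    """Return a list of (line_no, username, finding) for suspicious entries."""
    findings = []
    for no, line in enumerate(text.splitlines(), 1):
        if not line.strip():
            continue
        fields = line.split(":")
        if len(fields) != 7:
            findings.append((no, line[:32], "malformed entry (expected 7 fields)"))
            continue
        user, pw, uid = fields[0], fields[1], fields[2]
        if pw not in SHADOWED:
            kind = "hash" if HASH_RE.match(pw) else "non-shadow value"
            findings.append((no, user, f"password field holds a {kind}; /etc/shadow bypassed"))
        if uid == "0" and user != "root":
            findings.append((no, user, "additional UID 0 account"))
    return findings


# Constructed sample: the root line carries a hash, as the video's overwritten file would.
SAMPLE = """root:$6$constructedsalt$constructedhashvalue:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
jesse:x:1000:1000:jesse:/home/jesse:/bin/bash
backup:x:0:0::/root:/bin/bash
"""

if __name__ == "__main__":
    # Pass a path (e.g. /etc/passwd) to audit a real file; otherwise the constructed sample is used.
    data = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE
    for no, user, finding in audit_passwd(data):
        print(f"line {no} ({user}): {finding}")
```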