Hello everyone, and welcome to a long-awaited video. I put out a little promo for this thing last week; we had a cool little event in the TryHackMe Discord, a little "Designing Dungeons" conversation with the creator. So this is it: we're doing the Year of the Jellyfish room on TryHackMe, and I am not expecting this to go all that well. I'm gonna fall down a lot of rabbit holes, I'm gonna bang my head against the wall for a little bit, and it's all bundled up in a video for you to enjoy watching my suffering. So here we go. I'll get to my computer screen here. This is it: I'm on the TryHackMe website and I've opened up the Year of the Jellyfish room.

Year of the Jellyfish is part of an OSCP voucher giveaway, generously donated by Fawaz. If you root the box before 6 p.m. UTC on the 30th of April 2021, you'll be entered into the prize drawing; the winner will be chosen by raffle at that time, and the stream will be announced on the TryHackMe Discord server. So you've got to jump into the TryHackMe Discord server and see what's going down: see all the memes, see all the laughter, see all the gifs, and maybe ask for some help if you're playing this, if you're working through it. But no worries at all, this is all for fun, we're all here to learn, right? Those are the stakes, though. Everyone's been having a lot of fun for some TryHackMe giveaway here, an OSCP voucher.

A couple of notes, though: this box deploys with a public IP address, so think about what that means for how you should approach this challenge. Internet service providers are often unhappy (it's very generous of you) if you enumerate public IP addresses at a high speed. Hmm, okay. It goes without saying, any signs of cheating will result in an immediate and permanent ban, both from the competition and from the site and TryHackMe community. Oof. Can we get an F in the chat, ladies and gentlemen?
And of course, don't stream or release write-ups to this until after a week has gone past. We should be in the clear, we should be good to do this thing now, because the time has elapsed, so let's do it. I've got the machine started up, I've got my little IP address here, and I guess let's do this thing. I don't even know what I'm getting myself into. So: got a terminal, connected the VPN, which I apparently don't even have to do. So, Year of the Jellyfish, also known as YotJF or "yacht jif". Let's get a README going, because I'm sure I'll have a lot of stupid ideas that I'll probably want to keep track of. That's large text. Year of the Jellyfish. If you guys don't know, obviously I'm gonna be a little more rambunctious, a little bit more crazy, a little bit more John Hammond than usual, because this is gonna be a raw video where I'm just diving in. April, what day is it today, the 28th? That's the day I'm recording, 2021. Let's get the IP address in here and let's start the show.

I'll make a directory for nmap, and, you know what, my ISP, my internet service provider, might get angry at me if I were to scan this box, but that's a risk I am willing to take. What is that line? Is that like from Shrek? It's Lord Farquaad, he's like, "Some of you may die, but that is a risk I am willing to take."

21 FTP, 443 HTTPS, port 80 for a classic web server, HTTP, 22 for SSH, discovered port 8000. What else we got? We got anything else? Little AWS instance here, looks like. And now it looks like those are all the ports it found. I'm skeptical, because I know MuirlandOracle, the one that puts it together, is going to throw some curveballs in here, so maybe there are some other ports to scan. I'm going to stop that nmap scripting engine and just go kind of all out. We don't need those things anymore, and let's throw it into like an all-ports file. Let's go all ports, and I guess let's do it.
I guess, risky business, screaming out across the internet. What's the IP address? Do I still have that here? Yeah. So it's gonna redirect me to HTTPS, right? So I'm gonna assume... oh wait, it obviously needs a domain name. Of course. I'm saying HTTPS because we saw port 443, but it looks like it needs a kind of name entry for robyns-petshop.thm. Okay, let me start another little terminal, boy. And I will... discovered port 22222. Add this in nano, add this into your /etc/hosts with nano. Oh, shoot, what was the IP address? Paste that in. Ta-da. Now going to the web page: certificate warnings. Okay, and that's totally fine, probably a self-signed certificate, totally cool. Take me there anyway, living on the edge. Welcome to Robyn's Pet Shop.

I should take a look at that certificate, though. So I'm gonna click up here, "connection to the site is not secure". Can I see the certificate? Why can't I zoom in on that? I want to make that bigger, I want to make it so the people can see it. Gosh. Details. Let's see what we got here. Hopefully your eyes can squint at that. I'm just gonna scroll through here, whatever information might be present in this certificate, in case there's any new information that would be worthwhile, like other domains. Oh, in fact, yes: certificate Subject Alternative Name. I wonder if nmap would have actually carved that out in my initial nmap. It didn't write it because I quit the program. Great. All right, so we have monitorr, beta, and dev as some subdomains in here. Let's keep track of that, I suppose. And then let's also grab all of these to be put on other lines and add them into our /etc/hosts file. Someone yelled at me, someone was in the stream chat last time, it was like, "John, you know, you can just put them all on the exact same line in /etc/hosts." I'm like, you're right, you know, it works with spaces. Yeah, I'm pretty sure. Let's just grab one and then ping it.
Yeah, okay, it gets the IP just fine. Pinging is not going to want to respond, though, so that's fine. So now we have some other subdomains we can take a look at, but first let's dive into Robyn's Pet Shop. It's the best pet shop in Bristol, with the happiest collection of animals for sale, be it a cute little guinea pig, a puppy, an adorable bunny rabbit or your first goldfish, we have the pet for you. This is a big goldfish now, I zoomed in a lot. He looks kind of sad, not gonna lie. He looks like he's not all that happy to be here. Fred the goldfish, Honey the beagle puppy, and Credence the... oh, there are a lot of these. You can get a giraffe? Does anyone have a giraffe? An alligator? Please don't ask, please send help. I'm having fun already. "As you can see, we have a wide array of pets available. Be warned, some may come with unexpected medical expenses." Goldfish bites. Yeah, that's the least of our worries here. "Come and visit us at any time."

I clicked the link and it didn't load. Did I... did my nmap scan kill it? Did my nmap scan kill it? No... You know, I learned my lesson. We learned our lesson real quick. Do I just wait it out, or reset the box, or get a different IP address? All right, we're off to the races bright and early. Let's revert the box. I'm gonna do that, not a big deal, and we'll wait for that to happen, and I'll switch out the IP address in my /etc/hosts. Okay, we got a new IP address, a new box is up, so let's switch that out in the /etc/hosts file, and let's hope that that will behave a little bit better for us. I probably should have read the instructions, you know, I mean, I did, but I just kind of totally ignored them, so I learned my lesson. The connection is not private, yep, redirected me just fine. Let's go. All right, let's not send a massive nmap scan across all ports now. Did we even get anything from that?
Honestly, we saw a new 22222. But what is on this page? Is there anything worthwhile other than these animals? The contact page: "Feel free to contact us anytime." There's an email address. Is there anything hidden in these web pages? I'm just gonna quickly view source, I'm just gonna quickly Ctrl-U to see if there's anything hidden. I see an assets page, so we can go visit Fred the goldfish personally: assets/pets. Oh, okay, some directory indexing. How about just assets? Just pets. Anything else we could do, like nikto and gobuster, but then we just run into the exact same problem. So I could switch to some VPS or something, maybe. But if there's nothing else immediately telltale on the site, then I want to go look at some of the other ports.

We knew that FTP was a thing. I don't think I have anything out of the nmap files. Yeah, all-ports and initial are gone. So what did we see? I mean, we can do this again, but we saw 21, we saw 80, 443, we also saw 8000, obviously 22, and 22222. Oh, and we can check out these other domain names too. I want to see the FTP real quick, just to spot check that, in case it's a dummy anonymous login. I doubt it. Also, this is an up-to-date version of vsftpd, so probably no user enumeration. We could just try a simple ftp username again, empty, no password, but I don't think... yeah, that's not gonna get anywhere. Okay, maybe that'll come in handy later.

80 and 443, SSH: we don't know any usernames. What's on port 8000? That's still using HTTPS, so let's try and switch that to HTTP. "The site is under development. Please be patient. If you have been given a specific ID..." An ID? I haven't been given an ID. How do I get an ID? Anything? Nope. Please subscribe? Nope. No one's handing out any favors. I want a box where "please subscribe" is a necessary part of the box, like a password or a key or something. What is on this quad-2 thing?
Or quint, I guess. Is it because... wait, this is six? That's sick. What? Yeah, how did that happen? No, I'm sure I just typed it wrong. SSH, not gonna be that helpful. Let's look at these other domain names, let's look at these other subdomains. Dev sounds kind of good, not gonna lie. Are there gonna be any development files? So it redirects me to HTTPS again, totally fine. That brings me to the exact same page. Okay. What about beta? Does that bring me to a specific beta fish? Beta, yep, take me there, please. Oh, it just brings me to 8000 again. That's not helpful. What was that last one? Monitorr. Let's go to that. Okay, take me there. Oh, what the heck is this thing? "Pet shop is online." It took me to localhost, that's weird. Jellyfish... Jellyfin is on 8096? I just see the tooltip down there. Is that a thing? Is that a real port, 8096? I didn't see that from nmap, not that nmap was really all that useful, considering it broke everything. Jellyfin, what is this? I don't know what username or password. What is Jellyfin? There's a server ID. That's not something that I could use on port 8000, is it? I'm really doubting that, but I'm just gonna try it. Nope.

Okay, Monitorr. I can turn it on and off. Is this a thing? Oh, it is, made for the community, it's an open source thing. What does it do? Nothing else in here, just a little JavaScript, seemingly to do the actual display. What is this? "Monitorr is a web front to live display the status of any web app or service. If updating to version 1.7 from any previous version, before updating, backup." Screenshots, very cool, very slick. Wow. Oh, it's PHP. There's something we could take advantage of there. Are there any issues, known issues, security things, things that I can exploit, maybe? A lot of feature requests. Security, security advisories, nothing new. The thing had a version number on it, didn't it? Yeah, Monitorr 1.7.6. Are there any changelogs in here? 1.7.6m.
This is 1.7.7d back in 2018, so this might be old. Yeah, okay, so this is the version, 1.7.6. Are there exploits? You know what, I should just check searchsploit, which I do have in my path here. So I'm going to searchsploit Monitorr. Yeah: "Authorization Bypass" and "Remote Code Execution (Unauthenticated)". That sounds kind of nice. What do I do with this thing? Let me take a look at both of these. searchsploit, I'll just use -x to display that. Let's use -m, because I want to get my syntax highlighting, please. Just bring the file over here and we'll open it up in Sublime Text.

Authorization bypass: "Specify parameters in a format: python <script> URL user login". Wait, how is it an authorization bypass if it takes in a user, password and stuff? "Allows creation of administrative accounts by abusing the installation URL." Is that URL still a thing? assets, config, installation, register... Let me go there, that /assets/config/installation/register... Not a thing. I don't know if that'll work, my guy. Yeah. So you could create a user, but that's not going to help us, I don't think, with this one, because it just genuinely doesn't have that PHP file right now. There's a link here. What does this other one do? Remote code execution, unauthenticated, which is good, because I do not have an account. Bring that down, 48980. This is the exact same one, is it not? What did I just... no, there's a difference. They looked very similar, I was a little weirded out. I'm sorry, I didn't mean for that to just be complete nonsense, they looked almost identical.

Remote code execution, unauthenticated. It needs a target URL and LHOST and LPORT, so it calls back to me. Yep. It tries to go to assets/php/upload.php. Does that location exist? It does, it gets errors. Okay. data/usrimg, is that a thing? It's going up a directory, so it's not in php anymore, it's data/usrimg. Thanks. So this file exists.
There's nothing to it. I'm sure it's going to be processed server-side, right? Because it's PHP. So, headers: these look pretty fine. Can I pretty-print this or something, so I can see what those headers are actually doing? I don't really care that much, but this is kind of hard, kind of annoying, to try and make sense of and read. Whatever, this is totally unnecessary, I just kind of wanted to be able to see a little bit better. And data is a straight-up mess, but it is uploading a file, shell.php, with an underscore in the mix, image type GIF. God. You know what, word wrap, where you at, my man? Okay, it includes a GIF header and then a PHP exec of /bin/bash calling back to an IP address. Yeah. Okay. "Shell script should be uploaded now, we try and execute it." I mean, that file exists, so maybe that was worth a try. I'm gonna move that 48980.py to exploit.py, how about that. python3 exploit.py, and I need a target URL and LHOST and LPORT.

Oh, this machine is on the internet, so I will probably need to either use my VPS, a virtual private server, or use ngrok. Let's use quad 8 and then I'm gonna use ngrok, if that's totally cool. ngrok tcp 8888, good. And now I have this IP address and port. So if I, just for kicks, just to verify, sanity check, were to try and netcat to that, I do see that connection come back. So ngrok should be behaving for me. Yeah.

So when I run this exploit, I need the target URL, which I'm assuming is just going to be the root of monitorr, just like this. And checking out the exploit again, it actually, yeah, it adds a forward slash, so I don't want that trailing forward slash there. And then, oh, it needs the space for the port. So if I try and run this... oh, it's getting an SSL error because of the certificate. So, we make a POST request and a GET request, so we can just tell them to totally ignore the certificate. verify should equal False, don't bother verifying the certificate.
I know this is just a fake internet game, so it's not real, nothing is real. Why is it still dying? Oh, I need to be editing the exploit script. I just accidentally saved a copy of my old 48980, or whatever those numbers were. So now verify is False. Trying that command again: "shell script should be uploaded, now we try to execute it." It's warning about the certificate, that's totally fine. No? Can I proxy that or something, to see what the response is? I mean, I guess I can view the page. Is there a file created, though? data/usrimg... no, I don't know. data/usrimg... no, no new files.

It tries to get the page, but I want to view the response as we try and upload it, or post it, right? So that's the POST request. If we do print(r.text), we can see the response: "You are an exploit." How did you know? My user agent, is that it? My user agent isn't Python. How does it... if I POST to it... stupid stinking certificate. "You are an exploit." That's just curl, I didn't set a user agent there. Is there something going on, like tracking me? Oh, there's a cookie. There's an isHuman cookie and it's set to 1. I am human! I know you people don't want to believe me, I see your comments. isHuman, that should be 1. And then let's supply that along with it. I'll grab that same syntax for the GET request. And now how do we look? It didn't give me that "you are an exploit" error, but it says it's still not something that it wants to upload. What page was that? It didn't put it there, did it? No. Is there some weird stuff going on? Like, will you upload a GIF, quote-unquote, genuinely a GIF, if I add that .gif extension? I'm gonna try and download it, so we have to switch it in that path as well. Go back to my Python. It uploaded. Oh, that uploaded. Yeah, so that uploaded, but it's not very helpful to me, because it's not running.
It's not going to execute PHP. Does it... is it checking if a file extension is there, or if it has a GIF header in it? What is this server doing? That one failed. What is the server doing to try and limit and constrain what I could send it and what I could give it? Like, is there filter evasion? Is there some blacklist for data that I have to send it? .gif.php? Can it work with other ones, like .php3, maybe? No. "gif.php3 is not an image or exceeds..." So that one failed just as well. Let's try .phtml. Will that work? Oh: "shell.gif.phtml is an image, file uploaded." We requested it, but we didn't get a callback. It exists. Is my tunnel still happening? I want to see if it gets the callback. Click on it. What is happening? The page isn't loading for me. I mean, it's probably trying to call back, but is it not, like, the ngrok? Let's try without the ngrok. Let me just get to a server that I can control. Let's get into shared memory and listen on quad 9. Oh, sorry, I need netcat. Now when we try this connection, please call back to John Hammond on 9999. That should request the page. Does it need to be a real port, one that's obviously not stupid, that's genuine, something that would actually probably allow outbound traffic? Like, I'll listen on port 443. Ah. Oh, it's running a website, that makes complete sense. Maybe that was what was wrong when I tried to use ngrok.

Just for the fun of it, let's see if we can get pwncat in here. That might be good, and everyone can whine and complain, because every time they see pwncat it's doing horrific things, but sometimes it's nice, you know. Let's listen on 443. Can I sudo that? Well, let me... oh gosh, that's gonna suck. All right, screw it. No pwncat. sudo on that: nc -lvp 443. Yeah.
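The upload filter being probed above (a GIF header makes the file "an image", and only a short extension blacklist is consulted, so a double extension like `.gif.phtml` gets through and the web server still hands `.phtml` to PHP) modelled as an added example, beside a hardened version. This is constructed code, not Monitorr's and not from the video; the blacklist contents, function names and sample payload are assumptions.

```python
"""
Model of a magic-bytes-plus-blacklist upload check (weak_check) next to an
allowlist-plus-rename check (hardened_check). Constructed for illustration;
the weak blacklist below is inferred from which uploads the transcript saw
refused (.php, .php3) and which it saw accepted (.phtml).
"""
import os
import re
import secrets

GIF_MAGIC = (b"GIF87a", b"GIF89a")

# Weak filter: extensions it refuses (assumed), everything else is allowed
# as long as the body starts with a GIF header.
WEAK_BLACKLIST = {".php", ".php3"}

# Hardened filter: the only extension accepted, tied to the magic bytes it
# must carry, and a strict pattern for the rest of the name.
ALLOWED = {".gif": GIF_MAGIC}
SAFE_STEM = re.compile(r"^[a-z0-9_-]{1,64}$")


def weak_check(filename: str, data: bytes) -> bool:
    """Vulnerable logic: 'looks like an image' + a blacklist of suffixes."""
    ext = os.path.splitext(filename)[1].lower()
    if ext in WEAK_BLACKLIST:
        return False
    return data.startswith(GIF_MAGIC)


def hardened_check(filename: str, data: bytes) -> tuple[bool, str]:
    """Allowlist the suffix, refuse double extensions, verify magic bytes,
    and never store the caller's name. Returns (accepted, reason_or_name)."""
    stem, ext = os.path.splitext(filename)
    ext = ext.lower()
    if ext not in ALLOWED:
        return False, "extension not allowed"
    # A dot left in the stem means a second extension (x.phtml.gif); refuse
    # it rather than trusting which suffix the web server maps to a handler.
    if not SAFE_STEM.match(stem):
        return False, "unsafe filename"
    if not data.startswith(ALLOWED[ext]):
        return False, "magic bytes do not match extension"
    # Persist under a server-chosen random name so the request can never
    # pick the path (and never overwrite a previous upload).
    return True, secrets.token_hex(8) + ext


# Constructed sample bodies: a real-looking GIF and a GIF header with PHP
# tags appended, the shape the weak filter mistakes for an image.
REAL_GIF = b"GIF89a" + b"\x01\x00\x01\x00" + b"\x00" * 20
POLYGLOT = b"GIF89a" + b"<?php echo 'not an image'; ?>"

if __name__ == "__main__":
    for name, body in [("fred.gif", REAL_GIF), ("shell.gif.phtml", POLYGLOT),
                       ("shell.php", POLYGLOT), ("shell.phtml.gif", POLYGLOT)]:
        print(f"{name:18} weak={weak_check(name, body)!s:5} "
              f"hardened={hardened_check(name, body)}")
```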
Now ngrok that, please, ngrok that. Yeah. So now I am 6.tcp.ngrok.io 11559. Send that in. No shell. But it uploaded. What are the contents of this file? Now it's going to try and request it, and it's going to be hell. Let's give the VPS one more try. I'm going to sudo nc -lnvp 443. That's already running, I don't care. Everything, please die. Okay. Let's try that now. What's going on? No, no, no, that's just random people scanning my computer, that's just genuine traffic from bad actors. Oh, it wasn't uploaded because it already exists. No, it didn't make any changes, because it already exists. I should have read the error message.

import random, please, import string. So let's say filename can go ahead and equal random.choice of string.ascii_lowercase for _ in range of random.randint, I think 5 to 12, that's totally fine. So let's put that all together, and then let's make the data go ahead and define that as the filename with an f-string, so that's pulled in. And let's do the exact same thing over in the URL that we request. Oh, and I never even requested the stinking extra .phtml thing, the other little file extension here. It was never going to do anything. Gosh. All right, so what I did is I just hot-patched the script to use a random filename each time rather than that constant one, because it was going to end up trying to overwrite itself and it wouldn't let it. So now it just has a random script name, and it will hopefully actually request the same file that we've uploaded. So I guess... yeah. Gosh darn it, how much time did we waste on that?

Well, here we are, with my random filename, that's a good one, "augwebex", or however you want to read that. I am just www-data, though, and I want to make this a stable shell. Oh, sorry, do I actually have Python? which python, please?
Nope. which python3? I do have a python3. python3 -c 'import pty'... gosh, I hate unstable shells so much, and you're not going to be able to see this because I can't clear my screen. import pty; pty.spawn("/bin/bash"), close parentheses. Do it. Ctrl-Z, stty raw -echo, fg, hit Enter a few times, export TERM=xterm. So now I have a manually stabilized shell, sort of. Are we in a Docker container or anything? No. What can I do? What home directories are there? robyn. Oh, sorry, that's a directory. She has nothing in her home directory. Where is this flag that I'm supposed to submit? Is there one? flag1? Where is that? Jellyfin... Robyn McKenzie... she doesn't have a flag. What's in www? flag1? Let's do it. One down, cool. Hey, I've got a streak, one flag submission. I'm truly sorry, I'm truly sorry.

Now we need a privesc. Can we get into robyn? Well, she has nothing in her home directory. We could run LinPEAS to enumerate, we could try to do some stuff manually, but uploading something is kind of going to be a pain. God, I so, so wish pwncat would work well for me, because it's just so much easier, like I could updog stuff. But I guess we could do that, I guess we can updog stuff. Let me copy a rendition of LinPEAS over here, and let's try and updog that in this current directory, so that I can ngrok tcp 9090, or I guess that should be, I mean, that would be HTTP on 9090. Well, let me do that. Do I have things to actually access those? Do I have curl? I do. All right, let's get to... hmm, curl that on port... what port? Oh, it doesn't have a port, seemingly. Can I download linpeas.sh? Just throw it into linpeas.sh, I guess, because curl will go ahead and put it on standard output. I mean, it got it. You know what, you can't complain. Okay. Let's see how we do. I don't know if it'll be able to find anything, but it's kind of worthwhile to run, and we can go about and do our manual enumeration if need be. What do we got?
It is a virtual machine, that makes sense. sudo version: is that an old sudo version? I feel like that's the one that got patched. I don't know. Useful software: lxc. Are there LXC and LXD containers going around? I'm not in that group, I'm just www-data. I'm a real low-privilege user right now, so I don't think I'll be able to do a whole lot, unless anything egregiously stands out, like, "oh yeah, FTP's running, you could dump credentials if you were root." But I'm not root. Hmm, socket, snapd, owned by root. I don't usually see that. That's not something I typically see in LinPEAS output. It's not really all that useful, it's like an error message, but that's weird. And that's all I got out of LinPEAS. Okay, I guess that's all we're gonna get. That's weird to me, I want to look into that. I'll open up Firefox now. Okay, thanks, I guess. If you load the page: socket files for snap, though. That's a snap... I know it's not anything that's immediately useful, because it's just an error message, but it's still really weird to me.

What else could we do? We could go through g0tmi1k's privilege escalation guide, since we don't really have anything out of LinPEAS, and maybe pwncat would be able to track stuff down, but again, we'd have to have that working. Applications and services: what applications are installed? That might be fine. Ah, that just read it all out in /bin and /usr/bin, but LinPEAS would have found that. What about dpkg? snap, of course. There's a lot of libraries. Okay, we're in lib land, I don't like it. And that's it. It has the version, though. That sock thing is still throwing me off, the socket thing with snap. Part of me wonders if that's a thing. I've never seen that in LinPEAS before, but it didn't know what to do with it. What is snap? I mean, obviously I know what snap is, but what's that version number? Is that a thing?
Let me searchsploit snap. Oh, oh, oh, oh! searchsploit snap and that version number: 2.32.5 is less than the one that's dirty_sock. Oh! I've never actually done a dirty_sock exploit thing. I've known it through... maybe it just sounds similar enough to Dirty COW, and obviously this was kind of a big thing when it was found out. I remembered it being in the news and all. searchsploit -x on that. Yeah, yeah, yeah, January 2019, and the version number is lower, so this thing should be vulnerable. "Create an account at the Ubuntu SSO"? Is that for real? Version 2: there's a lot in this. What about this one? What's the difference between that one and this one? Let me copy that down, searchsploit -m 46..., please. Oh, this is the dirty_sock version 2. Oh, it has the snap pre-created, and it installs it, snap.snap. Oh, that must be why this box needs to be public, so it could actually reach out, if it does need to get stuff from Ubuntu. Am I understanding that right? What does this POST to? Let's do it, let's just do it.

Let's get back to the victim. I guess I could download that, since it has now been put in the location that I'm serving with updog, and it's the 46362. Let's just move that to dirty_sock.py. Yeah. And let's try and download that. Cool, got it. ls. I guess let's do python3 dirty_sock. "Has to sleep for five seconds", "has to sleep for eight seconds", snoozing. Come on, the suspense is killing me. Okay. So I can su to dirty_sock, the password is dirty_sock. I'm dirty_sock. Is that root? Oh, no, but I can sudo. Do you need a password? I know the password. Oh, that's cool, that's super slick. Dunzo, dunzo. I like that one. I'll be honest, I haven't done dirty_sock before, and I need to Google that and look into it a little bit, but that is... that's a good box.
I'm sure, like, if those other subdomains had other stuff in them, I would have fallen down that rabbit hole for a long, long time. But I felt like, between Monitorr having those immediate version numbers that you could look up and check through searchsploit, that was good to kind of keep me moving. And the privilege escalation, I feel like I cheesed that, because what LinPEAS did, which wasn't a specific message like, "hey, this is vulnerable, this is exploitable," it just gave me that weird error, and I was like, I feel like I've never seen that before. I don't normally notice that with socket files, especially from snap. So I don't know why, but that triggered me and I started thinking about it, so I just kind of wanted to look at it a bit more. But going through g0tmi1k's privilege escalation guide is certainly a good thing to do if you don't have anything with LinPEAS, or if you want to try other enumeration scripts. I don't know if, like, LinEnum or whatever xyz.py file you can use for other automated detection for privilege escalation... It's surprising to me that LinPEAS didn't actually trigger and see that on its own. Maybe that's something that we could, I don't know, have better detection for when we're starting to script this a little bit. I don't think that was too awful, I don't think I spent an insane amount of time on this. That's it, though.

Cool, all right. This was a lot of fun. Thank you, MuirlandOracle, for this box. This was very fun and very slick. I really enjoyed the goldfish and everything else in Robyn's Pet Shop. I don't know, maybe if Robyn had a little bit more, if there were other users... This was cool, this was a lot of fun. So, how many people have solved this at this point?
Does it say 2000 users are in this, just about? So jump in the Discord. Are the write-ups available? Just the one by MuirlandOracle. Oh, and that, I mean, it says, hey, don't share write-ups until after it, but... nice. This was cool, this was fun. I don't even know what Jellyfin was there for, I'll be honest. We went in a lot of different places, we tried to look under every stone while we could, but that was fun, that was good, and I enjoyed it. I hope you did as well. I hope I didn't stumble or go back and forth too much. That was cool to see dirty_sock. So I think that's it, I think that's the end of the video, I think we did it.

Thank you so much for watching, everybody. Thanks so much for hanging out. Hey, I hope you enjoyed this sort of thing. We had a kind of a cool conversation between MuirlandOracle and me in the TryHackMe Discord about designing dungeons, and how making this activity, making exercises, trying to create security training like that, I don't know, it takes a lot of thought. Like, exploiting and taking advantage of breaking stuff is one thing, but when you're trying to build it, and when you're trying to make the environment, where you have a structured playthrough of how you want folks to get through the room or the machine or the challenge, that's a whole other ball game, it's a whole other can of worms. So absolute credit goes to MuirlandOracle, and of course serious props to Fawaz for being willing to donate an OSCP voucher. But the way to do that, the way to get in, the way to party, is to be in the TryHackMe Discord. So if you aren't in there already, please do jump in. You can see who won this thing, you can see if you won this thing if you solved it, and there's a lot of great shenanigans going on. It's all part of being a part of the community. That's it. Thanks for watching this video, everybody. Thanks so much for hanging out with me. I hope it was fun. I'll see you in the chat as we're going through this live.
I'll see you in the comments. I'd love it if you could like the video, please, and maybe press that subscribe button, I'd be super appreciative. So thanks so much for watching, everybody. I'll see you in the next video. Take care.