How's it going everybody? My name is John Hammond. It's been a little bit since I posted a video, so I wanted to get back into the swing of things. We're gonna be doing some TryHackMe. Let's do the Vulnversity room over on the website there. So I'll switch to my screen here and we will go ahead over to the Hacktivities section where we can look at all of the rooms that are available, and Vulnversity is what we're gonna end up looking for. So once this goes ahead and loads... take a little bit of time there. Okay, cool. Vulnversity is here: learn about active recon, web app attacks and privilege escalation. So let's go ahead and join room, that green button there, and once that lets me in we should be able to tackle this.

I do have my VPN downloaded, so I'll go ahead and connect with that. That's just the John Hammond YouTube VPN key. Log in with the password there. Now that that is connected, let's spin that up with a new terminal and let's make a directory for Vulnversity. Good. I guess I added an I in that, whatever. So we will need to deploy the machine and that will go ahead and take a little bit of time, but we'll have an IP address. I don't know what, jot that down here. I'm just gonna say, in that, let's make that the correct name just for the internet's sake, and let's make an IP address text file just so I can keep track of things. I ended up aliasing nano to Vim, so that's just my convenience as needed.

So that's deployed. Let's go ahead and see if he's actually up. Let's ping that. Still taking a little bit of time, so we'll stand by. But that task, just to deploy it, should be done nice and easily, and then we're gonna want to head... I want to go ahead and nmap the machine. So we use nmap. Do I have nmap installed? I should. nmap. Okay, good. I'm working off of a Kali install right now.
So theoretically everything should be working A-OK for me. So we could use the nmap syntax that they recommend with nmap -sV. Typically, just out of the norm, I end up using -sV and -sC, and TryHackMe is really, really nice: they actually just specify, hey, here's a good little cheat sheet or some information with some of the flags, the arguments or parameters, what they actually do. So that -sC that I normally do will also scan with the default nmap scripts, because the nmap scripting engine, or NSE, is fantastic. -sV will attempt to determine versions, and that's gonna be super duper handy, especially if we're gonna be trying to track down some vulnerabilities and exploits.

So looks like that ping response came back. Let's make a directory nmap for some quick work here, and let's use nmap -sC because I like to use that, -sV to enumerate versions. I will tack on -oN so I can save it in that nmap directory; I'll just call it initial, and the IP address. So now that that is started we could go see what it's actually gonna ask us to determine.

Scan the box: how many ports are open? Okay, we'll find that out as soon as we get the nmap results back. What version of the Squid proxy is running on the machine? Okay, we can assume Squid will be in there. How many ports will nmap scan if the flag -p-400 is used? Well, okay, so -p- up to a number will specify port scan for all ports up to that. -p- with nothing will go all the way up to port 65,535, and -p- up to a certain number will go up to that number. So we can just specify that should be 400 as the total number of ports scanned, and once TryHackMe lets me know, yep, that's correct. Okay, if using the nmap flag -n, what will it not resolve? So going back, we'll let nmap finish over there, but let's check out the man page for nmap, because we can see over here in their cheat sheet they actually don't discuss the -n flag.
I'll actually just search for that with a forward slash, -n. Forward slash lets me search in paginated output, or less, here, and that -n will never do DNS resolution. Okay, so we could specify it will not resolve DNS as our answer here. Good, that should submit, and now we have our results back.

So let's kill that window and let's go take a look at what we have here. So FTP is open, vsftpd 3.0.3. SSH is open, port 22, probably Ubuntu. Okay, it looks like we have a lot of telltale signs for Ubuntu. NetBIOS, SMB 445, Squid proxy here, interesting. Oh, but we also have the version number that it was asking. The Apache server's running on quad 3. So how many ports do we have total? 1, 2, 3, 4, 5, 6. Okay, so that's that first answer: how many ports are open, we have 6. What is the version of the Squid proxy? Let's grab that here, 3.5.12, slap that in. What is most likely the operating system that that machine is running? We saw a lot of telltale signs for Ubuntu, so let's give that a go. And what is the port that the web server is running on? So quad 3, you can see, is running HTTP and that's Apache, so we have a version number there if we wanted it, but quad 3, go ahead and submit.

It's important to ensure you're always doing your reconnaissance thoroughly before progressing. Knowing all open source, excuse me, services can also be points of exploitation is very important. Don't forget to scan for ports at a higher range, so always scan for ports even after a thousand. So yeah, let's go ahead and do that, leaving that running in the background. I'll be aggressive with that, I'll use -A, and let's call it allports, and we'll specify that -p-, so we go all the way from zero to port 65,535. There we go. We'll let that run. So we know that there is a web service or a web server running on port 3333, quad 3, so we could go ahead and take a look at that.
I will slap that IP address in, go take a look at this page. It says Vulnversity: "No nation can prosper in life without education." Cool, very cool. Okay, so now we could start to do our normal enumeration, reconnaissance on this website. You could use Nikto, we could do a little bit more nmap stuff, we could do some other enumeration with DirBuster or gobuster, and that's actually what they recommend. We're gonna end up using gobuster to go ahead and find other directories or other locations on this website. So we could download gobuster; they give us a link here. I'm running in Kali. I did have to install it, I think, for my version, so gobuster. I just needed to do a little sudo apt install gobuster, and now we'll end up using it with dir as our directory/file brute forcing mode, and they recommend that here, and we can go find our wordlists over in /usr/share/wordlists.

So we'll need that IP address. So let's use gobuster -u http:// that guy on port quad 3, and we'll use a wordlist with the -w argument. So I'm gonna end up grabbing one out of /usr/share/wordlists, and I think it's dirbuster is what I like to use, and there is a directory-list-2.3-medium is kind of what I like to use. So -u, shorthand flag u, and -u, what does that mean? What? What do you... oh, oh, I forgot the word dir. I don't know why I do that constantly.

Okay, so now he's rolling through it. We can see an images directory. We can go take a look at that while we're here. Looks like that has a lot of potential pictures in here. Nice, dude, that's awesome. That's what we all came to YouTube for. CSS, JS for JavaScript, Cascading Style Sheets, so a little bit more static information. Looks like that is being displayed with directory indexing, so that's kind of neat. We might be able to track down some other potential files in there if we wanted to. Of course, we could run Nikto. Do I have that installed? I do. Yeah, let's run him.
Let's run Nikto. We're gonna need that http:// ... :3333. Good, he's rolling, but we also found some interesting thing here: /internal seems kind of new. So let's go check that out, /internal. Nice, and looks like there is an upload functionality there. So that is what TryHackMe expected us to find; we did want to find this /internal page. We can go ahead and submit that, and good, that's correct. And we do want to end up saying yes, we successfully ran gobuster. So now that task three is done... why isn't task two done yet? Oh, forgot to hit complete up there. Okay, good.

Now let's go take a look at task four, compromising the web server. So now that you found a form to upload files, we can leverage this to upload an executable payload that will lead to compromising the web server. Try to upload a few files to the server; what common extension seems to be blocked? Okay, well, my knee-jerk reaction to this... we can ignore Nikto, and we can probably stop gobuster now that we found a location. My knee-jerk reaction to this is to try and upload a PHP reverse shell. So if you don't have that installed, you can go take a look at php-reverse-shell on GitHub; it's going to showcase one that comes out of pentestmonkey, and this one is pretty awesome because it's a very, very stable and solid PHP reverse shell.

So I'll just grab this. I'll save it in my /opt directory because I'm probably going to end up wanting to use this more often. I don't think I actually have it in here just yet. So let's make a directory revshell. I was gonna call it exploit, but it's really not what it's doing. So let's go ahead and copy that /opt php-reverse-shell into this directory and let's modify this here, because I need to know my current IP address for this interface inside the VPN. So I'm looking at that tun0 interface, and that's 10.8.26.10. So we'll change that here, my IP address, and we'll use a new port. I'll use 9001 because it's over 9000. It's a shout-out to you, IppSec.
I love that joke. Okay, and now we could try to upload a few files to the server. What common extension seems to be blocked? Well, let's go ahead and start to listen on a port, so in case this executes: 9001, little extra there. And let's move that PHP reverse shell to just something simple, revshell.php, so that's nice and easy for me to access. Let's go to ctf/tryhackme/vulnversity/revshell, revshell, upload that. It says extension not allowed. Okay, a little annoying, right? So what this is telling me is... let's try that, PHP not allowed.

TryHackMe suggests we could go ahead and kind of enumerate what things might be useful out of Burp Suite, go through a couple of extensions for PHP files and see one of them maybe will be allowed and one of them might not. So obviously we know .php won't work. We could try .php3, .php4, .php5, etc., etc. So they're doing this with Burp Suite. I kind of want to change the game and I want to do this with Python, because I think that might be a little bit of fun and we could do some cool learning in that.

So let me go ahead and create a little script. I'll use /usr/bin/env python, if I could type, and I'm gonna end up importing requests. Do I have requests? Will that work? Yeah, okay, cool. So let's grab the URL here. Let's just change the IP address, make that its own actual variable. I'm gonna use some f-strings just to be able to put that in place, because in case I need to revert this machine or something I will be able to change that really easily in my script. I should be using argparse and, like, make it a unique tool, but I'm not just yet. We could do that if we wanted to. So this is gonna end up posting to just itself, index.php, with some files in there. The type is file, that's the name of it, name is file and ID is file. Okay, and then we just need to go ahead and submit all that. So let's try to use Python requests to upload a file. I just want to showcase the documentation here.
So you can see it really nice and easily. I'll go to their quickstart: POST a multipart-encoded file. So we have our URL, we just defined that, and they actually specify files as a dictionary with the file name that you want to end up working with. So let's say our file name can equal revshell, and then let's say extensions can be a good list of everything they already suggested. Let's say .php, let's say .php3, .php5, .phtml. That's all that they suggested within TryHackMe; isn't there .php4 also in the mix? Whatever, let's just be nice, .php4. Okay, cool.

So what we'll do is we'll say files can equal file, because that is exactly the name of the argument that the page is going to end up taking. Let's clear that, let's clear that. So post to the URL with files=files, and we need to go ahead and open it in that binary mode. So let's try that. That's all they're doing. Yep. So let's open, and let's say, let's do this over and over again. So let's do for file in extensions. Let's change that to ext. We'll do filename equals, and I'm gonna use os so that way I can actually properly join these segments of a file name. So I like to use os.path.join, filename and extension. So just for a sanity check, let's display that. Okay, so that's getting a little bit messy. Filename equals that; let's just say file. There we go, and we're printing filename when we want to be printing file. Okay, great. I do have a forward slash in there because it's using join as if they are directories, so maybe that's not what I end up needing to do. Annoying. Let's just do filename plus extension. Sure, whatever. I guess we don't need os for the time being, but we will end up needing to change that. So we could also specify headers explicitly.
That's kind of neat. Those are some other interesting things we could do with that file, but we are going to end up needing to rename this. So because we have this, we can say, specify files can equal file: open(file, 'rb'), and let's do a requests.post to that URL with files=files. So then that should return a response object for us; I'll just call that r so we can keep track of it, and we'll go ahead and see what it says. And it tried to do a few of those, but that's the only one that works: extension not allowed. Okay, so now we know that the .php one, because it's trying that first, was getting that extension not allowed. So we can say, if "Extension not allowed" in r.text, we can print, let's just say, extension not allowed, and otherwise we can say, seems to be allowed, maybe.

And let's go ahead and rename that file to the original file. Let's just call it... hmm, how do we want to keep track of the previous file name? This is peculiar. And we could just do a simple shutil, I think, to move a file, or Python rename, rename a file. Oh, rename, we'll just straight up do it. os.rename. Is that a thing I can do? os.rename. Let's just say old file name, original file name equals revshell.php. Let's just say new file name equals... let's also set that old file name equal to that old file name. Yeah, we don't even need original file name then; that variable isn't necessary for it, because we're just going to end up updating the old file name after each new one. So rename old file name to new file name, and then after we've gone ahead and tested something, let's rename, or let's reset, the old file name to be the new file name. So it's changing it automatically over and over again. Let's go. File is not defined. Yep, because now we are new file name. We don't need to print that out anymore. PHP is not allowed. PHP isn't allowed. PHP is not allowed. PHP is not allowed.
But .phtml seems to be allowed. Cool. So our script simply just determines it and brute forces some extra files in there without using Burp Suite, which is kind of cool. Maybe that showcased a little bit more logic and some quick, dirty development in Python. Wanted to, uh, bring that to you guys in case you had any interest. Simple script, simple loop, just looping through those and keeping track of the old file name, renaming it as we're working through.

So what we've done now is we have actually uploaded this something as a revshell.phtml. So we can say, okay, yep, we've gone and completed it. We're not going to use DirBuster or Burp Suite because I just don't particularly care, but .phtml might end up working for us. Let's go verify manually: .phtml revshell. Success. Okay, good enough. We know that that one does work. So we downloaded the PHP reverse shell; we've already done all that. Now we've set up the listener and we've gone to it, we've accessed it. So it is in internal upload. I will clean this up a little bit and start the listener one more time. Um, so now back over on the upload page, if I check out uploads, there is a revshell.phtml there. So let's go ahead and activate that. Okay, great. And now I can see that shell came back to me. Awesome.

So, um, this is kind of an unstable shell, so what I'm going to do is I'm going to use the python -c 'import pty; pty.spawn("/bin/bash")' technique. Now that will get me a shell, and I'll Ctrl-Z to foreground that, and I'll use stty raw -echo, and now I won't be able to type anymore, but I'll specify fg, whack enter a little bit, and then export TERM=xterm. So now I can Ctrl-L and tab complete and use my left and right arrow keys, etc., etc. So now that we have a shell on the box, let's see what's next. Yep, we've gone ahead and got our connection. What user is running the web server? Okay, so let's just run whoami. www-data. Is that what it's particularly asking for? That's just running who I am.
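As an added example (not the video's own script), here is the extension probe the video builds with requests, written so the upload call is injected, placed next to the check the upload form appears to be doing (a deny-list) and an allow-list version of the same check. The deny-list handler is constructed to match what the video observed; /internal/index.php, the form field name "file" and the "Extension not allowed" string come from the video, and only requests_uploader touches the network.

```python
#!/usr/bin/env python3
"""Added example, not the video's script: probe an upload form with the
extension list from the room, and compare the weak deny-list check the form
implies with an allow-list check. The handlers are simulated in-process so
the probe runs offline."""
import os
from typing import Callable, Dict, List

# Extensions tried in the video (.php4 added by the author on the fly).
EXTENSIONS: List[str] = [".php", ".php3", ".php4", ".php5", ".phtml"]

BLOCKED_MSG = "Extension not allowed"   # the string the form returns


# --- weak check (constructed to match what the video observed) -----------
DENY_LIST = {".php", ".php3", ".php4", ".php5"}   # .phtml is missing


def denylist_handler(filename: str) -> str:
    """Simulated /internal/index.php: rejects only names on the deny-list.
    Debian/Ubuntu's Apache mod-php config also hands .phtml to the PHP
    engine, so forgetting one alias is enough for an upload to execute."""
    ext = os.path.splitext(filename)[1].lower()
    return BLOCKED_MSG if ext in DENY_LIST else "File uploaded"


# --- hardened check: allow-list plus a single dot in the name -------------
ALLOW_LIST = {".png", ".jpg", ".jpeg", ".gif"}


def allowlist_handler(filename: str) -> str:
    """Accept only known-safe extensions and refuse 'x.phtml.png'-style
    names, so the last extension is the only one a server could match."""
    base = os.path.basename(filename)
    ext = os.path.splitext(base)[1].lower()
    if ext not in ALLOW_LIST or base.count(".") != 1:
        return BLOCKED_MSG
    return "File uploaded"


# --- the probe loop from the video, with the HTTP call injected -----------
def probe_extensions(upload: Callable[[str], str],
                     stem: str = "revshell",
                     extensions: List[str] = EXTENSIONS) -> Dict[str, bool]:
    """Try stem+ext for each ext; True means the handler did not block it.
    Sending the name inside the multipart tuple avoids the os.rename()
    dance the video does between attempts."""
    return {ext: BLOCKED_MSG not in upload(stem + ext) for ext in extensions}


def requests_uploader(url: str, local_path: str) -> Callable[[str], str]:
    """Real uploader in the form the video uses (files={'file': ...}).
    url and local_path are whatever the caller supplies (assumptions)."""
    import requests  # imported lazily so the offline part needs no deps

    def upload(name: str) -> str:
        with open(local_path, "rb") as fh:
            return requests.post(url, files={"file": (name, fh)}).text
    return upload


if __name__ == "__main__":
    print("deny-list :", probe_extensions(denylist_handler))
    print("allow-list:", probe_extensions(allowlist_handler))
```

Run stand-alone it prints that only .phtml slips past the deny-list while the allow-list rejects every PHP alias.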
That's not the right number of asterisks, so that must not be right. Um, let's go find out who the users are on this machine. I see a bill user. Okay, and his home directory is in /home/bill. So let's head over there, /home/bill, and he has the user.txt file. If I check out the running processes, what do we have here? So Apache... bill is not running anything. Root is another option, and root is actually running, again, seemingly no Apache. That's all www-data, as it should be. Um, maybe we'll just specify bill because that's the user that owns that machine. Okay, click submit. Okay, good, there we go. Thanks. Thank you, thank you, notifications. I get it now. What is the user flag? Well, we are in his home directory, so let's check out user.txt, and we have this little hash here. So let's slap that in there, and that is the user flag. Awesome. Okay, so now that task is done.

Now we're on to the last one here: privilege escalation. Okay, what do we have? Now that you've compromised this machine, we're going to escalate your privileges and become the super user, root. In Linux, SUID binaries, or Set Owner User ID upon executing, is a special type of file permission given to a file. It gives temporary permission to the user who runs the program or file with the permission of the file owner rather than the user who runs it. For example, the binary to change your password has a setuid bit on it, /usr/bin/passwd, and this is to change your password. It'll need the rights to actually access the shadow file that you do not have access to, but root does, so it has the ability to do that. So you can find it with the s notation on the ls -l. So if I were to use ls -l on that /usr/bin/passwd, it is rws, and you can see that s specifies, okay, this is a setuid binary. On the system, search for all SUID files. What file stands out? Okay.
So we could do this with "linux find setuid". We could just kind of Google this. This is a pretty well known thing: find in a current directory, -user root, -perm. That -perm -4000 is really the best thing to end up using, because that'll specify those files that are set to 4000. So I'll do that. I'll do find in the root directory with -perm -4000, and I'm going to actually redirect the standard error to /dev/null, because there are going to be a lot of things that I can't actually access. So it's going to take a little bit to search for this.

Okay, scrolling through a few more of these: /bin/su, ncfs mount, ping6. That's kind of normally, typically... systemctl. That's peculiar. It's kind of odd. Okay, I don't know what that did or why that did that. /usr/bin/mount, okay, so it looks like we have a lot of options. Um, /bin/systemctl I'm kind of curious about, because I don't... I don't think that's often something that is setuid. Let me try and run this on my machine and let's find out. So find / ... we'll do that same -perm -4000 for that one. Yeah, and we'll redirect the standard output to nowhere. Standard error, sorry. So some of these might have setuid binaries in here. Okay, so no, systemctl is not normal, and that's... I just wanted to use my machine as kind of a baseline, because maybe, uh, systemctl I haven't installed. It's a thing. Okay, maybe systemctl is our candidate for a potential privesc. Let me go scroll back down here. So let's try him. This file stands out: /bin/systemctl is not normally one that is a setuid binary. So now we've gotten through this far. Are you able to exploit the system to escalate your privileges? Well, if /bin/systemctl is a setuid binary, we might be able to use that for privilege escalation.
We can go check out GTFOBins, because this is a fantastic resource for potential privilege escalations, where some binaries that might happen to be on a system, you can do things like get a shell, run a command to get a reverse shell, read files, download files, etc., etc. So let's go take a look at systemctl, and because it's running with SUID or setuid: if it runs with the SUID bit, it can probably be exploited to access the file system, escalate or maintain access with escalated privileges. If it's used to run sh, you can omit it with -p. But they give us some code here, an example that creates a local SUID copy of the binary and runs it to maintain escalated privileges. To exploit an existing SUID binary, skip the first command and run the program using its original path. Okay. Okay, so yeah, because it's existing, because it already has a setuid bit, we could just copy all of this. So it'll create a temporary service file where it will execute some commands, so /bin/sh -c, and it'll just execute there. We could do this, we could control this; maybe it'll give us a reverse shell, or make... um, this is a good technique that I like to use, where I like to change bash to be a setuid binary, so I could actually use bash -p and then escalate my privileges to become root temporarily.

Like if I check whoami right now, I'm just www-data. I don't have any kind of effective user rights, but if I were to modify this, here's a quick paste in here. Yep, I copied everything that we needed to. Oh, let's actually grab that, uh, make service syntax, and let's execute, um, chmod +s on /bin/bash. So if I don't run this, let's check out the rights on /bin/bash right now. It is only executable; there's no setuid binary bit. So if I were to try and run /bin/bash -p, which will allow me to keep permissions and privileges, I'm still www-data. That doesn't... that hasn't changed anything for me. So let's try and use this here, and we don't need to use systemctl.
We could specify that as /bin/systemctl. That's not going to use the period as the current directory, like a relative location. I want to actually use the full one. It's the full path. So now that bash will be executed, this command will be ran as root. It'll make /bin/bash a setuid binary, so when I run bash -p, I can effectively become root. So let's try that. Slap this in, ran it, created the symlink, great, and since it has ran with that enable --now... now let's check out the rights on that /bin/bash. Great, now you can see that s here, just as we discussed, and it has a setuid binary bit. So I could simply run bash -p, and now I'm root. Check that out. It still thinks I'm www-data, www-data, but my effective user ID, using that -p permission, those privileges that I can retain, I am in fact root. So now I can go check out the root directory and I could grab that root flag, because I have permissions to access this, because I am running effectively as root with bash -p, all because we were able to make that /bin/bash a setuid binary that I could run, abusing this systemctl that we were able to execute because that was a setuid binary. So that's kind of cool.

Let's go collect some points here and finish this up. Let's go back to our shell. Let's cat out that root.txt file and let's go slap that guy in so we can finish this room. All right, congratulations, you completed the room. That was Vulnversity from TryHackMe. I hope that was kind of cool. I hope that was kind of fun. I just wanted to showcase some other techniques. I think using Python to roll through that, kind of hammering the service, might be kind of cool. Allows you to have a little bit more flexibility on what it really does and how much more you want to add for some other file extensions.
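The video checks the SUID list by eye against the author's own Kali box; as an added example (not from the video), here is that baseline comparison as a small audit script, plus a live stat() check for the indicator the video leaves behind, a setuid /bin/bash. Both listings are constructed to look like find / -perm -4000 2>/dev/null output and are not real machine output.

```python
#!/usr/bin/env python3
"""Added example, not from the video: turn the manual 'compare against my
own box' SUID check into a repeatable audit, and watch for shells that
have gained the setuid bit."""
import os
import stat
from typing import Iterable, List, Set

# Constructed: a plausible Ubuntu baseline (not a real machine's output).
BASELINE_LISTING = """\
/bin/su
/bin/mount
/bin/umount
/bin/ping
/bin/ping6
/usr/bin/passwd
/usr/bin/sudo
/usr/bin/chsh
"""

# Constructed: the same listing with the odd entry the video noticed.
TARGET_LISTING = """\
/bin/su
/bin/mount
/bin/umount
/bin/ping
/bin/ping6
/bin/systemctl
/usr/bin/passwd
/usr/bin/sudo
/usr/bin/chsh
"""


def parse_find_output(text: str) -> Set[str]:
    """One path per line; drop blanks and any 'Permission denied' noise
    that leaks through when stderr was not redirected."""
    return {line.strip() for line in text.splitlines()
            if line.strip() and "Permission denied" not in line}


def unexpected_suid(target: str, baseline: str) -> List[str]:
    """Paths that are set-uid on the target but not on a known-good box."""
    return sorted(parse_find_output(target) - parse_find_output(baseline))


def is_setuid_mode(mode: int) -> bool:
    """True if an st_mode value carries the set-uid bit (the 's' in rws)."""
    return bool(mode & stat.S_ISUID)


def setuid_paths(paths: Iterable[str]) -> List[str]:
    """Live check: stat each path and keep the ones that are SUID right now.
    Shells such as /bin/bash should never appear in this list; a chmod +s
    on one is exactly the change the video makes to become root."""
    hits = []
    for path in paths:
        try:
            if is_setuid_mode(os.stat(path).st_mode):
                hits.append(path)
        except OSError:
            pass  # missing path: nothing to report
    return hits


if __name__ == "__main__":
    print("unexpected SUID:", unexpected_suid(TARGET_LISTING, BASELINE_LISTING))
    print("SUID shells   :", setuid_paths(["/bin/bash", "/bin/sh", "/bin/dash"]))
```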
I also hope you like that /bin/bash, the setuid technique. I like to use that because if you already have access to the machine and you can execute commands, just make bash -p actually work so you can escalate. That's a quick and easy privesc. You don't need to, like, fumble around getting your reverse shell, maybe in a small attack vector like we had, because we could only run seemingly one line. Or I guess we could modify that service to do whatever we wanted to, but I think that's quick and easy.

So hey, that's that. Thank you guys so much for watching. I hope you enjoyed this video. If you did, please do press that like button. If you didn't, press the dislike button twice so I know how much you hated it. I don't know. Love to see if you could leave a comment, hit the subscribe button, do all those things for the YouTube algorithm. Love to see you on Patreon, PayPal, Discord; there's a link in the description to the server, tons of cool people in there a lot smarter than me. Um, Facebook, Instagram, Twitter, LinkedIn and all those other social media things. Okay, thank you guys for watching. I'll see you in the next one. Take care.