Hello everyone, my name is John Hammond, and welcome back to another YouTube video. We're still looking at some TryHackMe rooms, and this video was super duper requested by dark, or d4rckh, so shout out to you, my friend; this video is for you. We're finally taking a look at the Tartarus room. This is a beginner-friendly room; it's titled "a beginner box based on simple enumeration of services and basic privilege escalation techniques." So I've spun the machine up here, and I already have some of these user flags and root flags submitted, so please forgive me on that, but I'll showcase how we can get each of those. So I will hop on over to my terminal, where all the good stuff happens, and I will cd into ctf, then tryhackme, and I believe I already have a directory for this recording. Yep. So let's start off with the README if we want to take good notes. So we could start off with an nmap scan. What I'm going to do is use RustScan, because everyone is all about that lately. I'll set a batch size of 500 and I will slap in that IP address, and we'll see what we get. Looks like we have port 21 open for FTP, port 22 open for SSH, and port 80 open for HTTP, or a website. With that said, we have a few things we can go explore. I'll fire up that IP address and we have a default Apache page. So we could do our usual test to check out robots.txt and see if that's a thing. Looks like we do have that, and there's dark again, great. So we have an admin directory that is, admittedly, not supposed to be found right at the start. So let's check that out, and there we go: we have admin-dir, and this is a directory listing with credentials.txt. Okay, these look like potential passwords. Let's store this; I will wget this guy just to download that. And what is that userid? Okay, these might just be names for users, so maybe credentials is a list of passwords while userid is a list of usernames.
That is worthwhile. I don't know where we're going to end up using this. Maybe we can try Hydra, because we have SSH open, but we should do some other enumeration other than just our manual robots.txt. So I will start a little Nikto session: I'll Nikto this guy and tee him to nikto.log. Nikto is just a simple web scanner; -h to specify the host, and I'll supply the http:// prefix for this URL. I'll spin him off. I'll move my RustScan, because I'm sure he'll pass that to nmap and do some good stuff with it, but let's also start to run some gobuster. So let's gobuster dir, -u for the URL to specify that, and I'll use the wordlist from my directory-list medium that typically ships with DirBuster. I'll let that run, and we could also specify some extensions if we really, really wanted to. But while that is enumerating, let's go ahead and take a look at some of those other services, because we know we have SSH open. If I were to try and netcat to that guy just to grab a simple server banner, looks like we do have OpenSSH on Ubuntu. So we have a good idea this is Linux, and we kind of had that same thought when we were looking at an Apache Ubuntu default page. There's nothing else in this source code here; I hit Ctrl+U just to view the source on the web page, and I don't see any hidden comments or any other gimmicks that they might be trying to trick us or fool us with. So let's take a look at that FTP URL, or that FTP port, that we could access. Let's connect with my simple command-line FTP client here, and we'll see if that ever comes back. There we go. Or not: connection timed out. Is the box still up, or did I hose the thing? Box is still up. We do have FTP on there, don't we? Yeah, there we go. Okay, looks like it's running vsftpd.
That is a later version of vsftpd. So there are some pretty well-known vulnerabilities for vsftpd, or the Very Secure File Transfer Protocol Daemon, but a lot of them are very, very old; if you see, like, 1.1.3.5, that's normally a big one to check. Anonymous: it might have anonymous access enabled, and we might already be able to see that if we've kicked off nmap, which we have. So RustScan found these three ports very, very quickly, and now he's going to give that to nmap to do some actual enumeration with the aggressive flag and very, very verbose, and those specific ports. So I really, really like RustScan. It looks like he's already finished, cool, and there is anonymous access enabled, and everything that we already found. Nikto found our robots.txt here; sorry, that's humongous. "robots.txt contains one entry which should be manually viewed." Anyway, let's get back to our FTP enumeration. If we're logging in as anonymous we don't need to specify a password, so I can just slap Enter there, and now I am connected and I can run ls to see the commands I have here, or the files on the file system. I do see this test.txt. We can go ahead and get that as we would, and simply looking here at that test.txt file, that's the classic vsftpd test file. Grr, okay, annoying; I did that also in Peak Hill, which is my room on TryHackMe, where I just left that file there, so also a shout and callback to Peak Hill. Don't forget, when you're working in an FTP client, to check for the hidden directory. So you can do that with ls -la, or that a to note all files, and we see an interesting one that has three periods rather than one or two. So that symbol for one period, or a dot, means the current directory; two periods will refer to the parent directory; but three periods is not normal.
That's not actually a thing in usual computer speak, so they might be trying to hide something interesting there. Note that that is a directory; you can see that d prefix there to specify, hey, that's going to actually be a folder. So let's try and change directory, or the cd command, into that location. You could run ls again; there's nothing there. Don't forget ls -la, and now we see more interesting things, like another dot dot dot. So very, very clever, very, very tricky. Let's go ahead and cd into that again. We can see that is a directory, so let's hop over there, and now ls. Now we've got yougotgoodeyes.txt, and just for our safety, ls -la, and there are no other excess files. So it looks like yougotgoodeyes.txt is what we want to work with, so let's get that. Now that we've downloaded that file, we have this yougotgoodeyes.txt file on my local system, so let's cat that out. And this looks interesting, because that forward slash might be indicating that that is a web directory, or a location we can access on the website. So I see "super secret" in some leetspeak. Let's go check that out, and this looks like a login page. Okay, very, very cool. We know we have credentials previously from when we found that robots.txt entry, so maybe we could try some of the credentials here, but it gave us a username list and a password list, so maybe we have to try and brute force some of these here. So you could do this with Hydra if you wanted to. I really don't like doing that, primarily because I dislike the syntax for Hydra, and because trying to determine and figure out whether or not it properly got a new page, or whether it successfully authenticated or not, is really frustrating and annoying. So what I'm going to do is look at the source code and see how this actually works, and then I'm going to write the script to log in to all this and brute force this web login page with Python. So stick with me.
I hope you don't mind. Let me open up my terminal and I'll start a webbrute.py file, and I'll bring that down; I don't need to have some of my CTF challenges visible there. So let's go ahead and start with a shebang line, #!/usr/bin/env python3. I'm going to be working with online web stuff, so I will import the requests module. I'll go ahead and create a session; I'll use an s object, or a variable, to capture that session, and for good practice I'll go ahead and close it and leave that at the very end of my script here. So we know that we're working with this URL, and I'll specify that as a string variable, but this POST request, this actual form submission, is going to a very specific page: that's going to the action attribute in this form HTML element, that's going to authenticate.php, and it's going to POST to that location. So rather than using super secret as the URL, we actually want to make sure that we're using, based out of that current directory, that authenticate.php page. Let's go ahead then and now take the names of each of these variables that this form is awaiting to accept. So I see username and I see password, and it's also good practice just to include the submit value as well. So let's go ahead and try; maybe we could just simply define a login function. And maybe, you know what, I changed my mind: maybe we won't need to use a session, because if that's going to be logging in, potentially one of these will actually get a hit; we don't need to capture that and keep it.
So forgive me; I guess we don't need to do that. We'll just use the regular requests module, and let's continue our function, though. Let's get a username and password that we could simply supply here, and then let's do an r, for requests object, to do a requests.post to that URL, which I will move up so we can actually have that variable defined already, and I'll include the data here that we're going to POST; that'll just be a dictionary object. So username is simply what we will pass; the string "username" is going to be the key here, because that's the data variable that that form, or that web page, is actually going to expect; this, without quotes, username is going to be the variable that we pass in to this login function. I'll do the same thing for password: password, that will again be what we pass in, and I'll grab that submit value as well, just for good practice; that will be a constant or static string there. Okay, now we have an r object, so we can print that, or just return that, I suppose, actually, and we can print it later outside of that login function. But now let's just try to print login with "john" and "please subscribe", or "please sub", cool. Let me fire that off; I'll hit Ctrl+B and we got a response 200. Let's actually grab the text of that page and see what it's going to return to us, because that might tell me... oh, "Incorrect username". Ooh, that's actually some good info, because we could go ahead and actually check what the username is before the password. If it's going to tell me just that first detail, that my username is right or wrong, then I don't have to test every single one of them; I can just start enumerating all the usernames, and then I can start enumerating passwords after I've found the correct username. So let's go ahead and open up these files. I'm going to kind of collapse that page, and let's get a little open function here; userid is the name of that file that has all of the usernames in it, and r to read it as a string.
I'll use a little context manager here, so I'll use with: with open userid, read in, with just a regular read, without bytes; I don't need to use that b prefix here, because I just want to pass in a string. I'll use h, and I'll use h.readlines(), or I'll just use h.read(), because that way I can do some simple list comprehension to remove all the newlines and properly read that as a list. So what I'll do is I'll just say usernames = h.read(). h.read() will return a big long string of all of the content in that file, so I'm actually going to end up splitting that on newlines, and I will actually go ahead and strip each of those. So I'll do a line for line in... this is some list comprehension, so some inline Python: h.read() will be the data that we're looking through; we'll split it to get it into a list format; then we'll iterate through each of those, for line in, and then we'll create a new list with that variable line being our iterator, but we will strip out maybe any excess newlines or stuff that just happens to be in there. So after that I should be able to print out usernames, and now I have a big long list of all of these here. It looks like I do have an excess, so that empty string can also be kind of easily removed if I just do "if line" in the list comprehension, so that if that line actually exists, if it's not an empty string, it'll go ahead and include it; my "if line" at the very end there will make that go away. Okay, we have all the usernames now. Let's grab all of the passwords. So, with... what is that, credentials.txt? Is that right? Yeah, I think so. ls. Yep, credentials.txt, cool. Let's grab passwords. Okay, so because we know from our little test earlier, just with our simple login function, that we can determine if it is the correct username or not, let's start by hammering usernames first and just passing in a bogus password. So let me do a for username in usernames; we can go ahead and try and log in.
Let's actually get a response variable, and then let's print out with a simple f-string, so I can say username, with the username variable passed in, and we'll get this response. There we go. And let's try to run this. And I have a "printf" accidentally. Okay, let's do this in the terminal so you have a better look at it, actually. Let's do python3 webbrute.py: username dark, incorrect; incorrect; 32, diablo, all those, enox, incorrect, incorrect. All of those are seemingly incorrect. Hmm, why is that? Oh, because I forgot to change the variable that we passed in; it is not going to be john anymore, it's going to be our username. Classic, good sanity check. You guys should have told me; you guys should have yelled at me, like, why didn't you let me know that I was wrong there? You probably did. Running this again, I see an oddball: I see this enox user gets an incorrect password. So we know he is probably the correct username, because all these others are returning incorrect username, and that one got past that layer of logic. So enox must be the right username. Now let's try that with the correct password, or try and brute force a password: so for password in passwords, plural, we can specify enox and then the password that we're looking for. So username enox, password: password can be passed in. I can type, I promise. And let's see how that goes. Let me try and connect to that: incorrect password, incorrect password, incorrect password, etc., etc. That's going to change the screen, so let me go ahead and clear that for you. Good brute forcing. I know Hydra probably could have done this just as well, but, oh, okay, we actually got a hit. It was able to log in, seemingly, with the credential enox and password 1234. Good to know. Let's take a note of this. Let's just actually, if we were to have our README.md, we would go ahead and keep track of those credentials.
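As an added example (not code from the video or from the TryHackMe room), the two-stage behaviour described above, where the form answers "Incorrect username" before it ever says "Incorrect password", is modelled in-process beside a hardened handler, so the leak and its fix can be compared without any network traffic. The account table, the salt, the "constructed-secret" password and the wordlists are all constructed stand-ins for the room's authenticate.php, userid and credentials.txt.

```python
#!/usr/bin/env python3
"""Why the login form in the video leaks usernames, and what the fix looks like.

Added example, not code from the video or from the TryHackMe room. The two
handlers stand in for the room's authenticate.php; the account table, the salt
and the wordlists are constructed.
"""
import hashlib
import hmac

# Constructed: one salt for brevity (a real store keeps a salt per account).
_SALT = b"constructed-salt"


def _hash(password: str) -> bytes:
    """PBKDF2 so that checking a password costs the same no matter who asks.

    Iteration count is kept low for the demo; production uses far more.
    """
    return hashlib.pbkdf2_hmac("sha256", password.encode(), _SALT, 20_000)


# Constructed account table modelled on the room: enox is the only valid user.
ACCOUNTS = {"enox": _hash("constructed-secret")}
# Hash compared for unknown usernames so timing does not reveal which names exist.
_DUMMY_HASH = _hash("constructed-dummy")

# Constructed wordlists standing in for userid and credentials.txt.
USERNAMES = ["dark", "thirtytwo", "diablo", "enox"]
PASSWORDS = ["letmein", "constructed-secret", "qwerty"]


def vulnerable_login(username: str, password: str) -> str:
    """Behaves like the form in the video: the error says which check failed."""
    if username not in ACCOUNTS:
        return "Incorrect username"
    if not hmac.compare_digest(ACCOUNTS[username], _hash(password)):
        return "Incorrect password"
    return "Login successful"


def hardened_login(username: str, password: str) -> str:
    """Same outcome for a bad name and a bad password, in message and in work done."""
    expected = ACCOUNTS.get(username, _DUMMY_HASH)
    valid = hmac.compare_digest(expected, _hash(password)) and username in ACCOUNTS
    return "Login successful" if valid else "Invalid username or password"


def usernames_leaked(login, usernames, probe_password="constructed-wrong"):
    """Names whose response differs from the response for a name known not to exist.

    This is the signal the video's first pass keys on: it singles out enox against
    vulnerable_login and yields nothing against hardened_login.
    """
    baseline = login("no-such-user-constructed", probe_password)
    return [u for u in usernames if login(u, probe_password) != baseline]


def attempts_needed(login, usernames, passwords) -> int:
    """Requests until success: two-stage search when names leak, full grid otherwise."""
    leaked = usernames_leaked(login, usernames)
    candidates = leaked or usernames
    tries = len(usernames) if leaked else 0  # the username pass costs one request each
    for user in candidates:
        for password in passwords:
            tries += 1
            if login(user, password) == "Login successful":
                return tries
    return tries


if __name__ == "__main__":
    for name, handler in (("vulnerable", vulnerable_login), ("hardened", hardened_login)):
        print(name, "leaks:", usernames_leaked(handler, USERNAMES),
              "attempts:", attempts_needed(handler, USERNAMES, PASSWORDS))
```

With the constructed lists the leaking handler falls in 6 requests and the hardened one in 11, because the attacker has to walk the whole username-by-password grid; the real cost gap grows with the size of the wordlists.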
So let's get that done, save that, and now let's go ahead and log in, now that we know that: enox and password 1234. Okay, now we have an upload page where we can upload a file. Hmm, I don't know what kind of file we might be able to upload, but we could certainly try anything; the most fun thing to try would be some PHP code to get code execution, right? So let's go ahead and copy over our /opt php-reverse-shell, and let's get that into this current directory. I'll actually move that to, I guess, revshell.php. Let me check out what my IP address is, tun0, and I am 14.11. So let's modify this revshell and use that IP address, so it will call back to me with my reverse shell, and I'll listen on quad 9, 9999, or quad 9. I don't need to say all those nines if I've already said quad; that's the whole point of saying quad. So that is now something that I could upload, and let's start to listen on things. Let me close out of some of these shells that we don't need anymore; gobuster doesn't need to keep working. Let's go ahead and, I guess, start pwncat; that'd be fun. pwncat, um, source env/bin/activate. pwncat does weird things with the PHP reverse shell, though; let me try it. I'll show you what I mean: python -m... -lp, and I used quad 9, right? python -m pwncat, sorry; now he will be listening, -lp; now he will be listening. We're really doing well for this video, guys. Let's upload our reverse shell; that should be in ctf, tryhackme, Tartarus. Slap in a revshell, upload that. Revshell has been uploaded. Now where is that going to actually upload to? It doesn't exactly tell me where, so I guess I can kind of start guessing: is that in simply revshell.php? No. Is there an uploads directory? No. Is there an upload directory? Where did you go? Where did you put this thing, revshell.php? Super secret. All right, let's try some DirBuster on this location, because apparently we need to: gobuster dir, -u for the http URL, -w for the wordlist from /opt directory wordlists.
Please crank on that. Found images, okay. What is in images? There is an uploads directory in images, and that has my revshell. What is this, pwncat? Thank you, TryHackMe, thank you, you're the best. revshell.php, click on that; we should have our callback coming through, ideally. No, "failed to daemonize". Did I have the right port in there? Did I do something wrong? Did I do something wrong again and you guys didn't tell me? Oh no, no, no, no, I used the bad IP address; I am listening on tun1 right now. I'm a fool. So, you know what the problem is, guys, to be honest, the problem is I've been trying to do more videos for you and I put in my Hack The Box address. Don't tell anybody, don't tell, don't tell TryHackMe. Can I, your stinking, log back in, please? What is it? You were home.php? Yeah, okay, cool, revshell, do it. Uh, are we still listening? No, we aren't. Now let's get back to listening. Let's change these preferences, or this profile, to be black, so it looks like I'm on the attacker machine and it's super cool and stuff. images/uploads/revshell; whack that, and there we go, now our connection's coming through. Okay, it's going to take a little bit of time with pwncat. Uh, we are working on pwncat, by the way; we are trying to make it a little bit better, because obviously some of the stuff is a little bit slow and funky and weird. Also, it's not very extensible if you want to pass in more arguments for a specific thing that you're trying to do, like running a module with real specific, I don't know, variables and parameters and options that you want to specify, um, like maybe doing enumeration or a privilege escalation with crontab stuff. Because we're trying to make it better, we're trying to improve it, so we thought, well, originally we didn't want to go with, like, a Metasploit-like methodology in retrieving information or supplying information, so we didn't, and now we're reconsidering that. Um, what is this database doing, guys? Did I not specify?
Oh, I didn't specify a config file, so it's also probably whining about that. Okay, okay, okay, let's... no, pwncat, sorry. Gosh, I hate doing that in videos and then everyone's like, uh, "didn't do it." Let's, uh, try and stabilize our shell. So let me verify: do I have python on here? I do. Do I have python3? I also do. So it doesn't matter which stabilize-shell I really use, uh, two or three. Um, that script that I just ran comes from my Poor Man's Pentest framework, so if you're interested in that sort of thing, I have a talk on that on my channel. Um, but let's see what's going on. I am www-data, the Apache or nginx or httpd daemon service, or the user that's going to run the web server, and that's a low-privilege user; there's not going to be a lot going on right now. Uh, so I need to do some privilege escalation and try moving to a better-looking account. I could do manual enumeration, I could do stuff with pwncat to do enumeration, I could run LinPEAS, I could do plenty of things. Let's take a look at what we have, and let's check /etc/passwd first, just a good idea for these users. So I see a 32 user, and there's dark again, fantastic. Is this your room, buddy? I don't know what's going on. So what can this account do? It's always a good idea to check sudo -l. It would be very, very weird for www-data, or a web account user, to be able to run commands with sudo. In this case we can, so good for us, right, from our attacker point of view, that's great; I will take code execution when I can get it, especially as another user. But maybe that's not normal on a web server.
It shouldn't be, right? So 32, this other user that we saw in /etc/passwd, can be used: we can access www-data and use his account to run /var/www/gdb, or specifically this command, without a password as the 32 user. So gdb has GTFOBins, or has code that we could simply run to, uh, execute commands, or do malicious things, or read files or write files or upload files, or peculiar stuff. So if you go to gtfobins.github.io, there's a great resource for all these Linux local binaries and common utilities that can be used with certain privileges or permissions to do other things, like escalate, potentially. So this can spawn a shell, and it will run with this syntax: gdb, I think it's, I don't know what the nx is, no execute or x, or some command it can specify. Yeah, -ex looks like it's specifying a command. But let's go ahead and try and slap that in with our sudo syntax. I'll use sudo to specify a user with -u; 32 will be the user that we're going to use, and we will have to use this specific command, right, /var/www/gdb; get that exact location in, and I'll paste in gdb with that syntax. Now if I whack Enter, you can see gdb has started for me, but down below I have a dollar sign prompt, which is not what gdb usually does. So if I run id, I'm running as that 32 user, so we've executed sh, or started a shell. Let's actually start bash so I have a better prompt here. I can check out whoami and I am still 32, so that works just fine. We could go into 32's home directory; looks like he has a note.txt: "Hey 32, the other day you were unable to clone my GitHub repository; now you can use git, took a while to fix it, but now it's good." Incredible. Where is my user.txt? Am I supposed to have a user.txt? User flag: should that have been www-data, or is that going to be dark?
That might be dark. Um, let's check out what we can do as this user; once again, a simple sudo -l just to verify. Looks like he can run, as dark, /usr/bin/git. So, once again, git is a GTFOBin that can be used and abused; pwncat can do this, um, pwncat does weird things, because the privilege escalation enumeration technique that it uses actually finds the setuid bit first on that binary rather than running it as sudo, so it tries that and then it doesn't properly get it. We're still working the bugs out, right? That's the whole point of it: we want to release it kind of in development, so showcasing what it's growing and what it's learning to do. Anyway, you don't care about that stuff; sorry for my tangents. dark, as the user that we want to run /usr/bin/git, and we'll slap in this syntax. Uh, let's try this one. You could use this one, because this one is actually setting a variable; it doesn't really work initially, especially if we're trying to use sudo with this. But git help config will launch the default pager, which is usually less, just like kind of that explains. It is less, and you can tell because of our paginated input, or output; I can use up and down arrow keys to actually get stuff. So I can use the dollar sign to try and run a command, and I will simply run bash. There we go, and now my prompt has changed and I am dark; I am the new user. I've once again done our horizontal privilege escalation, if that's the proper word for it, whatever. dark, let's go into his home directory. Do we have user.txt? We do have user.txt. All right, let's slap that in, get those points, and win TryHackMe, just in general, win TryHackMe. What is this cleanup.py script? Looks like it's a Python script, right? So let's cat it out, see what we got here: #!/usr/bin/env python, import os, import system. Mm-hmm. How is this run, or is this run? Looks like... sudo -l, can I invoke that?
Oh, I need to know his password, and I don't know dark's password, but that's annoying. Okay, so maybe that cleanup is run by cron or something. All right, we could check this out if we were just looking in /etc/crontab. Let's see what we have here. I do see a weird entry. It kind of slid under the radar because it's not at the very, very bottom; it's kind of at the top. So it is minute, hour, day of the month, month, day of the week, user, and it looks like we have every day, every minute of every hour, but every minute divided by two, so every two minutes it will go ahead and run cleanup.py. Now cleanup.py is in our home directory; it's in this dark user's home directory, that we have access to. So since this cleanup script that is run by root is in our home directory, oh, and we can actually write to it and control it, right? Then we could make it do whatever we want, right? We could very, very well change this os.system command to actually run another command, like get a reverse shell, or copy the root file to a file location that we can access, or, what I really like to do, is mark /bin/bash as a setuid binary. So that way it'll be able to be invoked by us and we can keep the permissions of root, and that root user that actually owns that binary, and we could actually use that to do some privilege escalation. So if I actually monitor the sticky bit, or the permission set, on /bin/bash, you can see right now it's currently just regular rwx. But after our half a minute hits, after we get to minute 54, or a multiple of two, an even number, every two minutes, right, that should trigger, and because it's running as the root user, root has the permission to add that bit to this binary, and then we'll be able to use /bin/bash -p and keep our privileges as root. So we got five seconds, four seconds; we got a little countdown. Let's see if it does it, fingers crossed. And there it is. Okay, awesome.
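The root cause of that escalation is a root cron job pointing at a script a non-root user can edit. As an added example (not code from the video or from the room), here is a small audit that parses an /etc/crontab-style file and flags exactly that condition, including the case where only the parent directory is user-owned; SAMPLE_CRONTAB, FAKE_FS, the uid 1001 and the path /home/dark/cleanup.py are constructed to mirror the entry described above.

```python
#!/usr/bin/env python3
"""Flag root cron jobs whose script a non-root user could rewrite.

Added example, not code from the video or the room. SAMPLE_CRONTAB and FAKE_FS
are constructed to mirror the finding in the video (a root job every two
minutes running a script inside a user's home directory). On a real host call
audit_crontab(open("/etc/crontab").read()); the default os.stat lookup is used.
"""
import os
import stat

SAMPLE_CRONTAB = """\
SHELL=/bin/sh
PATH=/usr/local/sbin:/usr/local/bin:/sbin:/bin:/usr/sbin:/usr/bin
# m h dom mon dow user  command
*/2 *   * * *   root    /usr/bin/python3 /home/dark/cleanup.py
17 *    * * *   root    cd / && run-parts --report /etc/cron.hourly
"""

# Constructed ownership table: path -> (uid, st_mode). dark is uid 1001 here.
FAKE_FS = {
    "/": (0, 0o40755),
    "/etc": (0, 0o40755),
    "/etc/cron.hourly": (0, 0o40755),
    "/usr/bin": (0, 0o40755),
    "/usr/bin/python3": (0, 0o100755),
    "/home/dark": (1001, 0o40755),
    "/home/dark/cleanup.py": (1001, 0o100755),
}


def fake_lookup(path):
    """Stat replacement backed by the constructed table, for offline use."""
    if path not in FAKE_FS:
        raise FileNotFoundError(path)
    return FAKE_FS[path]


def os_lookup(path):
    """Real stat: owner uid and mode bits of a path on this host."""
    st = os.stat(path)
    return st.st_uid, st.st_mode


def parse_system_crontab(text):
    """Return (schedule, user, command) for each job line of an /etc/crontab."""
    jobs = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#") or "=" in line.split()[0]:
            continue  # blank line, comment or variable assignment
        parts = line.split(None, 6)  # five time fields, user, then the command
        if len(parts) == 7:
            jobs.append((" ".join(parts[:5]), parts[5], parts[6]))
    return jobs


def writable_by_non_root(path, lookup):
    """True if a non-root user owns the path or it is group/world writable."""
    try:
        uid, mode = lookup(path)
    except FileNotFoundError:
        return False
    return uid != 0 or bool(mode & (stat.S_IWGRP | stat.S_IWOTH))


def audit_crontab(text, lookup=os_lookup):
    """List (schedule, path, weak_path) for root jobs that touch an editable path.

    The parent directory is checked too: if dark owns /home/dark, cleanup.py can
    be swapped out even if the file itself were root-owned.
    """
    findings = []
    for schedule, user, command in parse_system_crontab(text):
        if user != "root":
            continue
        for path in (tok for tok in command.split() if tok.startswith("/")):
            for candidate in (path, os.path.dirname(path)):
                if writable_by_non_root(candidate, lookup):
                    findings.append((schedule, path, candidate))
                    break
    return findings


if __name__ == "__main__":
    for schedule, path, weak in audit_crontab(SAMPLE_CRONTAB, fake_lookup):
        print(f"[{schedule}] root runs {path}; {weak} is editable by a non-root user")
```

The fix the audit points at is to move such scripts to a root-owned directory that only root can write, so the job's schedule stays but its contents can no longer be changed by the user whose home it lived in.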
Now we can go ahead and run /bin/bash -p, and you can see my prompt has changed with the hashtag, pound symbol, octothorpe, and I am root. So I can hop on over to the root directory here, grab that root.txt, and that box is done. So very, very cool, very fun. A couple of gimmicks that I think we've seen before in previous videos, so forgive me; hey, I don't like to be doing the same thing over and over and over again in different videos, but dark really, really asked for this. So, hey, I hope you enjoyed; I hope this video is everything that you wanted. Maybe you learned some tricks with that Python gimmick; maybe that /bin/bash -p, setting the setuid bit on bash, is always a fun trick to do. But just some good stuff, and fun doing some manual enumeration as we need to. Thanks so much for watching, everybody. I hope you enjoyed this video. If you did, please do press that like button, maybe leave me a comment, please do subscribe. You know, I'm super duper grateful. Thanks for watching, everybody. I'll see you in the next video. I love you. Take care.