Hello everyone, my name is John Hammond and welcome back to the TryHackMe video. Today I'm going to be showcasing the LazyAdmin room. It is a free room, so you do not need to be subscribed to access it. I've joined the room here, and I've spun up a machine. The prompts here are "What is the user flag?" and "What is the root flag?", so it's not a guided, hand-holding sort of procedure that TryHackMe does in some of its other walkthrough rooms; this is more of a challenge-oriented room.

So I've gotten started: I created a directory for ourselves, I'm connected to the VPN, I've also gone ahead and made a simple README where I've got my IP address set up as a variable that I can reuse, and the tasks and stuff so we can take our notes. And I've also gone ahead and started the nmap scan with nmap -sC -sV -oN nmap/initial. So it looks like we have SSH open on port 22. We also have port 80 open, so it seems to be hosting a web server. So what we can do is go ahead and access that server. I will grab the IP address one last time, fire it up in a web browser, if Google Chrome will let me go to that address bar, and we're greeted with just the simple Apache2 default page. So there doesn't seem to be anything here. We could scroll through the source, but nothing in particular jumps out at me. So we'll start our regular enumeration techniques. I'm going to go ahead and nikto http:// our IP address. I think it needs -h; I don't know why I'm fluking on that. Looks like it does, so let's go ahead and tee that out to nikto.log. I'll also get started with some gobuster so we can go ahead and enumerate: okay, what does this web page actually have for us? So we need our URL. Let me grab that IP address. Just nice, quick and easy. Great, now.
Let's gobuster -u http:// that IP address, go ahead and use a wordlist, and I'm going to be using the directory list that DirBuster typically ships with. So, okay, that immediately found a /content, and we can go view that. Nope, misspelled content there. And it says: "Welcome to SweetRice. Thank you for your install of SweetRice as your website management system. The site is building now, please come later. If you are the webmaster, go to Dashboard, General, Website Settings and uncheck the box Site Close, open your website." Looks like this will link us to the documentation or some things to do when SweetRice is installed. Sounds like SweetRice is a content management system, or CMS.

So I'm going to view the source here. It's kind of messy. I want to get an idea of what version number the SweetRice page is. Looks like there's some JavaScript, dashboard, core... and 0.54. Not sure if that's the current version of the SweetRice package. Nothing else seemingly in there. Any other links? No, no. Okay, so no real version number as to what this SweetRice installation actually is, and no other pages that gobuster found anyway. Let's go ahead and do our research on SweetRice. I'll go ahead and start up a searchsploit so I can look for SweetRice. Okay, looks like there are a couple of options here: remote file inclusion, multiple vulnerabilities (looks like those are just text files; they might be explaining what the process actually is), arbitrary file download and arbitrary file upload. Again, not sure of the version number; 0.53 or 0.54, which we saw in the JavaScript, might tell us that. Okay.
We know that's at least a potentially real version number, not just something arbitrary we saw in the JavaScript. Cross-site request forgery, cross-site request forgery and PHP code execution: that does sound peculiar. Okay, let's take a look at what that is: searchsploit -x on that path. Looks like what we'll do... reading through this: in the SweetRice CMS panel, adding an ad section will allow an admin to add PHP code. It can take advantage of the CSRF vulnerability, or cross-site request forgery, and allow the attacker to execute PHP code on the server. In this exploit I just added an echo "Hacked" and phpinfo(), and you can customize this for yourself. Okay, so it gives us some HTML code and allows us to go ahead and inject it. We might need to modify where this is actually showcasing it, though. localhost is obviously not going to be our target; we need to change the IP address, and sweetrice might need to be changed to content. We can certainly try that. Let's go ahead and copy this and work with it. I will kind of check in on our other scans: seemingly nothing.

Let's go ahead and move into exploit, and then searchsploit -m so we can copy that, and let's move that over to our own, like, exploit.html or something. Let's go ahead and check out what we can do with this. We don't need all these comments here, but we should go ahead and change this specific IP address, so that should be what we're looking at. Oh, and content as well. So let's actually just completely change that: as_type=add, the hidden field, move ads, hacked... and it would put it in what location? Where would it put this? Okay: after the HTML is executed, you can access the page on that location, inc/ads/hacked. Let's tinker with it, because it has the correct URL in there now. We should just be able to open up this HTML document and add it in to our specific page. The textarea HTML is just stuffed with echo "hacked" and showcasing phpinfo. Let's see if that will actually work for us. Just tinkering, just exploring.
Let's firefox over to exploit, and, oh boy, okay, did it already do it? Do I need authentication to access it? admin:admin, login failed. That did not seem to work. Maybe it automatically ran it, because it said onload document.exploit.submit, so exploit, yeah, is the name of this form. So it went ahead and submitted it, and I don't know if it's actually going to be accessible or not without having any credentials. It didn't seem to work for us.

Okay, so what could we do if we have arbitrary file read and some of those other searchsploit options? Let's check this out one last time: remote file inclusion, multiple vulnerabilities, arbitrary file download, backup disclosure. Maybe that has some potential credentials in some of the backups, so let's try that: searchsploit -x. Proof of concept: you can access all MySQL backups and include and download them from this directory, localhost/inc/mysql_backup. Is that a thing? Oh, we saw earlier that inc actually just comes off of the content page in our case, because it's not sweetrice on this site, it's content. So let's go ahead and try that: inc/mysql_backup. Is that a directory? Oh no, it needs the... it needs the inc. Right, back to that. It needs inc, to include. Right, there we go. Oh, mysql_backup. Let's try and copy this link address. Let's move back and make a directory for backups (backups, backups, backups), and let's wget this, see what we have here. SQL file. It is a PHP script, weird. Oh boy, okay: attachment as a table, category as a table, I don't care about those. I want users. Do we have some users? Oh, oh, going down. What is that? Global settings looks like serialized objects here: author, title, keywords. That's a long string. Oh, admin user is manager and his password...
His password is this; that looks like a hash. So I'm seeing how many characters that is: 32, so 32 hexadecimal characters may very well be a hash. Let's go over to CrackStation and try to see if we can crack that hash. So I'll just slap that in here. Yep, not a robot. Password123, classic, super cool. Okay, so now with that we might be able to go ahead and use that upload vulnerability. So manager was his username and Password123 was his account password. What is the user flag? What is the root flag? Those are just the tasks I need to finish.

Let's go back to access our exploit: firefox exploit. That's going to go ahead and submit it, but we need to log in, so it's manager and Password123. Fired off; that succeeded. Did that work? I don't know. Let's go find out. It put it in content, and where did that exploit say it would put it? ads/hacked.php. Let's try that: inc/ads/hacked.php. No. Let's try and run that again now that we have that session created within our browser. And I killed Firefox when I did that, so that was lame. Let's go ahead and do that exploit one more time. Log in. Okay, now that I've backgrounded Firefox, I should be able to firefox exploit one more time. Go ahead and submit it, and now I've created that page. Okay, awesome. Now let's go see if we can go ahead and access it, just for our simple proof of concept, right? We wanted to see if it would load that phpinfo page, and it does. Okay, awesome. So we could potentially leverage this to remote code execution. Let's go ahead and copy our PHP reverse shell over in here, so let's just call it, like, revshell.php. What I'm going to do is modify that to include my IP address as the attacker, which is 10.8.38 currently, so that should be the correct IP address, and let's listen on port 9999. And now let's include all of this inside of that exploit rather than running their little phpinfo proof of concept.
Let's include this whole thing. Okay, so now we have that whole reverse shell in there. Let's change this to revshell, and that's all that it needs, seemingly, so it's no longer going to be put in the hacked page but the revshell.php page. Let's go ahead and try that. We still have Firefox open and running, so I can go ahead and use that firefox exploit one more time, and that has submitted and created revshell.php. Okay, great. So now let's start up our listener. Oh, that port is already in use. Why is that port already in use? Am I doing something else? What are you doing? How does ss show me processes? Is it supposed to be sudo pkill netcat? Maybe I already have something up from when I was just testing things. It's just already in use. Well, dang it, I already made that as a prompt. I don't have netstat installed, and I don't know the syntax for ss off the top of my head. Let's go learn it. Let's go figure it out: ss, process name, maybe it is -tlnp, probably the same syntax, -tlnp. Oh, -p to show processes, right. Crap, 999... what is that? That's totally not what I'm referring to. That's totally not what I need. All right, let's just friggin' change the port. 8888, who cares. So now we can go use that, and let's change it to just shell rather than revshell, because I'm apparently just making mistakes in this video. Great, now let's firefox our exploit, and because he's logged in, this has that session now. We have a shell, great. Can I please listen on 8888? Please, pretty please. Okay, awesome, that's good. So now that that's created, let's go over to our ads and go to shell.php, and that will execute and give me a shell over here. Okay, awesome.

So I wanted to use this video as kind of a vessel to showcase some of the PTY upgrade elevation techniques. So you've probably seen me before use python -c 'import pty; pty.spawn("/bin/bash")', etc., etc.
I found this resource, netsec, and I want to showcase it to you because it has some neat tricks: not just doing this within Python, but also doing it with other commands. So Perl, some syntax here to execute /bin/sh; same thing in Ruby and Lua. You can also do this, okay, if you're in Vim or vi, and nmap; those will be able to break out and get you a shell. The PTY is super duper helpful. One cool trick that I learned just recently is actually using the script command. So... does it not like that? I guess it's just still spawning sessions. Okay, /usr/bin/script should allow me to use -qc and start /bin/bash and save all that output to /dev/null. So now you can see www-data@THM: I've spawned a PTY without using Python. So in the cases that you don't have Python available, or you don't know if it's using Python 2 or Python 3, this /usr/bin/script -qc, spawning /bin/bash and writing out to /dev/null, will give you that. This technique does still let you use that: foreground or background the netcat connection and then run your stty raw -echo, so you can foreground the session again and then gain your tab autocompletion and command history and left and right arrow keys. So that is very, very nice as well. And again, you're not using Python, so that's a good help.

Okay, now that we're here we could go ahead and look around the filesystem. We'll start to do some enumeration because we have our initial access. So let's go ahead and try and upload LinPEAS. Again, I'm going to use my poor man's pentest framework, so I can just simply upload that guy, nice and easy. Good, good, I'm already in that directory. Let's make LinPEAS executable and let him run. A lot of stuff rolling through. Oh boy, okay, sudo entry. I should have just run sudo -l just to see: user www-data may run the following commands here. No password to run perl with a specific script. Okay, peculiar. Can I see what that script does? /home, that was in itguy.
Can I see his files? I can. Oh, there's a user.txt file. Can I read that? Yes, nice, nice. So that's going to be the first flag that we need. Go ahead and keep note of that and submit it on the page. There we go. And let's see this backup.pl file. So catting that out, it's running perl. Can I write to that? Can I write to perl? No, I cannot. But it seems to run sh on /etc/copy.sh. Okay, what is that guy? Whoa, someone else... someone else was here already. What is it? Why is it creating a reverse shell? Can I write to that? I can write to that, and it's running as root, owned by root. So maybe it's running as root. Oh, I mean, I'm going to run it as root when I use sudo. So let's go ahead and modify this: nano /etc/copy.sh, and let's nerf that guy's reverse shell and let's put ours in. PentestMonkey reverse shell cheat sheet, let's slap in the syntax for simple netcat. I mean, I guess we kind of had it already from this guy's; we didn't need to do that. But hey, I am my attacker at 10.8.38, and let's put it on port 777. Cool. Okay, so now let's get another shell ready and waiting for me: -lnvp. Can't see because of my microphone; I shouldn't be looking at the keyboard anyway. So catting that file out, now we have our reverse shell in place, and if I run it as root, thanks to our sudo -l, we should be able to go ahead and sudo /usr/bin/perl, call a Perl script, which in turn calls a bash script. Whack enter, and now I have that shell here. I'll go ahead and stabilize: python -c... do I have Python 2 or just regular Python? My prompt... I do. Okay, so let's stabilize that shell, quick and easy for us. We could do the same thing with that script technique that I just showed, but now that we are root, let's go ahead and grab that root.txt file. Okay, all done, nice and easy. That was kind of cool.
I hope you like those techniques: abusing the SweetRice CMS, finding out some of those credentials because of their backups that we were able to look through, and then using that PHP code execution to add an advertisement into the page. So very, very cool, and searchsploit totally, really, really sped up our research for us, because we were able to go ahead and find that vulnerability, and it's already well known. So that's that. I also wanted to kind of use this video to showcase those spawning-a-PTY or TTY techniques, because I was able to open nano with that setup that I had; I was able to potentially run su if I needed to. I know if you're just in a regular kind of reverse shell without stabilizing anything, then it's going to ask you, hey, you need to be in a full PTY. You can do that just as easily with these commands that you see me run often. That new trick that I learned, /usr/bin/script -qc /bin/bash /dev/null, and exporting the TERM variable and using stty raw -echo to get your foreground: lots and lots of good stuff. So, okay, that's all that I wanted to cover, a good quick and easy Linux room to showcase some of that stuff. Thank you guys so much for watching. If you did like this video, please do the YouTube algorithm things: press that like button, comment, subscribe, hit the bell. That's so weird to me, hit a bell. You got a real, a real-life bell that you're just, like, whacking repeatedly. Whatever. Thank you guys. I hope to see you in the Patreon if you were willing to support. PayPal donations, I'm so, so grateful. Love you guys. Discord server link in the description, Twitter, Facebook, Instagram, LinkedIn, all the others. Thanks for watching.
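The privilege escalation in the video hinges on a chain the speaker checked by hand: sudo -l allows www-data to run perl on backup.pl, that script runs sh on /etc/copy.sh, and copy.sh turns out to be writable, so whatever is put in copy.sh runs as root. The POSIX shell helper below is an added example, not code from the video or from TryHackMe, that automates that check: it takes the command line from a NOPASSWD rule, lists every absolute path in it, follows one level into each readable script to find the paths it references, and flags the ones the current user can write to. The paths /usr/bin/perl, /home/itguy/backup.pl and /etc/copy.sh in the usage comment are hypothetical stand-ins for whatever the rule on a given host names.

```shell
#!/bin/sh
# Added example: find writable links in a sudo NOPASSWD command chain.
# Usage: writable_in_chain "/usr/bin/perl /home/itguy/backup.pl"
# (hypothetical paths; substitute the command line printed by sudo -l)

# report_file PATH
#   Print "WRITABLE PATH" and return 0 if the current user can write PATH,
#   otherwise print "readonly PATH" and return 1.
report_file() {
    if [ -w "$1" ]; then
        echo "WRITABLE $1"
        return 0
    fi
    echo "readonly $1"
    return 1
}

# extract_paths STRING
#   Print every absolute path token found in STRING, one per line, deduplicated.
#   The pipeline ends in sort, so a string with no paths yields empty output
#   and status 0 rather than grep's "no match" status.
extract_paths() {
    printf '%s\n' "$1" | grep -o '/[A-Za-z0-9_./-]*' | sort -u
}

# writable_in_chain CMDLINE
#   For each absolute path in CMDLINE that is a regular file (interpreter,
#   script, arguments), report whether it is writable; then, for each such
#   file that is readable, do the same for every absolute path referenced
#   inside it (one level deep, which covers "sh /etc/copy.sh" style calls).
#   Returns 0 if at least one writable file was found, 1 otherwise.
writable_in_chain() {
    found=1
    for p in $(extract_paths "$1"); do
        [ -f "$p" ] || continue
        report_file "$p" && found=0
        if [ -r "$p" ]; then
            for q in $(extract_paths "$(cat "$p")"); do
                [ -f "$q" ] || continue
                [ "$q" = "$p" ] && continue
                report_file "$q" && found=0
            done
        fi
    done
    return $found
}
```

Run it as the low-privilege user that holds the sudo rule, not as root: the -w test answers for the caller, and root can write anything, so running it from a root shell reports every file as WRITABLE. A WRITABLE line on anything other than the interpreter's own binary is the same finding the video reaches by catting the scripts and trying nano on copy.sh.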