Hello everyone and welcome back to another video. My name is John Hammond and let me tell you a little story before we dive into this video. So a couple of weeks ago, I think it might be a week or two. I don't even know. Time is the thing. The Hack The Box Cyber Apocalypse capture the flag was going on and it was a week long game and it was incredible. There were so many people that were playing. I think they had almost like 10,000 people that played the game. There were a ton of fantastic challenges and I really, really wanted to jump in and play and get some content, get some videos recorded to share with you. Now I am human and also really bad at a lot of things. So I wasn't able to jump in and I was super duper bummed. So I reached out to Hack The Box and I was asking like, hey guys, I would love to kind of get some videos recorded, get some stuff for Cyber Apocalypse because it looked like an incredible success. I'm kind of jealous that you guys had such a stellar game. I'm not going to lie. And they said like, hey, John, it's totally cool. Like if you want to record some challenges, we can like spin up the game again for you. And I'm like, what? Thank you. Thank you. Thank you. Thank you. So I have a little bit like a slice of the Cyber Apocalypse capture the flag kind of spun up for me and I'm super duper grateful. Thanks so much for letting me do this guys. So shout out and credit all goes to them. But I have a couple of, some of like the most liked challenges, or the challenges that people said were their favorite or they really kind of loved. So this is after the game, I will admit. So that is the situation. And I realized like, look, there are probably a lot of these challenges that I also wouldn't be able to solve on my own and I'm understanding of that. And I want to be transparent about that. So with the disclaimer, with the honesty that this is after the fact, I want to showcase some cool stuff for you. 
So in the transparency, I do have access to write ups. So I will still be learning and experiencing new things that I haven't seen before, but I also wanted to bring that to you and share that I will be maybe checking a little bit of write ups in there. So don't hate me, please don't fault me. But with that out of the way, now that I have a two minute introduction, I want to jump in and I want to showcase a couple of these challenges. So hopefully there'll be a lot of videos that come from this, but let's do it. I have on my screen here, check it out. The Cyber Apocalypse and JH Party. Thank you, thank you, thank you for letting me do this guys. The first one I kind of want to get started with, I'm going to stick around in the web category for a little bit of time. I want to check out this CaaS challenge or C-A-A-S. So I'll click on this little info button here to view the challenge info. And it says Curl as a Service or CaaS is a brand new alien application built so that humans can test the status of their websites. However it seems the aliens have not quite got the hang of the human programming and the application is riddled with issues. So it has a kind of container and instance portion, right? That we can go ahead and start up on demand, which is awesome. Glad everyone has kind of their own individual instance and a downloadable part. So I'll go ahead and spin up the Docker instance. There we go. And it gives me in just a moment an IP address with the URL that I could go ahead and grab and click on and copy. So now I can go access that in my web browser and here we are kind of at the interface, what we're looking at here. This is Health Checker 9000 where I can verify the status of a host by specifying an IP address. So this is kind of a simple challenge before we dive into a lot of the other stuff, but it looks like I just have a prompt that I can run curl maybe. Like if I were to just type in anything, "illegal characters detected". 
What the heck does that mean? Anything, A? It's probably gonna be expecting like a URL or someplace to reach out to with the curl command. So we can keep that in mind, but we go ahead and need to download these files here so that we can kind of see what this challenge is doing, what this application, what this service is. So I've gone ahead and done that. Created a directory in my home directory for Apocalypse, which is really nice to be able to type in. Don't normally have a reason to type in Apocalypse into my terminal, but I have downloaded in a downloads folder the webcast kind of archive here. So I'm gonna go ahead and unzip that and we'll get to see all the files that we have here. They're all inside this webcast directory and it looks like I have a Docker build script, challenge folder, config folder, a Dockerfile and the flag. Oh, we can just go ahead and cat that out. No, it's just a fake flag. Okay, just kind of for test. But we can see the Dockerfile and how this instance, how this container was kind of built. I'm gonna go ahead and open that up in Sublime Text. I will hit control shift P to set the syntax to bash. So it has a little bit more syntax highlighting and color. We'll come and grab this image for the instance from Debian slim, having a www user. Looks like we're just installing packages for this thing to run and go ahead and install PHP dependencies. So we are gonna end up using nginx as a web server with PHP on there and configure it with specific files, get the challenge files in there from the directory and the flag looks like on the application, on the actual target and remote service, the flag is gonna be located at the root directory. So the very, very top of the file system, just the forward slash. So the path to flag, what we wanna be able to obtain and retrieve to prove that we solved this challenge, we need to access slash flag. Looks like permissions here and we go ahead and expose port 80 to run nginx. So that is that. 
Now, because we have these files downloaded, we could check out what's in config, but these are just gonna be configuration files. So I'm not exactly interested in that right now. I kinda wanna see more of what is in this actual challenge and what's the source code. So we'll check out the index.php. It looks like it sets up a time zone and auto load registers with controllers in PHP, okay? And models. So this is kind of that model view controller setup where you have controllers kind of displaying the logic or at least containing the logic for what an application might do, models being kind of abstract ideas and entities for objects and things you might end up using, like the concept behind it and the object, typically how it's stored in a database if you're using like an MVC or model view controller layout, but the router object is created and then we set up these routes for forward slash being the homepage and that looks like it brings us to the curl controller index and API which we could post to API slash curl with the curl controller execute. Great. So then we do that and we just route for these specific URL routes. Great. So we're more interested in what really goes on in the controller and model then. We could take a look at that router.php if we wanted to but this is kind of just gonna be the functionality for knowing what page to go to and how. So not extremely interesting in this case. We know that that's how we're gonna get from page to page but we should check out those controllers and models here. Again, we could check out static files and the views to display them but it's just gonna be like how this page is portrayed in the view and static files that it might be pulling in, images or things. We're more interested in the logic behind this so we'll go check out those controllers here. The curl controller looks like it has a function index which is what we would go to on the homepage. 
It renders that view that we just looked at momentarily but the execute function that we know is kind of being routed to that post on slash API slash curl. It will take in the argument IP that seemingly will pass along to the program and we will determine if it's been supplied and then we'll go ahead and create a command model following that where we go ahead and execute based off of this command model and return out some JSON encoded data that's returned from that. Okay, so that means that we're interested in what this model might look like. So let's go back, hop into the models directory and now we have that command model. I'll go ahead and sublime, open that up. All this does is take kind of the URL that's supplied from that IP argument or what we passed to the application and it looks like it uses curl, the command just like that. Adding in or appending and concatenating here the escapeshellcmd. So looks like it's going to try and escape special characters out of something that you would pass to the command line. Like you could find that in PHP documentation if we wanted to actually Google that. We could see what it does but escapes any character in a string that might be used to trick a shell command into executing arbitrary commands. So I guess we won't be able to use things like a semicolon to add in another command or ampersand to call something else or even add new lines to kind of create a new command following that. So that gets in the way of some things that we might be able to do but it is still adding in like syntax to a curl command and it will simply exec or execute it from the command line. So that means that we have control over what's happening after curl, like the syntax. We can kind of specify arguments or what curl will end up doing and any other parameters or any other functions necessary. So now that we know, when we've kind of verified this is in fact calling curl, we can just try like a dummy site. 
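To make the escapeshellcmd point concrete, here is an added example (my own code, not the challenge's PHP or anything from the video): a Python approximation of PHP's escapeshellcmd() next to a function shaped like the challenge's command model. The escaped character set is my reading of PHP's Linux behaviour and is an assumption; the point it shows is that shell metacharacters get a backslash while spaces, dashes, the at sign and URL schemes pass through untouched, so extra curl arguments survive the escaping intact.

```python
"""Added example: approximate PHP escapeshellcmd() and show what survives it."""
import shlex

# Characters escapeshellcmd() prefixes with a backslash on Linux (assumption:
# mirrors PHP 7/8; quotes are special-cased below, as PHP does).
_ESCAPED = set('#&;`|*?~<>^()[]{}$\\\n\xff')


def php_escapeshellcmd(cmd: str) -> str:
    """Backslash-escape shell metacharacters the way PHP's escapeshellcmd() does.

    A quote that has a matching closing quote later in the string is left alone
    (PHP assumes it is deliberate quoting); an unpaired quote is escaped.
    Metacharacters between paired quotes are still escaped.
    """
    out = []
    pending_close = None  # index of the closing quote of an open pair, if any
    for i, ch in enumerate(cmd):
        if ch in ('"', "'"):
            if pending_close is None:
                closing = cmd.find(ch, i + 1)
                if closing != -1:
                    pending_close = closing
                    out.append(ch)            # paired opening quote: not escaped
                else:
                    out.append('\\' + ch)     # unpaired quote: escaped
            elif i == pending_close:
                pending_close = None
                out.append(ch)                # paired closing quote: not escaped
            else:
                out.append('\\' + ch)         # other quote type inside a pair
        elif ch in _ESCAPED:
            out.append('\\' + ch)
        else:
            out.append(ch)
    return ''.join(out)


def caas_command(ip: str) -> str:
    """Same shape as the challenge's command model: 'curl ' + escapeshellcmd(ip)."""
    return 'curl ' + php_escapeshellcmd(ip)


def shell_words(command: str) -> list:
    """How /bin/sh would split the finished command line into argv for curl."""
    return shlex.split(command)


if __name__ == "__main__":
    for user_input in ("http://example.com", "a;id", "-T /flag http://example.com"):
        cmd = caas_command(user_input)
        print(f"{user_input!r:38} -> {cmd!r:44} argv={shell_words(cmd)}")
```

Running it shows the asymmetry: `a;id` becomes `curl a\;id` (the semicolon is neutralised and no second command runs), but `-T /flag http://example.com` is returned unchanged and splits into four separate arguments for curl, which is exactly the gap the rest of the video walks through. This is why escapeshellcmd() is the wrong tool when user input is meant to be one argument: escapeshellarg() wraps the whole value in single quotes so it can only ever be a single argument.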
I'll go to http://example.com and now I can see okay it has returned out the contents of that page. I could curl my own website, I could curl something else but I'm kind of curious, can we get this to actually contact and reach us like us as the attacker, right? So I will go ahead and set up like, what should we do here? Let's go all the way, all the way back and see if we can just maybe make it a dummy site. So I'll create a www directory and I'll echo "this is from John" into like index.html. We'll just redirect that out, super easy, right? So at that point I'll probably use like a Python 3 http.server. So we go ahead and host this. Now keep in mind I'm only hosting this locally. It's bound to every interface. So any other machine that's kind of in my network would be able to access this but because I'm kind of working on my home computer it's not gonna be publicly accessible out on the world because I'm behind that or my router isn't gonna forward this out to the open and public internet. To solve that problem, because we do wanna see if we can get the target and remote servers to call back to us, I'll go ahead and just tunnel this out with ngrok. You could do this without using ngrok by just using a VPS or like a virtual private server, maybe something you spin up in Linode or DigitalOcean or anything else you might wanna do out in the cloud, but for our sanity check I'll just go ahead and use ngrok in this case. I'll use ngrok for an HTTP server on port 8000. So then it will funnel out and now I have this address redirecting to my website. So I'll go ahead, grab this URL and I'll check it in my web browser and it returns, hey, this is from John. So now this is publicly accessible out on the open internet thanks to ngrok. ngrok does have a free tier so you can do this on your own if you'd like to but going back to the service I'll try and enter this here and it returns, hey, this is from John. So we know that it is calling back to our instance. 
If I go look at kind of our server logs here we can see that tunnel and those requests that come through. So what could we do now if we could have Curl call back to us and maybe we could get some data from it? Well, since we have control over the arguments of Curl and really what Curl does we could try and just read the man page and see what could we have Curl do that's particularly interesting. This is where that concept and idea of RTFM or read the manual really comes into play here because you might immediately know just off the top of your head what you can do with Curl to be able to do something else that's a bit more interesting. In our case, we know that we specifically want to access this flag file that we know is at slash flag with the root of the file system. So what could we do to get the contents of a file included in our web request that we end up sending back to ourselves so we can see the contents of that file. In the Curl man page we could just scroll through this thing and read the whole thing if we wanted to. I realize this is pretty lengthy. If I scroll all the way down here what we're up to like 3,706 lines maybe. So there's a lot in here. I'm gonna try and just search for things like file or upload. I'll use the forward slash to be able to run a search in this kind of paginated output with less or viewing a man page. So if I search for file I can hit N to hit the next display of that or the next finding. And there are a lot of entries for file. Something that it kind of notes at the very, very beginning of how you use Curl. You can specify these locations and things you want to reach out to with a specific URL protocol or schema, right? HTTP for the hypertext transfer protocol, HTTPS when you add SSL in there, FTP and there are a lot of others we could use. In fact, we'll dive into that maybe at the very end of the video but I do want to showcase something before we get to that quick cut. Let's keep looking for places that we can use file. 
I'm scrolling through and I want to probably find something that's not gonna end up maybe reading from a configuration file or checking out certificates that we might supply. Searching for file is kind of tough in here because obviously a lot of command line arguments and parameters might be just using files that you would supply on your local system as stuff that curl could use. So maybe upload would be a better thing to search for or just again scrolling through this until we see something interesting, that is really what we gotta do. Just kind of a lot of reading in this case. Supplying cookies, there's a lot here that might not be immediately useful for us but I do see something now adding in a file name. It looks like this will make curl load data from a given file. You will encode that and pass it in to a post request. Okay, so I might be in an interesting worthwhile part here. I'm gonna scroll up. Oh, it looks like I can supply like data-binary, passing stuff in. Yeah, if you start the data with the at symbol the rest should be a file name. Data is posted in a similar manner as tack D or data. Maybe that would be worthwhile. Can I just do that with that tack D or tack tack data argument? We can try it. Looks like tack D also is kind of defined here and you could also use tack F or tack form. Oh, and there's another one scrolling through this. Tack tack data-binary also references our upload file with tack T. That sounds good. Upload is something that we knew we kind of wanted. So if I scroll down to that tack T, do they give us a better example? I guess it was called tack tack upload-file. Did they showcase that? Yeah, this transfers the specified local file to the remote URL. If there's no file prefaced. Oh, so that syntax will just take a file immediately following it. It doesn't need that at syntax kind of there. That might be useful for us. So let's try a couple of these, right? We do have our ngrok service still listening for our own local website. 
But if it were to try to post to our own website, maybe it won't be able to retrieve that data because post might not be a supported method. We can try it. Let's use that curl, I guess, tack tack data-binary at symbol to specify a flag or file location. And we know we want slash flag and we need of course our own URL. So I'll grab that from ngrok one more time. Let's try and paste that in. Oh, that got an illegal characters detected. Did it make a request? It didn't look like it. Let's try that tack F argument. Is that still giving me illegal characters detected? Does this need to be in quotes or something? We'll just kind of experiment. We'll just try stuff. Maybe that at sign is something that it might not like. Let's try that T for upload-file. We'll enter on that. Still nothing coming through. Huh. Is it the ngrok URL that's making a mess here? Or is it because of our illegal characters in that escapeshellcmd? Let's try without quotes. In fact, let's reload this page to see if we can just clean it up. That still gets me illegal characters detected. Hmm. What else could we do here? Part of me wonders if using the web interface is kind of getting in the way. We know we are making a post request. So could we do this with our own curl command, really? Let's try and find out. So I will try this with curl with the URL here itself. And we know this was going to post. All right, I think it was API curl and we needed to make sure that this was a post method. So I'll use tack capital X to specify the method type. We'll post to it and we'll specify tack D for the data there and we'll say the IP address and we'll just use kind of our example.com proof of concept again. Okay, looks like it comes out here with a message. And that's all in JSON, so I'll pipe that to jq. So now that displays it out. But we wanna try and reach our own IP address as we were attempting to do, right? 
So we'll copy this and we will change that syntax to now reach our IP address, which it retrieves, good. But let's see if we can add in those arguments that we knew that we wanted. We wanted a tack T and a slash flag to upload a file. Mm. So our server finally got the kind of request but when it tried to put a flag, it didn't really wanna do that. So our little simple HTTP server or HTTP server in Python won't know what to do with a put method that it might be trying to use here. If we were to actually just use that tack F syntax to upload for a form and we had that prefix for an at sign with the flag, would that behave? Looks like that didn't return an error but it also didn't seem to do much. Let's try that tack tack data binary. There we go. And that also has an unsupported method we could see here. Post also failed. So let's switch this up. We'll use a netcat listener to see if we can just retrieve data out here. Rather than hosting a full blown HTTP server with that Python simple HTTP server solution, let's see if we could do this just as easily with a tiny netcat listener so that way we can see the contents. So running that same structure, I'll use the tack tack data binary with the at sign prefix for that flag file and that comes right through. Nice and easy. Okay, we could have very well done the exact same with tack T or that upload file. And again, that doesn't require the at symbol prefix. I'll start listening one more time. Let's see if that will return. Looks like it did. File retrieval as a service. And that was one technique, right? That was one trick that we could use. That was kind of calling out back to us with a little bit of a troubleshooting to see what was going wrong. Maybe trying to do it through the web interface just wasn't interacting with us well because of all the spaces that we might have been using. So curling it kind of on our own to access the webpage is a worthwhile venue just as well. 
But using all that, we pushed the file back out to us with upload, using those arguments. But remember that we're specifying the schema for this protocol here with HTTP. We could just as easily try and read some local files by using the file schema for that protocol. So rather than HTTP colon slash slash, we could look for file colon slash slash. And then kind of any absolute path on the file system that we'd like. So I will view like /etc/hosts as a proof of concept or /etc/passwd if you'd like. But you know, hey, we know we just wanna see the flag file. So we'll use that file schema and just literally read from file:///flag. And that's it. That's how we solve that challenge in a nice quick and easy, simple way. So that wasn't an egregiously hard challenge. Just kind of understanding what's really going on. Taking a look at the code certainly helped us do that. But I'm sure you might be able to see just kind of at first glance, oh, that's what this is doing. It's running curl with our arguments passed in and supplied. So we could take advantage of that. We could use curl to retrieve data that's useful from that target system or even just read local files like with that structure of that file schema. So that is that goodness. I was talking way too much for this sort of video on such a simple challenge, but that's that flag. We could go ahead and submit it, you know, before we sign off, let's go ahead and bring this back. Let's see if I can submit a flag here, paste it in, and cool. I'm finally back in action, right? Even though I missed the game, we're still getting some points here. 1,000 points on the board. Yeah, go me, right? All right, everybody. Hey, thanks so much for watching. I appreciate you tuning in these videos. Forgive me if I am a bit long-winded and verbose. I still kind of want to be showcasing the whole thought process and troubleshooting and everything. 
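Having seen both paths, extra curl arguments such as -T and --data-binary, and the file:// scheme, here is an added example (my own code, not part of the video or the challenge) of how I would rebuild the command model so that neither works. It is written in Python rather than the challenge's PHP, and the function names, the five second timeout and the error class are my own choices; the three controls are the ones that matter: build an argv list instead of a shell string, allow-list the URL scheme on both the application side and with curl's own --proto flags, and put "--" in front of the target so curl can never read it as an option.

```python
"""Added example: a hardened builder for the 'curl <user target>' health check."""
import subprocess
from urllib.parse import urlsplit

ALLOWED_SCHEMES = {"http", "https"}


class UnsafeTarget(ValueError):
    """Raised when the user-supplied target fails validation."""


def safe_curl_argv(target: str) -> list:
    """Validate the user-supplied target and return an argv list for curl.

    Each control closes one path from the challenge:
    * argv list, never a shell string: whitespace in the input cannot become
      separate curl arguments, and any whitespace at all is simply refused;
    * leading-dash check plus the '--' separator: the target cannot be parsed
      by curl as an option such as -T or --data-binary;
    * scheme allow-list here and again via --proto / --proto-redir: file:// and
      every other scheme curl supports are refused, even after a redirect.
    """
    if not target or any(c.isspace() for c in target):
        raise UnsafeTarget("target must be a single token without whitespace")
    if target.startswith("-"):
        raise UnsafeTarget("target must not look like a curl option")
    parts = urlsplit(target)
    if parts.scheme.lower() not in ALLOWED_SCHEMES:
        raise UnsafeTarget("only http and https targets are allowed")
    if not parts.hostname:
        raise UnsafeTarget("target must include a host")
    return [
        "curl", "-sS",
        "--max-time", "5",                  # keep a hung host from tying up a worker
        "--proto", "=http,https",           # curl-side scheme allow-list
        "--proto-redir", "=http,https",     # ...and the same for redirect targets
        "--",                               # everything after this is a URL, not an option
        target,
    ]


def run_health_check(target: str) -> str:
    """Run curl without a shell; user input is only ever one argv element."""
    argv = safe_curl_argv(target)
    result = subprocess.run(argv, capture_output=True, text=True, check=False)
    return result.stdout


def is_accepted(target: str) -> bool:
    """Convenience wrapper: True if the target passes validation."""
    try:
        safe_curl_argv(target)
        return True
    except UnsafeTarget:
        return False


if __name__ == "__main__":
    # Constructed inputs: one legitimate target and the shapes seen in the video.
    for candidate in ("http://example.com", "-T /flag http://example.com",
                      "--data-binary @/flag http://example.com", "file:///flag"):
        print(f"{candidate!r:45} accepted={is_accepted(candidate)}")
```

One caveat a reviewer would still raise: this stops argument injection and local file reads, but a "check the status of any URL" feature is by definition a server-side request forgery surface, so a production version would also resolve the host and refuse loopback, link-local and private ranges before handing the URL to curl.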
So maybe if it's a long video for something as simple as this, I still hope that is worthwhile. But thanks again to Hack the Box for letting me do some of these videos. Thanks so much for you tuning in. Please do all those YouTube algorithm things I would love if you could like the video. Maybe leave a comment below. Let me know what you think. Do you like this format? Even though it is long form and verbose, and subscribe, that'd be great. That'd be excellent. Thanks so much for watching, everybody. I'll see you in the next video. Take care.