I want to introduce you guys, if you haven't heard of it before, to TryHackMe.com. So let's jump over to my screen here. I want to show you guys this. TryHackMe.com is an awesome, new (I think it's new; I think they got started just a little bit ago) but incredible learning platform for cyber security and hacking and penetration testing and CTFs and all that stuff. It's very much similar to Hack The Box in that there is a network you can connect to, and you'll interact with all these different machines and computers and systems and work with them, and in some cases try and break into them, try to hack it, right? Try hack me. Honestly, I feel like there's a lot of really cool stuff in this and I wanted to showcase it to you. I want to do one room. That's what they call some of their activities, or some of the other events and exercises and things that are happening within the site, within the platform. It's really cool. So here we go. If you first register an account, you can just go to TryHackMe.com, the registration button up on the top right, and it explains to you kind of the concept of this: rooms. Rooms are kind of virtual classrooms that are dedicated to different cyber security topics and things, and a lot of times they can be certain penetration testing or web app hacking or any other security-oriented thing. It's just a way to learn.
It's a vessel; you might think of it as like a box in Hack The Box, or essentially a CTF, because you'll have some challenges or tasks and assignments given to you within each of those, and you'll have to find the answer or the flag, whatever the case may be. So you can just go view some of the rooms and jump in them, and you can see other hack activities that are going on. That's the tab to go find those things, and honestly a lot of these are community-oriented, so if you wanted to create a room or some training pipeline, you could do that. In fact, honestly, I feel like I might want to sometime in the future. I think that'd be really cool. There is, I guess, a commercial rendition of TryHackMe. There is obviously a free edition of it where you can go ahead and access it and use a lot of the training platforms for free. There are free rooms, but there also are of course some pro or kind of subscriber ones: people that have a subscription can have access to the VIP server and access other rooms or specific things. One of the really cool things: you can actually deploy your own Kali Linux machine, a virtual machine you can access in your browser, if you don't want to spend the time creating that environment on your own or, whatever the case may be, you just don't have the material, the hardware, or whatever. That, I think, is an awesome thing, and you actually can access it in different ways. So I'll show you that super duper soon. Subscribing is only $10 or, I guess, what is that, eight? I'm so bad at these currency symbols. Eight pounds, that's what it is. Eight pounds a month, and it has the following benefits: the pro content, the Kali Linux machine, and paths, which is another kind of "here's a pipeline for you to learn specific things or specific subjects." And of course you can even control the machines in your browser or spin them up a little bit faster. So it's very cool. It does require you to have a VPN connection. Honestly, that's not new.
You've probably seen that in Hack The Box or in some CTF. So it's very cool, and we'll get right into it. We'll dive into it. I'll show you that OpenVPN stuff. Getting into your Access page... let me actually pivot to my other logged-in page, because I actually have my account, and then I have the account that I want to show you guys some of these video tutorials in. So this one that I have is with that VIP or subscribed thing. I think you should do it. It's totally worth it. And I didn't want to have all my answers already filled in in the boxes in the rooms that I've gone through, so I have that other pane so I can show you we're going through it with a clean slate. But let me show you that Kali machine again. This is only something that you could spin up if you have that subscribed rendition of TryHackMe: a subscription-only room. It's worth it, and I think this is a really cool perk. If you're using the Kali machine, you don't have to bother connecting with the VPN, because the machine already lives inside that TryHackMe network and it's surrounded by all the other deployed machines. So it has a 2020 version of Kali Linux, which is awesome. That's the one, I think, using... what is it? It's XFCE that they jumped into, isn't it? So if you hit the deploy button, just that green little cloud up there, it'll go ahead and start it up, and this is really cool. All right, I'll let this initialize while I read some of the things you can do with it. You can access it through RDP, so if you need that graphical user interface, you have credentials there, and you can go ahead and SSH with it, which is also awesome. In that case, I think you probably do need the VPN connection so you can access it. Yeah, you would need to... or can you just SSH straight into that? Let's find out.
I'm going to learn too; it's just a learning video, man. We'll do that once it boots up. And it tells you a little bit about what the machine is built with, how much RAM it has, etc., etc. And hey, don't do anything bad. Play nice, right? No illegal activity. You can of course access the 2018 version if you're more interested in that, with, I guess, GNOME, yeah, the GNOME desktop environment. So I'll let this finish initializing and we can jump into it. But honestly, I think that's super cool how quickly they can do this. All right, so now my machine is started. I can see my Kali cursor, and if I move just out of it, it looks like it goes back to my regular cursor. So that's kind of cool. It's fully in the browser, nice and easy, and you can see it's just Kali. It's just Kali you can interact with in your browser. That's awesome. If you want to hit that "Access in a browser," you can pop it up in a bigger window. But seriously, look at this: ls, whoami, doing things. Hack the planet. Check it out: "Access in browser," and now you get a full-screen one. So it's like you're really using the machine without needing to spin up your own virtual environment. Very cool. Let me see if I can SSH into that. I think that would be a cool thing. root and tryhackme, so let's try that. Do I have that IP address accessible to me without being in the VM... in the VPN? Oh, let me grab that password again. Yeah, and then we just jump right in. Oh, that's awesome. So that is the Kali machine that you can just spin up if you have the subscribed version of TryHackMe. All right, let me pivot to my other browser here that I want to use to go find and track down the Basic Pentesting room. You can take a look at some of the other rooms that they have. It's awesome that they actually had an Advent of Cyber thing.
Like, you know, those 25 days till Christmas. Cracking hashes, learning about Metasploit, the Kali Linux one, Shodan, OWASP Juice Shop, Alfred, some Wireshark stuff, reverse engineering, DVWA. Look, I think they just have a really cool collection here. Basic Pentesting is the one I want to jump into, so I'll click on that and I will join the room, just that green button. Okay. I'm not going to use a Kali Linux VM in this case, because I want to show it to you as any player could, anyone that is using this with the free account. So we would need to go ahead and deploy this and access our OpenVPN configuration file. Okay, spun up now. And now let's go to that OpenVPN configuration file page. Let me go ahead and download this. I'll make a directory for this, I guess. Let's make a thm directory. Download this, save it into thm. All right. Now I can sudo openvpn... oh, I'm not even in the directory. What am I doing? I'll enter in my password so I can sudo just fine with that, and now I am connected. All right. So I'm using Terminator, so I'm going to move that up to the very top with the split screen, and I'll amp that up so you guys can see it. Now, if it'll refresh that page to tell me, "Hey, you are connected," when I check out that network information. Sweet. Let's go back to my rooms now, because Basic Pentesting is a room that I am in and I can access it with just that. We have the IP address, so let's go ahead and take note of that. I'm actually going to start to take some notes. What I like to do here is just sort of a README for each of these that I work through. Let's call this "Basic Pentesting." I'll say the IP is just this, and then let's start with scanning. Okay. Can I even ping the machine? Seemingly no. Just a little bit more time. I'm still connected. There we go. All right, it's up now. All right, let's do some nmap scans to start with. I'll use nmap -sC -sV for default and safe scripts... or default scripts.
That's what it is, and show the version numbers, and I'm gonna output it into "initial." Let me go ahead and create an nmap directory to do that in first. Now I will run that command, -oN nmap/initial, so we know what we're up against for this box. I should actually supply an IP address. There we go. Okay, now our nmap results came back. Looks like we have a lot of information here. I saved that in nmap/initial, so let me go ahead and open that up and we'll see what we're working with here. We have port 22 open, so SSH; we could connect to it remotely. It also has port 80 open, so it's running a website. It has Samba open. Looks to be Linux. Okay, the host is called BASIC2, and it seems to be all... All right, so what I like to do is actually just kind of keep note of these. I'll just have like an "Open ports" section. We saw 22, we saw 80, we saw 139, and we saw 445. Yep, okay. So now we can go ahead... let's actually go ahead and interact with that website that it has up and running. Let's see if I can open that up in my browser. I'll create a new tab and I'll jump in there. It says, "Undergoing maintenance. Please check back later." I'm gonna Ctrl+U to view the source, or just right-click and View Page Source. It says, "Check our dev note section if you want to know what to work on." Our dev note section... I don't know where that might be. We could try to go to like /dev or something. Okay, that's not right. Oh, it does tell us this is an Apache server running on Ubuntu. So, because we don't know what other paths might be in there, let's go ahead and run a tool that we could actually use to try and brute-force these locations. I like to use DirBuster. I've also recently just started to use gobuster, so let me do that.
I'm gonna use gobuster, and it tells me, hey, we need a wordlist and we need a domain name to actually work with. So I'm gonna use gobuster with the same wordlist that I would give to DirBuster. I'm gonna use gobuster with a wordlist that I would use for DirBuster, directory-list-2.3-medium, and the URL should be... it's that 10.10.10.180... 10.10.100... there we go. Okay, now DirBuster is gonna run, and we'll let that go for a little bit of time. I like to do some other enumeration. So because we knew that 445 is open for SMB, well, we can go ahead and start another scan. Oh, it actually just found a result, though. It found "development." So let's pivot and just go see what's in development. I got a 301, so I might have been redirected somewhere or something. Let's see. /development. Oh, we have some directory listings here now. We can see these text files, dev.txt and j.txt. Let's see what dev is. "Since I've been messing with that Struts stuff, and it's pretty cool. Haven't made a real web app yet. I'm using version 2.5.12 because other versions were giving me trouble." Is that the one that's insecure, Apache Struts? Okay, maybe we could use that. "-K. SMB has been configured." Okay. "-K. I got Apache set up. We'll put in our content later." J... what are we even being asked to do? What are kind of the prompts inside of this room here? We can go see. It says deploy the machine and connect to our network. Okay, we did that. We can mark it completed. We can just kind of mark these if we did them; some of them don't need an answer, "No answer needed." Find the services exposed by the machine. We did that with nmap. What does that hint say? Does it tell us? Oh yeah, use nmap.
That's awesome. One of the things I really like about TryHackMe is how open and transparent it is with your learning. Like, even if you score the top tier, they'll willingly give you write-ups, community-written, community-produced, if you want to click on that. If you got stuck on something, if you wanted to, there's no shame, and the whole point is to learn; the whole point is to practice. And I think that's awesome, that TryHackMe is open about that. Okay, let's get back to it. What is the name of the hidden directory on the web server? Enter the name without a forward slash. Oh, we just found that. That is "development," which we can go ahead and submit. Yep. Oh, and let's mark that other one as completed. Two, user brute-forcing: to find the username and password. Okay. What is the username? What is the password? Okay. What's the name of the other user you found? Find any vectors for privesc. And what was the final password you obtained? Huh, this is good, because the asterisks that it shows you are like the kind of length, so you have at least an idea of what it's looking for. That's kind of cool. So let's get these usernames. We found development, and it looks like there's nothing else that we could particularly look through. What is that j.txt? We didn't see him. "I've been auditing the contents of /etc/shadow to make sure we don't have any weak credentials, and I was able to crack your hash really easily. You know our password policy, so please change it. For J. -K." Huh, okay. So let's go try and figure out what those users might be. We know we have other ports we can enumerate and access. We could just brute-force random stuff on SSH, but that wouldn't help us much.
Let's try and jump into the SMB, or see what we can access with that. When I do that, I like to use enum4linux. That should already be in your path if you're working in Kali. I like to just go ahead and use it from my /opt directory, because I'm on Ubuntu here. And I'm just going to grab the IP address again, 10.10.100.180. I don't want the http nonsense in there. I use -a to do everything in enum, and I go ahead and pipe that to tee so I get an enum4linux log file and I can save my results. We'll go ahead and let that run. Okay, now our enum4linux scan has finished. I'm going to go ahead and open up that log file that I saved it to, because the output from enum4linux is kind of hard to look at through the command line there. There's a lot of noise and nonsense. So some of the stuff we already kind of tracked down: it's running Samba, we know the BASIC2 hostname. Let's keep scrolling through. Just some shares we could access: IPC$. Looks like, again, that's private. "Anonymous," hmm, I don't know about that one. We could check that out if we wanted to. See what other users that might have tracked down. "nobody." Okay, we'd expect that. A lot of these, some kind of groups... Oh, and there we go. Enumerating users using that specific SID, and we found a Linux user kay and a Linux user jan. Nice. Okay, so that would help answer some of those questions that TryHackMe had for us. If we go back to that page, let's say, what is the username? Well, we had jan. Go and submit that. I guess we can mark that as complete too, and it asks for the other username, the other user you found, so let's put kay in here. Good. And now, what is the password? We don't know that yet. What service do you use to access the server? Oh, that's gotta be SSH then. Access the server. Answer in abbreviation in all caps, so SSH. It needed only three characters.
Okay, that's the correct answer. Oh, we could probably try and brute-force, just as it said: brute-force the username and password. Since we know what the username is, jan, we could, and we know it's a weak password from reading that dev note, so we could go ahead and actually hammer this with Hydra. So I'm gonna do that. I'm gonna say hydra. If you run it, it'll give you a basic example usage of that command there. We could use hydra -l with jan, -P to specify a password list. I'm gonna use rockyou. I don't know what I was typing just there. And then we need to specify the protocol and what we want to connect to. So it's 10.10.100, and it was 180, right? I promise I'll remember this eventually. It was 180. I got it. All right, now we will let Hydra go beat this machine up. If you don't know, Hydra is a password guesser, or it'll brute-force by trying to connect to a service with given credentials. So you could specify a user file or a list of usernames that you would want to try, and a password file, just what we did there. If you use a capital L, that allows you to specify a user file as an argument or a parameter, or just a username with the lowercase rendition of it. Same thing with the password: if you want to use a lowercase p, you could use one static password, and it could loop through a list of usernames or one specific username, etc. And then the protocol that you're going to connect to, SSH or FTP, and I think it has support for some others. I think it can even do like web stuff; you can do like a form POST, etc. Really cool things with Hydra. But that is what we can use to try and run through rockyou.txt and attempt to spray that service and guess passwords until we could try and log in with it. Okay, it looks like we got a credential. Looks like Hydra was able to successfully brute-force and actually log in through SSH with a password with the username jan. So it looks like we have found that jan has the password armando... armando, I don't know.
I don't like to pretend. All right, what is the password? We can go ahead and submit that: armando. Submit, and there we go, that answer is correct. Okay, so we could at that point log into the machine now, right? So let's go ahead and take note of this. Let's say "Found credentials," or we should actually note how we got all those answers. Questions and answers: hidden directory on the web server, that is /development, found via gobuster. And let's get another one here: the usernames jan and kay, found via enum4linux. And then password: jan, armando, found via Hydra with SSH. There we go. Okay, so found credentials: we have jan and armando. That's all I've been saying, "armando," and that's not how you say that whatsoever, because there's an o at the end. It's armando. All right, let's SSH into that machine. We can ssh to jan@10.10.100.180. Yes, we want to do it, and armando is the password. There we go. All right, and we are logged in as jan. Basically, let's stop this stupid gobuster. We don't need to do that anymore; we're logged in. And let's see what we got. Okay, seemingly nothing in their home directory, or less history. Let's check out what that is. Oh, we can't. Okay, it's owned by root, and we are not root, and only root can read and write to it. Interesting. Let's check out /etc/passwd, just some manual kind of bumping around. tomcat, tomcat9 is in there, kay is in there. We see that. Okay. Can we do anything with sudo to privesc? Nope. We cannot run sudo on BASIC2. Okay, well, we can't read /etc/shadow. Can we see any other users' home directories? Let's move into kay. We can move into kay. Oh, she has a pass.bak file. Can we read that? No, we cannot. She has a .viminfo file. cat .viminfo. No, we still can't read those. All right.
Well, to speed up our enumeration process, typically when I get on a machine I like to run LinEnum, or now kind of the new one, LinPEAS. I can show you that LinPEAS GitHub, one of the privilege-escalation-awesome-scripts-suite. These are hilarious. I love that image. And LinPEAS will let us do this in Linux. It has a .sh script we could just go and run, and it's pretty pointed. It gives you nice highlighted color output as to what things could be used as a potential privilege escalation vector, etc., etc. So I have that currently just in my /opt directory, with linpeas and linpeas.sh. We can go ahead and actually scp that over, though. Let's scp it, because we have jan's credentials through SSH: jan@10.10.100.180, and we need to specify the file that we want to bring over, so linpeas, linpeas.sh, and let's go ahead and put it in /dev/shm. I like to put things in /dev/shm, shared memory. It works well for us. Okay, it looks like that copied over. Let's go check out /dev/shm, and there it is. All right, linpeas. Oh, let's do an ls -la. Yeah, okay, cool. Let's mark it as executable, and now let's go ahead and run linpeas, ./linpeas.sh, and I'm going to tee that to a file so I have the output, linlog.txt, and let's go. Okay, so that's going to run through a ton of stuff. It'll make our lives a lot easier, because we won't have to do that manual checking all on our own. And once it's done, we can go ahead and take a look through it.
Actually, let me just scroll up now so you can get a good idea as to what this is doing and how. So LinPEAS gives you a little legend of what you're actually going to be looking at with the colors that LinPEAS gives you in its output. For things that are red and yellow, that is very much likely a privilege escalation vector. For things that are in red, you should take a look at that, because if you explore it and do some manual stuff with it, you could probably find a route or vector in that. So, scrolling through, we know the operating system. Kind of an old version of sudo; maybe we could have used that. PATH looks okay. I'm looking for those red and yellow things, nice quick easy hits that LinPEAS helps us figure out. Oh, it's interesting. We have a lot of Perl and Python in here. We have gcc. All right. So things running as root, those are things we should check out. There's a weird one running as root, nmbd. That's kind of after Apache, which is peculiar. I wonder if there are other local services or open ports only local to this machine. Services... Oh, there we go. Yeah, in the active ports, you can see we only have one thing listening locally, and that's noted in red for us here. Hey, here's a loopback-address-only port that we could access, 2005. We could explore that. Superusers: root, obviously. Users with consoles are jan and kay, which we found. All users: jan and kay and root. MySQL, nothing there. Oh, looking for SSH files: port 22 for SSH, public key authentication is on, UsePAM. Oh, and they have a private key for kay. So kay's .ssh directory has an id_rsa file which we could use to log in as that kay user. I wonder if we could actually read that. I was just in /home/kay, so let's take a look. Let's do an ls -la. We could move into .ssh, and we can read her private key. All right, let's do that. Let's cat that id_rsa file. There's a lot here. "BEGIN RSA PRIVATE KEY." I'm gonna go ahead and just store this in a new file.
Let's say nano kay_id_rsa. Let's paste that all in here, just a quick nano file, and then we can mark it as read-only by us, because that's how id_rsa and private keys like to be used for SSH. So ssh -i with that kay_id_rsa, with the kay user at 10.10.100.180. "Enter passphrase for the private key." Okay, so this private key is password protected. What could we do to figure out what that password is? Enter John the Ripper, right? So John the Ripper, if you don't know, has a cool tool that comes with it, ssh2john, and you've probably seen a lot of these, like jwt2john or zip2john, for other things that John can still crack. Let's go ahead and say ssh2john with our kay_id_rsa, and now we have that hash that John the Ripper could understand, but not just the original file. So we have to run that tool before we give this file to John the Ripper to run and work with. So I'll call that forjohn.txt, or whatever; it doesn't matter. Now we could go ahead and actually run john, the program itself, with that forjohn utility, or that forjohn file, because we just saved all those hashes in a thing that it could use. I should specify a wordlist here, and because we can use rockyou, let's actually do that. We can use --wordlist=, and I have rockyou.txt, which is a big long dictionary file of common and known kind of, I don't know, often-used passwords. So okay, it found it right away. It found beeswax. That is apparently the password for kay_id_rsa. So what is left in our questions here? Oh, all we need is that final password you obtain. Let's go get that now that we have a new user. Maybe we have a little bit more access. So ssh -i with kay at 10.10.100.180, and we'll want to use the passphrase beeswax. All right, and now we're logged in as that kay user, so we could ls, check out our home directory. Now we have access to that pass.bak file; it's owned by us.
So let's check it out, and here is a really long, strong password that will follow the password policy. That looks like exactly what that last question might be asking for, and it is. All right. Okay, well, we can mark those other ones as completed, and boom, we did it. We completed the Basic Pentesting room in TryHackMe. So I won't go through, I guess, like rooting this machine or doing anything with it. You might be able to drop some kernel exploits or explore some other privilege escalation venues, like that weird port that we saw locally. Maybe that has some good stuff for it. I just kind of wanted to make this video to show you guys TryHackMe, and I'd really like to do a lot more videos for a lot of this stuff. I think a lot of them are fun, and really, you can learn a lot. Obviously, this was kind of a beginner, basic room here. You can see kind of the difficulty there, but I think there's a lot that you can do with this, and I really like all the variety in the different kinds of rooms that they offer. So I hope you guys go check out TryHackMe. If you haven't, please go do. If you're willing to kind of drop just a little bit to get that Kali machine, maybe that'll come in handy, and the speed to work with the machines actually really does help when you're trying to scan things or spin up the virtual machine. You could see it took me a little bit to go through a lot of that. So go for it. I really hope you guys enjoyed this. Thank you guys so much for watching. If you did like this video, please hit that like button. If you didn't, don't do anything. Rewatch it again until you like it. Just keep watching the same video until you decide you like it. A comment would be great to see. I'd love to hear your feedback, constructive criticism. Subscribe, maybe. Discord, Patreon, PayPal, Instagram, Facebook, LinkedIn, I don't know. Thank you guys for watching. I'll see you guys in the next video. Take care.
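The walkthrough keeps its scanning notes by hand: the open-ports list is copied out of `nmap -oN nmap/initial`, and the two usernames are picked out of the noisy `enum4linux -a` log by scrolling to the RID-cycling section. The Python below does that note-taking automatically from the two report formats. It is an added example, not code from the video, from TryHackMe or from either tool; the target address and host name are the ones the video reads off the screen, and both sample reports are constructed for the example (the version strings and SIDs are made up, not captured from the box).

```python
import re

# Constructed sample of an `nmap -sC -sV -oN` report in the shape the video
# reads off the screen. Target, host name and port set follow the walkthrough;
# the version strings are invented for the example.
SAMPLE_NMAP = """\
# Nmap 7.80 scan initiated as: nmap -sC -sV -oN nmap/initial 10.10.100.180
Nmap scan report for 10.10.100.180
Host is up (0.12s latency).
Not shown: 996 closed ports
PORT    STATE SERVICE     VERSION
22/tcp  open  ssh         OpenSSH 7.2p2 Ubuntu 4ubuntu2.8 (Ubuntu Linux; protocol 2.0)
80/tcp  open  http        Apache httpd 2.4.18 ((Ubuntu))
139/tcp open  netbios-ssn Samba smbd 3.X - 4.X (workgroup: WORKGROUP)
445/tcp open  netbios-ssn Samba smbd 4.3.11-Ubuntu (workgroup: WORKGROUP)
Service Info: Host: BASIC2; OS: Linux; CPE: cpe:/o:linux:linux_kernel
"""

# Constructed excerpt of `enum4linux -a` output: the RID-cycling section the
# video scrolls down to. The SIDs are invented.
SAMPLE_ENUM4LINUX = """\
 ====================================================================
|    Users on 10.10.100.180 via RID cycling (RIDS: 500-550,1000-1050)    |
 ====================================================================
[I] Found new SID: S-1-22-1
[I] Found new SID: S-1-5-21-1111111111-2222222222-3333333333
[+] Enumerating users using SID S-1-5-21-1111111111-2222222222-3333333333 and logon username '', password ''
S-1-5-21-1111111111-2222222222-3333333333-501 BASIC2\\nobody (Local User)
S-1-5-21-1111111111-2222222222-3333333333-513 BASIC2\\None (Domain Group)
[+] Enumerating users using SID S-1-22-1 and logon username '', password ''
S-1-22-1-1000 Unix User\\kay (Local User)
S-1-22-1-1001 Unix User\\jan (Local User)
"""

# "22/tcp  open  ssh  OpenSSH ..." -> port, proto, state, service, version
PORT_LINE = re.compile(r"^(\d+)/(tcp|udp)\s+(\S+)\s+(\S+)\s*(.*)$")
# "S-1-22-1-1000 Unix User\kay (Local User)" -> sid, domain, name, kind
RID_LINE = re.compile(r"^(S-1-[\d-]+)\s+(.+?)\\(\S+)\s+\((Local User|Domain Group)\)")
HOST_LINE = re.compile(r"Service Info: Host: ([^;]+)")


def parse_nmap_ports(report):
    """Return [(port, proto, service, version)] for every open port in an -oN report."""
    ports = []
    for line in report.splitlines():
        m = PORT_LINE.match(line)
        if m and m.group(3) == "open":
            ports.append((int(m.group(1)), m.group(2), m.group(4), m.group(5).strip()))
    return ports


def parse_nmap_hostname(report):
    """Host name from the 'Service Info:' line, or None if nmap did not report one."""
    m = HOST_LINE.search(report)
    return m.group(1).strip() if m else None


def parse_enum4linux_users(output):
    """Return [(name, domain, sid)] for the 'Local User' rows of the RID-cycling section.

    Rows under the S-1-22-1 SID carry the domain 'Unix User' and are real local
    accounts on the Samba host; the BASIC2\\nobody row is the guest mapping the
    video dismisses, so callers filter on the domain.
    """
    users = []
    for line in output.splitlines():
        m = RID_LINE.match(line)
        if m and m.group(4) == "Local User":
            users.append((m.group(3), m.group(2), m.group(1)))
    return users


def unix_users(users):
    """Sorted names of the real local accounts (domain 'Unix User')."""
    return sorted(name for name, domain, _ in users if domain == "Unix User")


def render_notes(target, report, enum_output):
    """Build the plain-text scanning notes the video writes by hand."""
    lines = [f"# {target}", ""]
    host = parse_nmap_hostname(report)
    if host:
        lines.append(f"Hostname: {host}")
        lines.append("")
    lines.append("## Open ports")
    for port, proto, service, version in parse_nmap_ports(report):
        lines.append(f"- {port}/{proto} {service}: {version}")
    lines.append("")
    lines.append("## Users (enum4linux RID cycling)")
    for name in unix_users(parse_enum4linux_users(enum_output)):
        lines.append(f"- {name}")
    return "\n".join(lines) + "\n"


if __name__ == "__main__":
    print(render_notes("10.10.100.180", SAMPLE_NMAP, SAMPLE_ENUM4LINUX))
```

Pointing `render_notes` at the real `nmap/initial` and enum4linux log files (read with `open(...).read()`) gives the same "Open ports" and users sections the video types out, and the `Unix User` filter is what separates kay and jan from the `nobody` guest entry that also shows up as a "Local User."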
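The web step of the room is a directory brute-force: gobuster walks a wordlist, requests `/<word>` and reports anything that is not a 404, which is how `/development` turned up as a 301. The Python below is a small reimplementation of that loop, added here as an example; it is not code from the video or from gobuster. So that it runs offline, it starts a throwaway local HTTP server whose responses are constructed to imitate the box (a 301 to `/development/` for the directory without its trailing slash, a 403 on `/server-status`, 404 elsewhere), and the wordlist is a constructed stand-in for directory-list-2.3-medium.txt.

```python
import http.client
import threading
from http.server import BaseHTTPRequestHandler, ThreadingHTTPServer

# Constructed wordlist standing in for directory-list-2.3-medium.txt.
WORDLIST = ["admin", "backup", "dev", "development", "images", "server-status", "uploads"]


class FakeTarget(BaseHTTPRequestHandler):
    """Throwaway stand-in for the box's web server (responses are constructed).

    /development answers 301 to /development/, as Apache does for a directory
    requested without a trailing slash; /server-status answers 403; all other
    paths answer 404.
    """

    def do_GET(self):
        if self.path == "/development":
            self.send_response(301)
            self.send_header("Location", "/development/")
            self.end_headers()
        elif self.path == "/development/":
            body = b"<html><body>dev.txt j.txt</body></html>"
            self.send_response(200)
            self.send_header("Content-Type", "text/html")
            self.send_header("Content-Length", str(len(body)))
            self.end_headers()
            self.wfile.write(body)
        elif self.path == "/server-status":
            self.send_error(403)
        else:
            self.send_error(404)

    def log_message(self, *args):  # keep the demo quiet
        pass


def brute_dirs(host, port, words, ignore=(404,)):
    """gobuster-style pass: GET /<word> for each word and keep every status not
    in `ignore`. Redirects are reported rather than followed, so a 301 shows up
    exactly as it did in the video. Returns {path: (status, Location header)}."""
    hits = {}
    for word in words:
        path = "/" + word
        conn = http.client.HTTPConnection(host, port, timeout=5)
        try:
            conn.request("GET", path)
            resp = conn.getresponse()
            resp.read()  # drain the body so the connection can be closed cleanly
            if resp.status not in ignore:
                hits[path] = (resp.status, resp.getheader("Location"))
        finally:
            conn.close()
    return hits


def run_demo(words=WORDLIST):
    """Start the fake target on a free loopback port, brute-force it, stop it."""
    server = ThreadingHTTPServer(("127.0.0.1", 0), FakeTarget)
    thread = threading.Thread(target=server.serve_forever, daemon=True)
    thread.start()
    try:
        return brute_dirs("127.0.0.1", server.server_address[1], words)
    finally:
        server.shutdown()
        server.server_close()


if __name__ == "__main__":
    for path, (status, location) in sorted(run_demo().items()):
        tail = f" [--> {location}]" if location else ""
        print(f"{path} (Status: {status}){tail}")
```

The `ignore` tuple is the same knob as gobuster's status filtering: against a server that answers every unknown path with 200 or 403 you would extend it, or switch to filtering on body length, otherwise every word is a "hit." Following the 301 by hand (`GET /development/`) is what produced the directory listing with dev.txt and j.txt.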