RED TEAM HACKING | CyberForce 2018
Skills:
Defensive AI60%
Key Takeaways
Participates in a Red Team exercise for a CyberForce competition, showcasing attacks and strategies
Full Transcript
all right hey hi hello what is up Internet oh hi I have with me hello I'm John Hammond and with me is the one and only mr. Caleb Stewart hello so what I have for your faces is some footage of cyber force which yeah was it was a game that we played months ago in New York I drove five hours north to party in New York so we have 8 hours of footage of when we played this and one was the whole thing yeah a normal speed yeah no passports no popcorn I'm actually speeding this up to I don't know if you saw that good ol 500 ok 281 times percent there's no way that's gonna actually happen my computer's not cool enough to do that but I don't think I'm sure that look at that parrot yeah the terminal parrot that is some foreshadowing right there so yeah we're gonna be just showcasing this at breakneck speed to hopefully showcase some of the cool stuff in there the event was two days oh okay sorry say what was yeah yeah we are we're red teamers in this case this is a blue team versus red team game for some undergrad schools and universities testing their cyber ninja warrior skills and their leanness and their cool stuff so I'm probably gonna have to like skip through some things here we got to be the red team for West Point yes so we're Coast Guard kidlets and we were like yo west points here so we told the organizers like I want that team well that was team or something like that however we asked them really hey can we request a specific team they're like um I know ones I guess I don't know like I guess it's okay I was like I want that one so I don't think I'm sharing too many trade secrets here they or any at all really it's a we're it's a red team exercise so it's kind of subjective and how there's grading right or how they actually score so there are staged attacks and like things that you want to try and actually accomplish throughout the day and I want to move quickly through this but this was actually prep time I don't know if you can see the clock up on the top right there but this was actually just trying to see what we can see see what we can access and then try and get a little bit of inventory for tools that we won't run or memes that we want to have and that actually is a good portion that I hope I pull it up really quick as I start to start to Google what are some quality means that we can throw in here that's one thing if anyone is not super familiar the red team is gonna have access way beforehand we weren't allowed to actually physically affect anything at the beginning but we had access before the games even started before the blue team was even there it's actually like met not mess around things but just to see everything and have an idea of how it all worked and then that way we could kind of hit the ground running as soon as it started if you look this is when I just had I just bought my Dell XPS 15 so I still need to like pull some tools in you can see me in solin Metasploit I think you can see me some grabbing some Empire or Python 2 etc Python 3 stuff and there it is pull up the inventory Red Team yeah yeah these are hilarious especially seeing them at the breakneck speed is a beloved egg I like it yeah exactly I need to build up an arsenal or like have a repertoire of things I can throw in when the time comes so the game 9 o'clock in the time in the morning we still just in prep and just kind of scanning the staged attack started I think at 10 o'clock something like that I saw the schedule blow by yeah yeah I remembered there were some timezone difference because we're playing against different teams across the country for our specific spot it it terminal parrot it's your favorite it is one of my favorites so this is in two two days so the first day that this is the video right now I like a Google Empire and the TV show comes up the first day we're actually trying to get our footholds and get our initial access the second day is when really we can start to kind of be trolls and beer annoying so yeah you see me a swollen Metasploit here again I'm gonna skip along to make sure this isn't too boring but I think showing you does that partly yes what is like 10 o'clock it's and then the 11 o'clock it so we can sort of do some stuff talk about some of the attacks that we're on there but it is just the fireworks and me running through things at breakneck speed here pip classic and classic cable not being able to install pip 2 verses pip three versus virtual environment versus your own versus that parent directories my apparent user but I did want to work with Empire I told myself that I would and I actually learned it just now like just recently that you can use it for Linux stuff like you can have that Python launcher and yeah so they had originally they had made PowerShell Empire one man someone I don't know the exact like developers who exactly was but someone was like hey this is really good so they had a fork of it I don't they call it a fork but uh almost kind of a remaking Python that was called like PI Empires and like that and then they were ended up being merged together to become just Empire it's not like Empire with a live I think that's how I doesn't it yeah and then at some point they got merged together and now it's not technically PowerShell Empire anymore it's just Empire I like this because this is talking about some of the pan backdoor stuff and you actually just wrote that yeah so I just wrote a little a little pan backdoor guy so we're a little module for Pam in see that basically will allow you to login it's in a user with a specified password just threw it up on github if anyone wants to check it out I guess we can post I think that's awesome I think that will be absolutely very good tool for these Red Team engagements in fun games so me learning a little bit of empower before the game gets started I like their own moments you can very clearly see lit you know might lock screen comes up and you know that I just like got up to cover my path and resume this is the waffle young yeah they did provide food which is a lot of fun they kept coming in asking if we had enough I'm really worried about whether the red team had enough snacks you need to have food for all the nerd hackers so what we ended up doing was actually trying to coordinate inside of a Google Doc that will come up soon enough yeah it got very messy but I don't know any other do it you can see it starting off with some nmap scan so we can get started scanning there are a lot of raspberry PI's that we're filling the network because I think they wanted to have like this industrial control system theme but without having really feel it yeah there was some there was a that one portal that we'll see later yeah it was industrial virtual system theme but the rest but I really didn't feel it yeah there were a few things we logged into that's a common thing I think in some games are exercises that try to have that and just use a Raspberry Pi to simulate it but it's still a computer man yeah I'm the other day they were all computers just the right the industrial controls and stuff just tips over if you poke it too much I like googled FTP I got some pretty pretty good stuff there I don't know if you can see it spit it out that's usually what I do I order my maps can make Google all the service names you know yeah what is FTP what is NetBIOS well so this is 10:45 so we should be should be off of the yeah we should be starting and I think that's when these scans are okay to roll Oh wasn't the first like our even after the game started wasn't a schedule attacked like the first hour after right I think there was there was that issue with the time zones were like oh we're an hour otherwise and well the first one that they started was like a pre planted it was a pre planted like Network like vine shell running on port in 999 oh we couldn't get to it I think our team hot dot good on dumb for noticing a an odd port oh I love this weaker into the channel army fun stuff it's fun stuff there's plenty of morale so they had a web site that we had to break into and they were very clever the team that we were working against was very kind of smart in their protection of this because they I can't okay I guess I can't sing their praises too much because the basic Gotha was good but not a silver bullet by enemy well so what the basic law was good they didn't tie down a different entry point because we had access from a different way and we could bypass their HDTV base basic off because of a different role ability wasn't I forget what exactly it was you'll see it come very very soon the first thing that I started to do in running through stuff was get the Raspberry Pi because they all had their default password of raspberry like rasp berry and then I immediately add a fake user add it in sooo doors and just keep doing this process over and over and over again you'll see me do that way too often but as with every exercise and routine thing that you see people will just say oh you have the full credentials and that's and it really is I mean in all honesty in like a real world scenario I think that's pretty the default credentials or weak credentials are pretty realistic for like here's how what a realistic scenario I like to try and add user names that look somewhat similar to others so you can see I had a p1 so it looks like an eye there was a default blue team account on all these machines so I added a blue team with a 1 instead of an L and then I would add just add that to the sudras group make it so they could run without any password etcetera I'm a big fan of logging in and will and I don't know if you'll see it on because it's about to happen yeah so we would I would always log in and I like to go in and take whether the LP the game's user and pulling a room might be closed either the either LP the game's user want some of those default users www wonderful photos it's one of those or all those users I don't like to take those and either add SSH keys or add passwords adding passwords is a little more noticeable if someone's checking like Etsy shadow but if you can add SSH keys into their home directories like games is slash user games I think is the home directory for it you get an SSH key there and then I'll actually go through and I'll replace user s been no logon and slash bin slash false both those binaries remove them and replace them with pin bash which you see happening there yeah what I started to do was symlink bin bash so this also the simulator didn't like that so this immolate works but if they have any kind of script that's going through and looking for oddities it'll notice a symlink whereas if you actually remove yeah it's a good thing good where if you remove biddin false and remove user Ben nope no logon no login and then replace them with Ben bash the only way they'll notice that's the wrong one because it's still a binary the only way they'll notice it's the wrong one is if they would actually either run it or actually run some kind of diff of the original file a new one we should actually do I think with D package I was gonna say yeah someone we tried to do for the pros vs. Josiane was used like D package some and like your package managers know how to do that yeah they can figure out C but if you don't do that then it looks completely normal so what I would do is I would add an SSK SSH key for those default users like LP and games and mail things like that and then replace user s been no login with bit bash and then if you looked at Etsy password it would look completely normal and like oh cool my accounts are locked down but I can still log in as those users and then some other things you can do you can add different users to sue doors which is a little more noticeable but at least gets you user access to the machine I try to chmod 6000 up there I don't know those are my favorite things there are a lot of hilarious stupid things that happen in this and I'm very excited type some 300 miles an hour yeah my 70% of the keys that I hit on the keyboard or the backspace key so you guys know you you YouTube fellows won't see that first hand oh I know too I sit next to that's sure it constantly is the next scheduled eternal blue yes yeah and I started running it with the eternal blue underscore Windows 8 which I realized was wrong for regular win eternal blue there's the PS yes they never forget about the PS exec cuz they're different the irregular eternal blue one is the one that has the possibility of crashing the machine but you don't need a named pipe whereas PS exact you need is pisses ik you need a named pipe that you can access but you have no chance I think close to 0% chance of crashing the machine so there there's differences but I would say if you if you know there's a named pipe there that you can grab the PS exact I would say as PS exec is probably the better one but one thing that I see myself starting to do is looking up shells with a Z which I heard about at pros Jose and I don't know if I properly understood like what it really was or what I wanted it to be because I mentioned this to you earlier just in like passing or casual conversation that intellectual sophisticated people have is that I want to have something that will like no I need I need a range of ports listening for incoming reverse shells and I want to be able I want to like smartly handle it is I'm Claire cropping up no it's just me apparently going to the bathroom again yeah I drink a lot of monster it's true a problem a problem no it's fine maybe I'm Claire he's crapping out I can't tell no we're going oh we're moving okay adding some stuff to it said her host file I think probably just sink holing maybe oh no I was testing again with shells so shells I wanted to be able to like know and recognize when I'm making reversal like connections but it wouldn't do that in the way that I wanted I think I need to get better or just understand more of empire or Merlin or even cobalt strike if if I fork out my arm and legs that would be an option because I want something good like okay here's a callback that happens let's catch it and keep it for me in the background I maybe I misunderstood shelves but I never got it to do what I what I wanted it to do I have never actually touched it yet oh I'm already talking about it and I still never gone back and look at it I saw this JSON configuration files it looks like my solicit lis talking about here's how it's going to be working but like I don't want to have to care about that I just want some command that calls back to me and then knows what it's doing so I I think I just put a side table to be able to have something like that that you're gonna need a more intelligent payload to go there right right now your payloads consists of just a call back so they're not intelligent enough to really know what's going on you're gonna have to kind of move up in the world to a better more sophisticated payload that's true I need to be and I try it for a little bit with some Raspberry Pi stuff but crops out a little lock screen lock screen this is me actually going to the bathroom always lock your screen it yes yeah might bring some burner laptops especially or like a laptop I don't actually use this in my personal laptop if we go to like DEFCON yeah yeah you can see and you've probably seen in a lot of other footage over my terminal or my terminator screens just has a thousands of different sub terminals in there it gives me anxiety yeah I hope there's a picture of me on one event where I had oh I wasn't using terminal terminator and I had like 47 little different gnome terminals everyone died so I hit alt tab at one point and focus on it and was they had my screen explode with the newest hilarious yeah Oh God so I know there was some weird thing we were trying to do okay this is when we're still trying to get around that basic off yeah what another stage exploit comes through when we're able to use some other passwords that I've been pre planted in like vulnerability prior access stuff we're able to get into some to some accounts like you had mentioned LP games male and some of the others that had passwords that you would have expected like you don't normally consider LP games nobody and male user accounts but they had passwords that were staged so I think is the takeaway as a blue team player has changed the passwords for literally everything and disable the accounts that you need to be to save right like even if you don't think or consider it to be an interactive user anything that's a user can be an interactive user movies oh and the deep package some really good yeah I have that in a pros vs. Joe's repository because we patched it into the linen linen em script because I like to use red team tools in a purple team sense where I'm gonna use them as a blue team member to find out where my security holes are so we put it inside of alanine um the reboot user Lyneham script that you might see often like hacked a box attempts or stuff like that so this was a lot of googling initially but we found an FTP that we could log into with the default creds and I think we were able to put some web shell maybe if we use the FTP yeah but I think that pointing us to that oh there are still default credentials that are being used here so we were able to do some stuff with that and at that point we had access and almost FTP access file download was successful and then we're allowed to use some of the weak login attacks yeah so dub-dub-dub data was an account interactive and it didn't have a password so we could sudo add our own new accounts and then you would figured out well we can find the HT password file that's controlling that basic HTTP off and then we have access to the HTTP we add in another account so they had their own account and they were using that to get in and out and I just added another account to their HT password file so unless they ever they've never opened the Asian bastard file so they never noticed that we were even able to get into it you set your no log in there yep you added you can see you're typing in Google Docs for a second which i think is cool that was there on another computer gooblat oh yeah there it is Jason so that's where we had one of the other really cool and fun things was they had a VNC connection that was visible in in originally blocked behind basic auth but it was rolling in a different port so we were still able to access it and find it and I started to do something interesting because you could just squat and like watch them you can Terminal squad and just see what they're doing because I think that was their only access to the machine at least as that HMI for their industrial control system Raspberry Pi thing so we started to explore is there anything we could see in there is there anything we could poke around any files would get access and you might have been you were the one that found that VNC light file or something that would actually still display the video in the VNC connection yeah so so they said it was Spencer's report so whenever you saw it through behind the page that was actually basic oft it was just an iframe for a different mission for a different port so that page was behind htaccess but you could just go to that directly to that port you'd still see the page so they did a good job blocking access to the main website they just didn't realize hey our service is being served on a different port it has a difference yeah so we were still able to get to it so I guess it wasn't a different port oh yeah was it yep but this is a funny thing and I hope we come to it soon because I was like man this is this is the only vector we have is just watching the movie and when we sat there for a while oh yeah because because this is not only a view we we could interact with it we could click in it we could change things we could type the problem was that was our that was probably as they were on it as well the minute they saw us change something they would know we were there so we stared at it for a long while yeah I kind of waited I lurked in the background as a ninja watch and see it are they not using this right now are they not gonna have eyes on it if I try and summarize it quickly at easy and they started clicking on yeah I quickly add the user to the sudoers file and then I think someone closes the terminal that I'm in real quick so I'm like oh someone spotted me and I try to create like a little reverse shell connection and I feel them holding down the backspace key you can see me like literally fighting someone a bit other end of this bein a connection [ __ ] you I knew it was gonna be in there I was like I'll just leave that yeah so it was funny you we were able to add a user and we were able to add it's the pseudos group however we weren't able to think they had only SSH private key private key that's what it was so they enable private key authentication so we couldn't log in with the password so we had a user with a password that was added to the pseudo group but we couldn't log into it and have a key so that was kind of our issue we're like well [ __ ] now they know we're here and we can't had a key to this user so we'll come back to that a little later but that was kind of a fun will back-and-forth with us on their machine for a little bit yeah and we did get the user in and I think soon enough I start to like try and stage some oh yeah we a soda Mason that's a yeah we we can use you can use a I figure out the commands because I wrote I was like over your shoulder with it you couldn't paste into the VNC connects yeah xte so we used xte to paste in this flight as as if it automated typing in the the string and then hitting the enter key because I couldn't paste into that VNC connection yeah so hilarious and dumb and stupid but literally me figuring out okay this is how I press the Enter key with this program staging the little little reverse shell syntax so then in the end of this what's basically gonna happen is we're gonna have xte simulate on our the host end our late ackers machine simulate typing out an entire command to add a private key to this user and then pressing enter we're gonna sleep before it starts that and then we're gonna like say sleep for five seconds and then go over that VNC connection click on the terminal and then X key is just gonna go and type it all for us in like half a second before they can even close the terminal oh and I don't think they even knew happened I think it kind of just happened and they had no idea and then we were in their machine yeah yeah I think it happened really quick I think you might have been the one that actually finished the scroll was I yeah so there might not be real footage of it but we got into the HMI and now we're just okay quick at our users put up some persistence and this is like poor man's solutions to persistence by adding some hiding users what I've been trying to do recently is add a cheesy reverse shell command as part of a cron job or putting it in bash RC just trying to hide it in an automated place that will run like well consistently without user interaction and we'll add a time schedule actually executes well something you tried to do which I think is gonna happen soon died I think was actually a good idea this is what this is getting close to it and it's actually hilarious I think it was a really good idea it just didn't we're good too you can see it's starting to happen what you were trying I don't know if you want to explain it yeah because I am to it I started starting to put it together up in the top left there I have this notion that like they're gonna run some commands pretty consistently you know what like the LS command so here's an idea how about every time they run the LS command let's have it start in your reverse shell and call back to me so I try and create some users and make enough persistence that I know I've got places login to but you'll see me start to create a new bin LS script a script that will eventually be a wrapper for what I would want to be an LS command so I do this for a bit and then I say I want to see if I can get it timed right they create all these crit all these accounts get a key in there because I know this is happening very very soon I'm getting this thing in here and then I say sudo nano bin LS and I create a reverse shell command and I call LS inside of the script like an idiot I made LS 1 and backup LS so then I start to make a connection and I've got my listener going and I've got LS calling back to it and calling back to it but then I see cannot allocate memory job control turned off come on fork process and I realize I just recursively called the LS command and repeatedly made shells call back to me so I unintentionally fork bombed this box and this snowballs are the oh yeah so so the funny the funniest part to me is is the fact that I did you stop it oh yeah yeah you're right that's the crazy so so you would think that this is this is a problem but you'd reboot it in the machine would act normally until you'd open all right no left until you read with the Machine and then it would act normally until you ran VIN as LS again you'd think you think that would be would happen yeah interestingly though even after a reboot it did not the footage is here where I try to send messages like I'm so sorry I did not mean to Doss your machine that was actually an accidental Doss yeah that's probably the funniest thing that happened well yeah on the same along the same line some other things we did just as kind of a red team kind of taunting the blue team you'll see it some things that we did along the same lines were things like banal or been such cat yeah I don't want to talk about it when it comes to because it's it's it's very funny to watch but might the most painful thing when I did that was knowing that I made the backup Neri like I actually had the script that would normally do what I intended and then didn't even think to use it here we're trying to do some web shells I think we tried to move into so we tried to get FTP right X yeah that's what it was I think it looked like FTP was working but we didn't know what directory was writing into does this is the one of the cool things because we had about the half-time games you know I think getting close to the end of the day where or halfway like we're submitting the vulnerabilities and things that we found but we do take notes and we do submit something that has I wanted to say a little bit more formal or intuitive this is an explanation of what we did and why we were able to do it because you guys did a good job you're doing smart and clever things but we still were able to kind of move around it yeah I think it's a it's a consistent thing whether it be CTFs or blue team exercises or whatever it's always like all these really really cool things these really obscure vulnerabilities we're gonna fix all these and then you forget the little things you forget that oh I'm just gonna go and check these things manually instead of oh I ran my script and it looked fine like don't forget to just use your eyes and do it manually because there's a big deal what I get into day two yeah okay almost a uploads trying to send some stuff in there some days it was two days what yeah got a hotel he's a good stuff it's all just one big blur of one that's one one big thing yeah yeah honestly bolt so many private keys yeah we had the idea or you had the idea like let's all use one kind of consistent private key as it as a red team or as the individuals that are there that are doing the pen test which is smart yeah I think I think it makes it easier that way like know whether you create the account I created the account it doesn't matter like oh we all have the same private key on slack let's pull it down and then again we just go with that right so I do this stupid thing for the longest amount of time where I try to put a meme on their website weenie too long it trying to put a single image on there and it wouldn't worry know you it's just HTML hey what it was it was just HTML and I'm like wTF is this some Django template thing that's like ruining my life right now because image source should straight up do it poorly it's still pretty yeah I got it it like I can't get this to stop P kill base64 I bet I remember like you tackled this like you took it from me he's like yeah yeah I felt dumb afterwards like John you're an idiot just put the image in the website right and then I was like I feel like 20 minutes of me trying to do it I was like [ __ ] it it doesn't matter I think it was dangos template and like it needed to know this is the location of the static files for Django but it just wasn't taking it was not having it why something stupid simple - we ended up we joined the server from our machine I think yeah I to do what does not simply I think I had the file extension wrong something something absolutely absurd so close to the end of this day and then the next day the next day is all about trolling the next is all about having fun yeah so there's gonna be some good stuff I thought I was trying to Apache get root mod there's a plug-in there's some extension you can add to Apache like Apache mod root or something where you just neck hat to it you typing get root and find you remember finding the squirrel mail I did we never yeah it just kind of popped up but it was not part of the challenge yeah like they like so they know list of services they had to keep up they in resume there was HMI things there was that website that had the the notes application there's a there's a few other things but about halfway through the competition this squirrelmail server just kind of popped up sorry I feel sorry for the [ __ ] distraction and we we've no idea why it was there and no one could tell us why that was distant did we get access to it I don't remember no I think we taught a lot of exploits and didn't bother you see me here going through it just like manually changing some of the website names to get a little defacement there a Red Team Corp though this is stupid and fun completely all the red team carpet oh this is hilarious I think I added the background background red and it clobbers the whole site and I don't know why yeah okay you don't want CSS you're just not gonna play nice I mean speaker CSS never please no so we get into attack number 10 because the in two days we had 20 attacks all in all so it was cut in half we weren't able to do any of those things or lose kind of notion of the others looking forward I think because the SSH private keys yeah so some of that depended on SSH and we thing which was great like they enable SSH private key authentication across the board which was fantastic not for us but for them it was great so another blue team tip do that yeah cuz I mean at that point there's nothing there's no chance of like bad passwords like I can't do anything remotely not much anyway definitely had a vulnerable version of SSH but I just changed like my terminal background I was doing funky stuff oh actually oh the FTP default login and then we knew that there were default passwords so we oh so that was the thing with FTP yeah they they enabled SSH private key authentication in for their users but then and we we just looking at FTP as the anonymous user looking at it but then we realized FTP by default I think it's V SFTP in a D in Ubuntu yeah well authenticate with local users and we're like oh [ __ ] we could just log in as FTP as the blue team user with the default password and it works so they they enabled SSH private key authentication but didn't change the default password for the user which blocked us out with the exception FTP which we can log into without the certificate and then we can write files too for example the web root and then we got a shell I think it's how we did that's yeah also that one does not simply it didn't have true and didn't have nano or VI or vim it had the tech Senator Joe no I think I just dealt with it but I don't know if you people that were watching might have seen me wrestling with that editor like how do I leave what am i doing I didn't even know you did that I don't remember that I probably wind about it at some point during the exercise like what the heck is this editor Joe okay so this is the this is the final report on the end of that day zero one in a tent ax were what we were on the first day 11 of 20 because we hadn't gotten to those attacks yet we just didn't put them in but we were saying like you guys did good like you guys did well and it was very cool to see some of that stuff and I put that down here in the notes you see me bang that out basically cheat if he was good SS each BBQ was good but it's not it's not all the walls are boarded up though and is that just about the end of day one I think so cool you're still sticking with us we can move in a day - I'd be fun got a little fun stuff good times okay yeah this one does not simply a finally looks like the whole website only got image 24 hours later yeah yeah took me all night and they fixed my red team core so trying to see what we still have left for persistence some of the accounts that we created I had not gone away which maybe was a bummer and I think we see that especially throughout today because we get to do a little bit more on the offensive Burnham if you've got an mentality because we already had so many users and kind of foot holes and claws still in there why hadn't they been taken out like why we are obviously active on the machine why aren't they booting us why aren't they killing or SSH connections and that was the strangest thing anything for us yeah and as we get through this you'll see we were loud yeah we were really loud and we were like they knew we were there because they would like they would kill our connection mm-hmm but then you just log in as another user you'd be good for another like 10 minutes then they'd kill your SSH connection but they wouldn't remove the user they wouldn't change the password anything like that they would just kill your session and sounds like okay that's annoying mm-hmm I'm gonna stop me however I mean it was a little more than annoying every we're sitting there and I would bet god damn it command like it login type half the command and they boot my session and then I just log in again I'm starting to look for some silly annoying control things like okay how can I change the bash prompt to be like red team was here and like glitch text or something stupid and sullen go so we can get terminal parrot yesterday your thing was terminal parrot my thing was cows it oh yeah and it's hilarious once it hits there's a lot of good stuff as we start to scroll through this because this is when we just meme control and a nuisance check out where it is so I start to write two different connections trying to talk to people we got my wall goin so I think so it's not you can't see it on my machine because I was running all these but at some point around in here I is where I've mentioned a couple times I'm just really proud of I thought was hilarious the cows ate yeah and that's gonna happen you start to wall show it on my do I show her yours it's like yeah it comes in oh no you don't right we get to see this group running but you'll see it happening and this is hilarious because you're like wall hello dad cuz I had rooted their machine so I was just I was just dumping wall messages to everyone logged in I just like a couple times they responded to us yes they did and that was when they asked us like please tell me how to fix the [ __ ] oh yeah I think was that for or something and they were like what did you do to death for it and I was like what do you mean and they're like it doesn't boot if yeah you'll see what it happens because there's a genuine comp there's a genuine wall whole conversation one of these exploits that had us do was param eco which was cool we could see different files and there were two FTP servers one of which we were able to work in one of the one of the we were not even SSH I think so you said you said FTP it I'm sorry I'm sorry see what happens so I'm adding in terminal parent to the bash prompt and then you see me connect to it and it errors so often like I don't know what terminal pair it is and I think it's hilarious John you're an idiot so I try to setup go get to go environment variables right which I still never get right and don't understand yeah it's really annoying yeah but as soon as I'm seeing more and more go is becoming quite a Swiss Army knife this is like SL but pusheen oh I tried to do that I turned her over right cat with that and again I'm getting to the danger zone when I'm trying overwrite but I wanted to get SL the steam locomotive command on here to switch up their LS command to speak to be a nuisance and I end up tripping over it myself which is hilarious way too often because I just so easily OLS where am I in the world right now and then freaking steam locomotive but seeing pusheen happen is hilarious oh there it is right there there it is oh yeah come on talk to me I'm lonely that was the blue team yeah dang that was you know know that that was them and then I said you should fix dot nine go at this point we didn't know it was our fault at this point we still thought oh a reboot would have fixed that and so I was just taunting them like hey you should go fix dot nine but no it was really broken I want to see when they respond cuz it's it's it's so funny they're like oh can you tell me how to do it and then we said I say the stupidest thing Steve oh c'mon this you literally literally like every five seconds you'll see me run into my own wall I love this technique Python simple HTTP server because we're just trying to pull stuff back and forth of different boxes you're much better at using netcat to transfer files yeah I do a net count all the time just it's simple and easy quick and easy yeah and that's just like redirecting to or they respond because I know what's coming up soon I create pusheen make him into the cat's binary or the kitten something that I did here I don't know if you saw it was SL and putted cats at the same time so the train just goes like no please tell me how yeah and I I respond oh also you put the Google Chrome no anything on there yeah you said it you said tell you how to what it's place kotte with machine and one of my favorite things defaced the web server with the Google Chrome no internet dinosaur yeah it's a great game oh it's hilarious hun I didn't know you get down on the static version today how to fix dot nine set one cut a hole in the box get a lonely island reference there param eco exploit I tried to weaponize and get right a little bit more but it never seemed to work I kind of I got a felt bad after later when I was like screwing with him a lot about like huh like how to fix it and then we found out later that was actually kind of our fault and I was like oh yeah oh yeah I tried to send a lot of apologies and that'll be very very visible because they had someone come in the room and asked us so one of that one organized yeah it was either you were too embarrassed i yeah i was super-embarrassed i wouldn't talk to them like that weak so he somebody walked in at one point and the one of the organizers was just like uh it is one of the teams just shutting down the machine every time they started up and me and john looked at each other and we were like no but I think I know what you're talking about we were like we didn't mean to but it might have just completely destroyed their box yeah and so he said okay we're gonna we're gonna let them know that it's fixable but like what's going on and I was like if you need me to come fix it I will but I need physical access and use like no well I don't know that it's fixable that's something there but we'll give them a little time see if they can fix it and otherwise we'll come back so they I'm past these we let them we let them kind of figure it into work for a little while I think it's like 45 minutes later an hour and the guy comes back in and he's like can you come here and so I look at John I was like I'll go so I walk into this big roomful he's blue team guys I'll sit around these tables and I walk up really Hey so I'm your red team red team we didn't mean to I'm sorry but what's gone so Chevy's machining for some reason every time it booted it would just die and I guess at some point in during boot process and Ubuntu you it runs LS no idea why it would ever do that during the boot process but I wonder how or where that happens I don't know yeah but every time I booted it would die before I could even finish booting up because I assume it's running LS what we ended up trying to do was actually there was no console like direct console on that on that machine on those virtual interfaces they had so we ended up having to detach the hard drive from that VM attach it to another Linux VM mount the hard drive in the other Linux VM remove the bin LS replace it with the correct then LS and then unmounted and attach it back to the original VM but that still didn't fix it the machines still didn't boot I don't know what happened they ended up getting points back for it but I was just like I'm really sorry but I don't I don't know we messed up LS what we didn't do this yeah yeah that shouldn't have happened trying to run eternal blue again I think so I think I'm just trying to get back some footholds but because like you said this is kind of our burn at times at the end of the second day yeah someone sent along all these credentials that apparently came from either the organizers or the people that had set up the infrastructure but I try to work through some of them with our DP I try to work through some of them with PS exec but none of them seem to work so that's that's kind of what the bat Fiasco is here but that just straight up didn't happen so yeah even even trying PS exact which is outlandish outlandish line for me I don't I don't know as much as I should in that regard but eternal blue Sol is kind of our magic gun obviously I think they'd actually be something that's on your list who immediately patched or immediately put together when you got a a blue team different office and BB one yes there's not useful for it in the registry I don't even know why it's on yeah this is when we started to I don't know if it's you or I I think it was you originally I was like yeah you let's put let's put everything that they try and cat into cow site yeah so I made a script that if you run cat with a file name it was a script that took whatever the contents of that file was and gave it to cows a so to be fair would cat the file oh yeah who is just inside of cow says bubble hilarious um so it's great eventually it ended up being cows a piped into law cats there's a point very very soon where I make the message of the day on their machines as they log in a cow say that says I'm really sorry I know it's coming up soon more FTP that FTP work basically till the end yeah yeah I think it just becomes they somebody either didn't realize completely out of mind they were like oh we fixed the password authentication so we're good golden but that was a good way in so we're still playing with this [ __ ] yes squirrel mailman popped up out of nowhere and and there's a squirrel exploit this should have worked but it wasn't working properly I remember as a ghost I played with it for a while and I think you played with it for a little bit this realize your your name for this director is just force the force is with you so moving through the report again to trying to explain what we're doing and how we're doing it and we did the exact same thing having the command execution that we already had those machines that aren't the patent exploit specified before them like well we can't we piece it through already which we were very pleased with so yeah starting now to again right two people will try and get some conversations I don't know it I don't know if that to them or not cuz that's their blue team account maybe that's us I don't know yeah that's so funny also when you were playing a red team exercise some things might just break or not work and you don't know like did I do that what's that done they just kind of or sometimes they blame you for something you're like no I didn't I didn't do that I didn't toss your box I didn't for bomb with the LS command so an interesting thing that I did that I think you're seeing here is every time I think it was every every few minutes or something like that I forget what exactly I did but it would call back out to me oh no it would recreate the file so I replaced bin slash bin slash cat and slash bin slash LS on one of the machines and then ever it was a cron job that every like minute or something like that it would put those files back again cuz they kept trying to fix them because not having bit cat and not having LS is really annoying but every time I put those fake files back it would also print out to wall like some message çal say it would just be like cows ate a wall of like some fortune message yes and so you do like every two minutes it which others you're I'm really sorry for every like two minutes you just see a cow say pop up with a fortune yeah this comes soon enough because we started to install lolcat oh and I just we were just playing yeah I just sit here and play my game for a little bit they hadn't fix it yet yeah yeah well our brief we can't we we kind of like just sat around and got a little little bored yeah why aren't they why are they kicking us out but what's your high score I played this for a long time another exercise that kind of was restrained on internet access so for like the the morning briefs in the morning meetings we I would sit there for an hour and just play thirty thirty two thousand some crazy when I was at a training and we also didn't have internet it is similar thing so I figured out how to edit the score I inspect elevate I found a JavaScript to edit the score lets so hold it that I had like a hundred thousand points or something oh my gosh it's awesome Bobby bird this is where I start to like do floppy bird so did we ever actually get it to work I don't know I don't because it's like nah it's not like we would know yeah you wouldn't be able to see you so for anybody doesn't know uh flappy bird is well flappy bird is a game obviously if you never seen flappy bird it but there's a wonder you're wrong there's a I guess you call it a port of that to literally x86 assembly that you can write to the bootloader of a disk and then reboot the machine and that machine is completely screwed but the nice part about that is that goodness is that you have a flubber game to play so it will reboot it destroys your OS but you have a flappy bird game to play in your bootloader and you hit spacebar you can actually play the game it's really funny somebody did it to us at pros vs. Joe's yes in the dough yeah turtle parish I just said that in bash RC and their their hoes like you can't you can't break out a lot it was so funny I'm really sorry [Laughter] Cassie looks so sad when he says I'm sorry so I hope that that was kind of fun I hope that was a quality training environment for the blue team because I think I don't know I hope there was enough learning that we were able to provide and the same morale I think a really cool thing was the learning during it cool yeah but then also afterwards they had the kind of dinner thing you're gonna sit down with the blue team that we were red teaming for and kind of they asked us questions we asked them questions like hey what did you do here to do this and they asked us oh we saw this we couldn't get you out here and they would ask us questions that was a really good back and forth I think at the very end of the day yeah I was really quality time for learning all your bass this is where this is where I think you start to do it just gives you that you had pulled like a list or yeah so I had a list of things it wasn't just the fortune command I pulled a list of different funny sayings that would just pop up yeah what I was trying to do was to get cows a with that fortune through wall cats to every terminal but interestingly wall removes all of your like escape sequences yeah so I had to find a different way to do it and I think you might be doing it as well so what we ended up doing what you'll see us kind of figuring out here is instead of calling wall since we had root access we just opened dev pts slash every single pts that's open and just sent it directly to their terminals just bypassing wall so it actually worked really well it was really funny we just sent all these messages directly to them and at this point so many things have been burned I'm ready to sure how much they saw of it yeah but we just send it to all the terminals it was pretty funny it's hard to imagine what they would be what they would be thinking like because I know especially when I played on the blue team side you just like put your head in your hands man yeah I just feel like I put put my head through fan especially whatever these arts know this machine we lost this machine I long it at this one I can't call LS cat or anything like I'll get this one I get a terminal parrot yeah I'm really so everybody have left this is where it is we're like are you guys doing all right oh he's doing this is where you were testing because you can see your format string in there yeah yeah and your quotes I started rolling through everything in the universe is either a potato or not a potato and we started to Google like how do we get wall the key Boris ape sequences no I mean you're totally fine it's a good-good explaining because the eventual solution we find is that writing it to terminal yeah directly to the pts it was just two toothpicks like dilithium crystals I can't wait to see these just to pop up in rainbow on your terminal with no way for you to stop it yeah wait I don't know how queries but yeah we're testing your patience reading terms and conditions yeah that's so good I found those by googling like reticulating splines cuz I wanted all those like sins Titan as yeah and it just goes everywhere I like you too if they saw yeah because the colors that mole cat gives are different yeah well cat every time okay so it was random but you're getting the same message yeah which is I think he's funny so I would I would generate a phrase and then iterate through all the PT s's and pipe the phrase to cows a tool all castellaw got to pick a random color even if it was the same phrasing yeah this is a technique that I thought and if I thought of and found really really fun I would cat have your random into the terminal so they're they're they're terminal biscuits yeah might see someone login I just like span garbage at them I was very very pleased with that and that is all the footage that I have for cyber force but with super fun there's cool see matrix the only way to end a video we're lead hackers and stuff dude of course as long but sweet Thanks I hope you had fun thanks for watching Internet [Laughter]
Original Description
If you would like to support me, please like, comment & subscribe, and check me out on Patreon: https://patreon.com/johnhammond010
E-mail: johnhammond010@gmail.com
PayPal: http://paypal.me/johnhammond010
GitHub: https://github.com/JohnHammond
Site: http://www.johnhammond.org
Twitter: https://twitter.com/_johnhammond
Watch on YouTube ↗
(saves to browser)
Sign in to unlock AI tutor explanation · ⚡30
Playlist
Uploads from John Hammond · John Hammond · 0 of 60
← Previous
Next →
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
Code Commentaries? PHP to JavaScript in Bash and PHP!
John Hammond
Tutorials? MySQL connection with PHP and Bash!
John Hammond
Variable Naming in Python! Happy Birthday, Linux! Nokia N900!
John Hammond
JavaScript Splits The URL!
John Hammond
HTML Tables in Python!
John Hammond
HTML, Net Shares, GML!
John Hammond
Python 08 Programming Style and Comments
John Hammond
Python 26 Object Oriented Programming
John Hammond
75 Python Tutorials, Out Now!
John Hammond
Batch 14 Mathematical Expressions
John Hammond
Batch 85 Array Append
John Hammond
Batch 86 Array Count
John Hammond
Batch 87 Array Index
John Hammond
Batch 88 Array Insert
John Hammond
Batch 89 Array Remove
John Hammond
Batch 90 Array Reverse
John Hammond
Python [colorama] 00 Installing on Linux
John Hammond
Python [colorama] 09 Cursor Position
John Hammond
Python [hashlib] 02 Algorithms
John Hammond
Python 00 Installing IDLE on Linux
John Hammond
Python [pygame] 11 Rectangular Collision Detection
John Hammond
Python [pygame] 12 Platforming Rectangular Collision Resolution
John Hammond
Python [XML-RPC] 01 Research
John Hammond
Python [pyenchant] 03 Personal Word Lists
John Hammond
FancyURLopener Authentication and User-Agent [urllib] 03
John Hammond
Python 04: PEP8 Coding
John Hammond
Python Challenge! 17 COOKIES
John Hammond
Google CTF 2016: Ernst Echidna
John Hammond
Google CTF 2016: Spotted Quoll
John Hammond
Google CTF 2016: Can you Repo It?
John Hammond
Google CTF 2016: No Big Deal
John Hammond
Google CTF 2016: In Recorded Conversation
John Hammond
Homemade CTF Challenge: 01 "Orchestra"
John Hammond
Homemade CTF Challenge: 02 "Bae's Base"
John Hammond
Homemade CTF Challenge: 03 "Web Hunt"
John Hammond
Homemade CTF Challenge: 04 "UPX"
John Hammond
Homemade CTF Challenge: 05 "The Assumption Song"
John Hammond
Homemade CTF Challenge: 06 "A Brisk Stroll"
John Hammond
Homemade CTF Challenge: 06 "I lost my password!"
John Hammond
web25 :: Mr. Robot : EKOPARTY CTF 2016
John Hammond
web50 : RFC 7230 :: EKOPARTY CTF 2016
John Hammond
misc50 : Hidden inside EKO :: EKOPARTY CTF 2016
John Hammond
Hack The Vote 2016 CTF: Sander's Fan Club [web100]
John Hammond
Hack The Vote 2016 CTF Warpspeed [forensics150]
John Hammond
Juniors CTF 2016 :: Black Suprematic Square
John Hammond
Juniors CTF 2016 :: Six Strange Tales
John Hammond
Juniors CTF 2016 :: Lost Code
John Hammond
Juniors CTF 2016 :: Here Goes!
John Hammond
Juniors CTF 2016 :: Southern Cross
John Hammond
Juniors CTF 2016 :: Clone Attack
John Hammond
Juniors CTF 2016 :: Dirty Repo
John Hammond
Juniors CTF 2016 :: Hackers Blog
John Hammond
Juniors CTF 2016 :: Voting!!!
John Hammond
Juniors CTF 2016 :: The Good, The Bad and The Junkman
John Hammond
Juniors CTF 2016 :: Stop Thief!
John Hammond
Juniors CTF 2016 :: ROFL
John Hammond
Juniors CTF 2016 :: Restriced Area
John Hammond
Juniors CTF 2016 :: Oh SSH!
John Hammond
HackCon CTF 2017 TRIVIA and BONUS Challenges
John Hammond
HackCon CTF 2017 "Bacche" Challenges
John Hammond
More on: Defensive AI
View skill →Related Reads
📰
📰
📰
📰
What I found when I ran a quantum crypto scanner on certbot
Dev.to · Sachit Madaan
Security Awareness Training Was Designed for Rare Attacks. AI Just Made Manipulation Nonstop.
Dev.to · Sonu Goswami
Parameterized Queries - The Only Real Fix for SQL Injection and What Developers Get Wrong About Them
Dev.to · Nchiminyi — Founder, Kriosa
We MITM our own email, on purpose: end-to-end encryption without touching the mail client
Dev.to · Jim
🎓
Tutor Explanation
DeepCamp AI