VOD - TryHackMe! Game Zone - Recreating a Metasploit Exploit in Python
Key Takeaways
Recreating a Metasploit Exploit in Python using TryHackMe! Game Zone, covering topics such as SQL injection, database exploitation, and privilege escalation using Metasploit and Python.
Full Transcript
for later but is it friday is it friday where all you guys are is it saturday is it thursday i don't know how time works and the other ends of the world um it's friday for me right now you guys might have seen it's about 11 p.m uh starting a little bit earlier than i have been the past couple days because the household was able to tone down and go to sleep a little bit earlier so uh that also means because it's the weekend i get to sleep in even more than usual so i just just stay up late just stream for even longer should be a ton of fun we should have a good time um i see a question coming in hey john i'm kind of new to cyber security i want to know what you look for in employers ooh so that's a totally super subjective question depending on whatever you are interested in what you are looking for um question for employers um so i have gone into remote work life uh even pre-pandemic like even before the whole world went crazy over c19 right um and i i think now that i've found the love and joy of remote work i will never go back to working in an office like i used to have you know i wear the khakis i'd wear the nice uh shoes i'd wear the button up uh i wouldn't wear a tie i was not a thai guy but i remember i showed up to like my first job in a suit because i was like i don't know how to i don't know how this works and then everyone was like guys john you lose the serve but it does have to be um you know like button up and khakis and looking all good and fancy uh question coming in no pizza tonight no pizza night no za so we did have za um we went over to caleb's house tonight um and we went to go see the new chongqi marvel movie super good if anyone hasn't seen it i would really recommend great fantastic movie the soundtrack was phenomenal lots of edm at least the the bus fight scene was stellar anyway back to your question white cyberduck i want to know what you look for in employers uh remote availability flexible time and understanding with life uh obviously typical benefits pto et cetera et cetera um what else do i look for in an employer i don't know i just appreciate them being normal and transparent and like a competent team you know what i mean i want to i want to work with other smart people or people certainly that are smarter than me so welcome everybody i see a lot of hello hello mike kalasen hello the reddit band i might have butchered your name michael i'm super sorry oh it's michael is on twitch dang i should have read that that's what happens when you try to stream at 11 o'clock at night thanks for your service hey thanks so much i super appreciate it i didn't do much i just kind of sat in a classroom i'll be honest but i i guess i had the ribbon and everything i had the i had the participation trophy the dd-214 let's start hacking yeah you're totally right man let's get to let's get to do some good stuff let's do something fun um yesterday we started working with try hackme and i think that would be fun to continue unless anyone wants to yell at me and tell me we should do something else but i would really love to do spencer spencer adolf it's great to see you my friend i don't think i don't remember you don't you dare you did cyber guard and cyber flag i i remember it well you also did my friend what are you up to these days spencer what do you what do you got going on in your life where are you at in the world uh moving to try hack me we should probably go ahead and connect to the vpn and we'll bump around i guess am i already oh goodness i was already in a split terminal uh i was prepping a video today because i was doing some recording i do have a video staged and ready it's a longer video and that's why uh i shared a i shared a oh goodness goodness what did i do i was on twitter and i shared a well fired up oh jeez come on twitter slash underscore john hammond which is me oh light mode sorry uh cover your eyes you vampires i know you can't see unless it's not unless it's dark or whatever um i posted this this poll what's your attention span i'll get out of here what's your attention's been cut off for technical content and video demonstrations how long of a video would you watch because um this is this is a thousand posts goodness uh the video that i ended up releasing is about an hour and a half i think i think it's an hour now and a half hefty hefty hefty boy i can't click on this apparently because i'm not logged in which is annoying also i was on the news today i don't know if anyone uh wants to see it it was kind of cool would you stop do i seriously have to log in all right let's uh let's go to the cam and then just log in i have a lastpass setup so it should be good there we go now i'm logged in incredible all that's all it took what is your attention span cut off oh so a lot of people are saying like the usual 10 minutes to 30 minutes but the thick boy videos are over an hour two hours that's what we're end up doing for the analysis one uh i'll probably release that on monday not gonna lie i was trying to think like what would be the right time to upload a video should you do it saturday morning are more people going to watch on a saturday morning like a weekend versus a monday morning you know it was a weekday uh but i don't know i need to do the editing uh finish it up just uh cutting it's like i had to record in two parts uh because i got distracted and had to do work things but um i need to finish it and then then i can post it but either saturday or monday i guess not saturday at this point because i'm going to do this for the whole night anyway i was on the news if anyone wants to go see you can check it out uh i was on cbs today which was super slick uh really really flattering to be able to jump in and join them as this video is going to play go ahead and mute this no it's already muted um we're worried about you know the weekend coming up holiday weekend are we gonna see are we gonna see more cyber crime as we would have uh between what was the steamship authority ransomware what was the uh obviously department of energy provider i'm not gonna name names in this case um obviously the managed service provider like supplier there was a lot going on so uh we see the trend are we gonna have are we gonna have more cyber crime cyber attacks uh this weekend so we're saying vigilant we're staying ready but it was kind of sweet and uh very very nice to be uh interviewed and hung out on the news so all right all right we should we should hack some stuff we've been bantering for too long guys so uh let's close that one down there and let's get to nfs ctfs try hack me i'm missing a lot of chat though what's going on on the news yeah thanks so much congratulations thank you thank you so much you think there's definitely gonna be more cyber crime this weekend yeah yeah oh the question is this is great john were you nervous so uh yeah blades is saying pretty sure you were on tv here a few weeks ago when you discovered the other virus oh you might be thinking about other ransomware and said yes i i've done a whole lot of other public appearances um being on the radio being in news articles talking to reporters um cbs and nbc etc so really really flattering very very cool but was i nervous i was a little bit nervous this time because it was a super quick turnaround they were like john are you available for a video interview on the news in the next 30 minutes and i'm like uh guys let me do my hair let me do my makeup i need to clean myself up and not look like i'm homeless uh but we have fun uh all right so we're connected to the vpn um and we oh man i still have all this stuff open google chrome oh you're ruining the surprise for the video guidra open sublime is open let's clear this stuff out let's uh get back to chrome let's go to try acme blades the blades do are you someone that i know that's a super weird question but you just said hey now that got john on pl on speed dial they said that they literally said like john this was this was pretty good man you know you weren't all that bad you weren't awful john we would like to keep you on the decks we got you on speed dial uh have you done down the rabbit hole jason excuse me spencer adolph is asking just knocked it out today ah i don't think so are you referring to like the looking glass ones or the alice in wonderland themed rooms because we did one of those on um in a youtube video and that one was wacky but i've been working through the offensive path okay we are connected and perfect um at least that's where we left off yesterday so we finally have a one day streak on troy hackme uh blades please i'd like to say yes i do know you one person but no i just follow you well i super appreciate thank you so much um when you when you literally said john they have you on speed dial now i'm flattered because they they said that hopefully we'll get to do more media appearances pretty soon i i appreciate it i hope i don't make a fool of myself and look like an idiot but you know what it comes with the comes with the territory failure and i are childhood friends i don't have any issue making a fool of myself out in public because i just do it all the time it's literally my job literally what i'm doing right now uh so what are we up against let's do this game zone room trying to continue on the beginnings the basics of the offensive security path and try hack me it's september 3rd right now you know slapping a little date on there we have an ip address ready for us uh can i ping this machine yep okay looks like we got good connectivity let's make a directory nmap so we can just get started with an nmap scan try to see available ports i'm going to use tak sc for default scripts attack is veto numeric versions tack o and output in the nmap format and i'll put it in the map directory that i just created with the file name called initial do it deploy the machine and access its web server uh okay so i'm gonna assume there's something listening on port 80 yes there is what is this where am i what a lorem ipsum a lot of nonsense content here fake stuff who's that girl who's that i'm just kidding deployed and i access the website what is the name of the large cartoon avatar holding a sniper on the forum i have no idea who is that i'm hit control u to view the source would tell me like a file name image01 uh no what the who is this person hitman i it look it might be hit man but that's not what i should be filling in here she's like john play some games dude what are you doing oh agent 47 that looks like it's what it might be now how would i naturally figure that out like we could view the page source and we could look at images but that is an enter gif that is a site search gif and neither of these are images that i want to be looking at we could do like a reverse image search but is it loaded in the style where the files might be yeah yeah yeah images header images maybe that's it are you the boy oh come on get out of here i i clobbered one of the forward slash yeah it's this guy it's this guy so let's save that image in temp oh i'm already in temp fantastic so let's try to do images.google.com and do a reverse image search uh i clicked on the microphone let's upload an image from that temp directory temp and that was a header image.png so let's see if google would be able to tell me who this might be walterwa 2000 or waltherwa sniper is agent 47's sniper rifle okay so agent seven must be the guy and the sniper rifle must be the gun uh but yeah i don't play games i play rocket league i'll be i'll be i'll be totally truthful and honest about that i play rocket league and super smash bros those are my video games of choice i used to play a lot of call of duty when i was a kid but i still am a kid i'm just kidding i'll be a kid until i die yeah we don't we don't need to freaking put that in there what is a section called task one deploy boring boring notes does anyone know and i and i mentioned this in the previous video the previous stream that we were doing there is a utility there is a couple tools out there that will like over on github maybe maybe it's a github try hack me note uh generator or room notes hosted a reverse shell there's a utility that you could give it a room identifier like game zone and then it would pull down and generate everything for you like give you all the prompts give you everything for you to fill in uh this is not exactly what i want to be looking for no no john looking for a third and drop shot i don't know what that means demonstrator says i have a 96 day streak and try hacking right now i got 90 the other day and they held the last giveaway not a position to buy a subscription i was really hoping to get one didn't get one though oh dang man i'm super sorry drop shot in rocket league oh i see maybe i'm not like i'm not i'm not a good gamer i have no idea all the lingo and terminology how do i even search for this thing how do i search for the try hack me um room prep [Music] it's not important i don't need i don't need to go down this rabbit hole but if anyone happens to know what uh tool i'm thinking of where you give it a name and it will just generate a markdown file for you to fill in that would be ideal in this task you'll understand more about sql or sql the structured query language and how you can potentially manipulate queries to communicate with the database so this is a looks like a classic sql injection technique or like the boilerplate vanilla thing sql is a standard language for storing editing and retrieving data in databases a query can look like so select star or asterisk or all from users where username equals sum parameter and password equals other parameter the colons here looks like they got weirdly messed up want to switch low uh your hack reminds it with an awesome game arsenal sounds like a deal man and game zone when you attempt to log in it will take your imported values from the username and password and insert them directly in the query above if the query finds data you'll be allowed to log in otherwise will display an error message here is a potential place of vulnerability as you can input your username as another sql query this will take the query right place and execute it i understand what's up matt how's it going m alpha let's use what we've learned above to manipulate the query and login without any legitimate credentials so the whole gist behind sql injection um if i'm explaining it and some folks aren't familiar you let the program or the application that's offering you this interface this website that's serving these web pages when you give it input you have the back end confused what you provide data right as input you you confuse the application because you start to put in legitimate code like real sql language that would interpret so that's that's what they show you this example if we have our username as admin and our password is single quote or one equals one and then two hyphens here it will inter insert this into the query and then understand that our password has now been negated that we aren't supplying any password but we're using an or with a query with a condition we say or one equals one which is a condition that's always true right one will always equal one constant value uh and that's what makes this thing break the exo sequel we inputted as our password is change the above query to break the initial query and proceed with the admin user if one equals one and then comment out the rest of the query to stop it from breaking gamezone doesn't have an admin user in the database however you can still log in without knowing any credentials using the inputted password data we used in the previous question use or one equals one as your username and leave the password blank when you've logged in what page do you get redirected to well that was kind of a bad explanation uh for me to try and explain sql injection right away but let's try and use that simple inject right there or one equals one as our username password can be literally anything because we've commented it out let's hit enter if you ever run into dc models on rl you've found a friend uh i don't know who what that might mean dc models did i screw up the sequel injection literally gave me the payload to use or one equals one as your username which is what i did it's not case sensitive for some reason is it this password what the [ __ ] does it need does it literally just need password to be empty okay what does it need there get out of here lastpass i think it literally needed the sequel to be lower case what the f uh astral voyager is asking what if they just used a regular expression for the password wouldn't that circumvent sql injections um it totally depends because if you're still inputting the user input variable like right in place within the query you are still going to end up being vulnerable to sql injection by like concatenating the strings for the data uh if you were to check with a regular expression against the password that would still work fine as long as you are uh making sure you use like parameterized statements or prepared statements or whatever other sql mechanisms you can validate and not just concatenate or drop in the variable representation i see blades trying to post a link in nightwolf or excuse me nightbot i'm super sorry nightwolf uh this is a small script for extracting data and creating a markdown file ooh blades this might be it try hack me question crawler this might be wonderful oh you got to use selenium that's kind of janky but you know what i'll i'll deal let's do it let's let's let's mess with it um let's move into this let's get clone that boy try hack me question caller why does gecko driver need to be executable you know what i'm not gonna ask questions i'm just going to arbitrarily run rogue python code that i found on the internet without validating it whatsoever i'm kidding i'm kidding even though i literally just did that you shouldn't do that everyone's like sean how could you do this all right pip three what are you doing dude what are you doing um pip3 occasionally does weird stuff like pip occasionally just does weird stuff when um ipv6 is not enabled so i have a thing to fix it for your fix pip install yeah if you disable ipv6 which i think i actually have set but maybe i don't let's find out yeah okay now he's like sweet let's go my virtual machine does weird crap with uh ipv6 for some reason enter the url for the room okay uh try hack me room game zone slap that bad boy in there enter output name with file path uh test.md this is kind of janky what are you doing what the heck it's already dead it's already not working yeah maybe it needs a dot slash do you think i guess it was asking for a path but local variable style reference before assignment where is style it's literally defined globally why are you using a shebang line like that you need to do user bin environment python blades where did you find this code i'm kidding i'm kidding i'm not absolutely not uh throwing flack at you for this that's just really funny style equals that if raw that's in a function so let's freaking just global that style thank you so much that's super sweet jay malone uh j melon not sure how to pronounce your name forgive me uh it's global style globals globe global blah blah and let's convert that all to spaces because that's what it needs yeah global variables are just frustrating and annoying i know but um we just did the python3 thing enter the url for the room we'll grab that yet again let's do the dot slash test.md see if it will behave hey the chiller instinct thank you so so much did you did you see the interview before i was talking about it just previously because i would be very flattered if you if you just happen to see it on your own this script is not going to work at least not like right off the bat you know what i mean maybe maybe i should read the readme url output file do you think it would behave a little bit better like take it from the arguments maybe dot slash test on md maybe nope still cries whatever whatever thank you for the effort blades oh yeah nightbot is being whiny let me can i post it or was my will nightbot yell at me thank you so much surely sirius i appreciate you posting the link i'm sorry nightbot yelled at you someone needs to put nightbot to bed all right whatever we've logged in we get redirected to portal.php that is what we can go ahead and submit here this is still the task 2. dunzo okay uh let's carry on they're gonna have me use sql map now which is a little silly and annoying but i guess we can do it we're going to use sql map to dump the entire database for game zone using the page we log into earlier we're going to point sql map to the game review search feature first when you intercept a request made to the search feature using burp suite no get out of here burp sweet i don't care about your crap save this file into it save this request into a text file we can then pass this into sql map to use our authenticated user session you just use it tac r to use that request uh dbms will tell you the database management system i might be getting that acronym wrong that tells sql map what types of database management system i said it dump attempts to output the entire database super easy super cheesy super peasy um sql map will do it so let's mess around with sql map um i happen to have sql map i thought do i not have sql map opt sql map nope belay my last i do not have sql map let's grab it from github um i gotta check up on chat petition virtual hack me to require template markdown files for answering questions that would be ideal agreed spencer thanks so much that we can get from this guy if you haven't heard of sql map before it's an open source penetration that's cool it automates the process of detecting and exploiting sql injector floss yeah uh butterfly says hey it was fun competing against your team at red team files uh run team village finals team yeehaws here nice thanks so much congratulations on however you did um how does cbs have worse video quality than twitch uh we we had a zoom interview so you know there's that all right uh we should be get cloning this guy i see a couple followers coming in thank you guys so much for uh doing those twitch algorithm things i'm so used to saying hey do the youtube algorithm things but now i have to say do the twitch algorithm things guys we're pretty close to uh trying to hit an affiliate or partner which selfishly is something that i'm excited for and want right can i run sql map dot pi yeah all right so it looks like we got that all good oh butterfly took 11th place rock solid guys fantastic hooking waffles honking waffles says yeah then we can throw money at you i would be very very grateful but it is absolutely not necessary uh all my stuff is for free but i super appreciate all your support all right we got sql map going we want to get to the site search functionality after we've logged in so let's do that order one equals one for some reason has to be lowercase log in and then on the portal why why is you not i don't understand it needs like the extra whatever search for a game review should be here let's try and use the network tools tab so we can just test something here so we can search for that and see the request come through and now can i right click and copy request headers to get like what it would be because i think i should be looking for like a request.text and yeah it's literally this so we could just pass this to um well we need to i guess get the parameters as well don't we why is that not included in the copy copy as fetch copy as curl copy is hard what is fetch oh disgusting it's no it's it's it's javascript stuff get out of my life i'm kidding i have a lot of respect for you javascript people if i dare call you people so yeah we need to we need to actually include the parameters here so search item should be equal to this thing [Music] how about that uh blades or thousands it's actually something you might want to consider i searched for hacking and pen testing on twitch a few days ago and you didn't appear just did it again you still don't show in the results uh-oh how do we uh how do we modify that there's a try hack me section on twitch what the heck i didn't know what so once we finish this room we should totally um you should school me on how to do those twitch things i'm typing random things right now sqlmap.pi let's do a python 3. we want to use hack r with that request.txt we want to use dbms sequel which makes no sense to me because we literally just used a sql map a sequel light uh syntax not sql map for the comment there and then tactic dump we need the url oh i guess we don't know because we have the we have the request in there so let's let's just use dump and let's see if it finds anything boom here goes sql map lighten it up while that's going i guess we can go to twitch twitch twitch twitch.tv so if i search for like pen testing or hacking hacking hacking esports where am i how did i get to pools and hot tubs i'm leaving fbi open up you guys keeping me honest here what are you doing sql map you're just hanging out i feel like i have to hit enter just nudge you along yeah this is hogging officers like twitch yeah welcome to twitch maybe we should do some hot tub streams that would require me to have a hot tub all right we dumped the database all right this is disgusting to try and look at well we're cracking hashes why are we why are we cracking hashes did i tell you to do that oh i probably did i just hit enter repeatedly um so we avoided using burp suite which is always something that we should strive for in life your goal never use burp speed there we go we have a password here that it was able to find and the user's table what's the hash password that thing why avoid burp i had to watch your video to get the burp basically i mean i probably have uh unreasonable distaste for it i don't i just feel like it's clunky i just i would rather have more control on the command line or with python or something maybe i'm have no foundation behind me raging about it but how do hackers socialize well today i went to the movies um today we [Music] took the dogs out for a walk tomorrow we're probably gonna go it's like a coffee shop to do some work you just you just you just socialize that's it that's all you do uh which movie yeah we went to go see the uh shang chi the new marvel movie super good i was uh i was whining about it in the beginning of the stream not whining i'm literally joking but other table name is post that's what that question was asking for super good it had a lot of fantastic soundtrack they're saying how was the movie i loved it i so i watch black widow and i'm obviously not going to offer any coffee i literally just read michael's on twitch phil's coffee comment and then i just said the word coffee because that pops into my head um i'm not going to drop any spoilers or anything but i think i really like this movie even better than black widow i don't follow the whole marvel universe comics i don't know if anyone else does but the um completed i let me let me end this train of thought the eternals movie the eternals movie the new one that marvel's gonna bring out i like i don't know those characters at all i have no idea all right let's get back to what we're doing we just used sql map to dump the database because of the sql injection vulnerability that we found in this application now we're gonna end up using john the ripper to try and crack that password hash john the ripper is a fast free and open source password tracker it's also pre-installed in all kali linux machines we'll use this program to crack the hash we obtained earlier john the ripper is a 15 year old program old other programs such as hashcat are one of several other cracking programs out there i didn't realize john the ripper was that old this program works by taking a wordless hashing with a specified algorithm and then comparing it to your hash's password both hash passwords are the same it means it found it you cannot reverse a hash so it needs to be done by comparing hashes okay so we could use the roku the word list and try and just let it figure it out right let's create a hashes.txt file and i am running john from john the ripper stored in my github repository so let's run opt john run john tag tag word list can equal up rocky.txt because that's where i leave that word list and let's do it against hashes.txt i apparently don't have optrocqueue.txt that's extremely surprising do i need to download rocky.txt what kind of what kind of cyber security person am i oof don't worry just three minutes left no it's cruising it's going to 15. um john hammond should maybe add a discord uh command for twitch i totally should i need to do some of the nightbot things uh yeah i need to add a lot of commands i absolutely do can i open nightbot like on twitch or is it gonna show any sensitive stuff and i'm asking that genuinely as a question for you as the as a chat uh i an actually truthful answer am i gonna offer any sensitive information by doing that yeah what in doubt second stream early should uh i need to move the downloads rocky.text into opt i just gave you the chat a lot of trust and a lot of responsibility and i'm grateful that you didn't take advantage i'm kidding i mean i am grateful but i'm just meaning oh if you by mistake do the api stream yeah john said it he watched shang chi yes i saw it just today it was super good uh this totally failed what kind of hash did you try we probably need to tell it raw to shoot shot 256. now we could tell this was raw shot 256 by viewing it because it is in hex um and it is 64 characters in length that's a decent indicator you could use like name that hash or um the hash identifier but name that hash i think is literally by isn't that by b yeah it's by b b son who's a great person and i don't think i even have that set up so okay everyone's saying just don't go to the settings page that will leak your user id in nightbot if you could just go to commands custom then you're fine okay uh so you guys can teach me how to do that once we're done this room how do i use this utility oh i can just straight up install it and that's it is there a name that hash thing or do i need to python tag m name that hash module not found rich why the frig do we not have rich totally going to install that thing wait wait what oh i just because i was using python on its own duh um can we just make him a twitch butt yeah that's totally fine this is a vm in a web browser so you have a cali vm to use within a web browser go try out a couple intro videos on youtube nice yeah okay um with that said i i i do want to just go ahead and friggin install this uh globally i don't i don't have that concern so if i were to cat out the hashes that we have which is this guy we could x clip that or copy and put it in our terminal but if i use ntm name nth name that hash now slap that in how do i use this uh python3 named that hash oh tact text that's silly i mean no it's not it makes perfect sense but most likely shop256 agreed yeah every yeah i'm sorry everyone that's jumping in just like john your nightbot is not being a nightbot i am new to the twitch realm to the twitch world so uh i'm publicly making a fool of myself for you all to enjoy and once we're done with this room which hopefully shouldn't take us all that long we can go ahead and set up those commands for you guys wow john the ripper crack that like butter if you could crack butter i mixed some weird weird analogies there um now you have to do mr wesley crusher's like wait a second john are you saying that you've never cracked butter before what planet do you live on man i never took track of the ip address alright so let's slap that in let's use agent 47 yes and the password was video game one two four or video games video gamer with an r i don't know my abcs when i was a kid i dropped a container of country croc and it broke does that count you don't have affiliate on twitch yet i do not i would love to show you the stats uh i think i could i don't know there's nothing sensitive on that is there let's just get to twitch.tv i'll just screenshot a thing hype train i don't know what you're saying yeah stats are fine to show stream creator dashboard i think here we go you're almost an affiliate why won't you tell me the rest path to affiliate and path to partner yeah we could review both of these if we wanted to let's open this in microsoft paint here we go this is what we're looking at ladies and gentlemen oh crap did i kill the stream no you're good it's which makes you click show before you leave your stream yeah so uh reach 50 followers i think we're well okay above that um stream for eight hours we are gonna get super close to that stream from seven different days we're on our way so yeah just just a little bit more average of three viewers i don't know if we're gonna make that soon soon tm soon trademark uh yeah but then we have to get we have to get partner so if i can make it playing with wood on the lathe you can too now that you have a password and username so we're logged in we have to staged in we have ssh you guys are distracting me it's a problem with chat we have a user.txt file right here i need to be able to submit that flag so sorry hydrogram for displaying it publicly i know everyone gets mad at me i know into the music exposing services with reverse ssh tunnels whoa we're going to end up using some ssh stuff all right cool reverse ssh port forwarding specifies that the given port on the remote server host is to be forwarded to the given host and port on the local side tac l is a local tunnel which means client going to you really hard to visualize and kind of get wrap our minds around this if a site was blocked you can forward the traffic to a server you own and view it for example if imager was blocked at work you can do ssh attack capital l 9000 imager.com on port 80 user at example.com going to localhost 9000 on your machine will load imager traffic using your other server tac r is a remote tunnel which means you to client you can forward your traffic to the other server for others to view similar to the example above but in reverse that's kind of hard to process as you read it but we will use a tool called ss to investigate sockets running on a local host you could normally use netstat however netsight is meant to be deprecated on linux so we'll be using ss and then tl tul realistically you can use peanut uh p and u-t that's how i remember literally peanut uh and then you can add an l now or l peanut that'll tell what socket connections are running and that's all you need how many tcp sockets are running well let's use ssl peanut and tcp we have one two three four five if we want to do a sanity check on that we can grep for tcp and then we can do a word count tack l and a good thing i have five so peanut they call me l peanut l peanut makes it sound uh like a macho like like a wrestler i want to say from a specific origin but i don't want to be uh maybe a little too charged in the statement yeah lp not day we can see the service running on import 10 000 is blocked by a firewall rule from the outside and you can actually see that because we are listening uh never mind we can't see that how could you do that we can see this from the ip table list what do you mean do you mean running iptables list iptables how do i just display uh the current rules oh attack list rules or tag tag list imagine that tactic list why oh you must be root you mid-avon is saying i prefer tolpin are you just like used to typing that on the keystrokes or something i don't know so anyway we won't be able to reach port ten thousand uh maybe we couldn't see that when we were to run our nmaps maybe that's why the issue is there however using an ssh tunnel because we have access we can now expose the port to us locally from our local machine run ssh tac l 10 000 to 10 000. odd i'm i'm conf oh because you from our local machine you map localhost uh to the ip on that host when you connect to it if that made any sense yeah yeah ridden house just says i just i just learned using tolpen and you're just used to it that makes sense you gotta do what you're used to but in case you had struggle if you struggled remembering it and just had trouble what the heck can i attack nfs cts now you can use peanut to remember it so there's that game zone ssh tech l 10 000 go on a local host ten thousand he had ridden houses like i'm gonna remember l peanut forever he's gonna haunt my dreams agent 47 video gamer one two four whoa cannot assign requested address is that just because it's ipv6 was that having a problem on strictly ipv6 yes so ipv4 works just fine it looks like we have a webmin uh page here which will very very likely be vulnerable in fact i'm kind of curious what version this is a version of webmin because it looks god old i don't care enough to control after that what's the name of the exposed cms webmin yeah oh well we did just kind of turn off ipv6 on this host not gonna lie we literally just did that we were trying to install something with pip and the virtual machine was like oh i don't know how to network anymore so we just killed ipv6 i literally have those commands saved um because i tend to mess with them oh i do need to find out the version aye aye um if it doesn't like readily display in the um like page here something that i like to try and do is to view the cascading style sheets or the javascript files or other static files to um john can you name more funny security mnemonics yes as a matter of fact i can and this is probably the only other one that i can offer you if you like to use f crack zip to crack zip passwords don't you forget the correct parameters that you have to pass are udp which you could often remember because of udp like the user datagram protocol uh and u can be lowercase p can be lowercase but the d the d is a big case he's a capital one that's your funny security mnemonic from john [Laughter] don't you just love when we do twitch twitch streams everyone now everyone's going on everyone's going on yeah this is the real content that you guys wanted wasn't it uh what okay okay actually what version of webmin is this not gonna lie there's nothing that's displayed in this nothing that's displayed in those static pages so let's check a a http header will that tell me out of 200 mini serve 1.58 but that's the server that's not webmin strictly on its own is it looks about 2008 time frame yeah it looks seriously pretty old you guys are just going off on this joke now what have i done is it 1.580 is that what it's asking for 1.580 wow okay i'm good um i don't know if that's strictly webmin but i mean i guess so i don't know if that's really counts because it's mini serve it's not webman but tada now we can do privilege escalation via meta split using the cms dashboard use metasploit to find a payload to execute against the machine why not just use search splits let's do search exploit on webmin oh god many many things uh okay so we have a file show cgi remote code command execution medisplay module and nothing else supposedly that's stupid we should try and write our own what is this what does this module do all right let's let's copy this over here in this current directory and then let's take a look at what this thing does because i don't want to have to deal with metasploit i mean like we could but there's just no reason do you really think we need to log in do we have credentials are we are we gonna use the same credentials that we were using previously because that would be i mean you know what i'm not going to put it past them video gamer one two four yeah that's apparently it okay so then we just execute a command with a specific request and that's it and that's little yet okay uh it's just code execution in the url it looks like so let's let's try and just let's just try and recreate this if you guys want if you guys don't if you guys are fine with that okay so if you guys don't mind what i would like to do and i gotta be honest this is just me getting to like human john uh stage um i would like to take a drink and then i'd like to go to the bathroom and i'd like to return in like two minutes is that a okay is that cool with everybody is that totally fine i'll put up the like elite watch tack n echo uh oh [ __ ] john will be right back why the oh oh because that needs to be a one yeah you guys want to use some c matrix in that too don't you i got you i got you we we we should start up a new terminal so we can do echo watch attack n this is important like three minutes give me give me three minutes to chill screw you the parentheses weren't letting me have it that's funny all right yeah yeah at this point john you'd already be back quality content all right i'll be right back everybody i'm sorry stand by please thank you i love you [Music] [Music] [Music] [Music] hey everybody you still hanging out with me are y'all still with me john is we can remove that decal thanks so much i was uh i felt i felt subject to the human condition and needed to go to the bathroom so i guess that's what happens when you do a live stream you know i guess what happens when you when you really do yeah you fell in you felt you fell john [Music] uh that's what happens when we do it for real uh catching up on the chat still working through the complete bit of getter module digging into the microsoft blog post that came out yesterday around the solarwinds breach ooh is that any new like threat analysis any thread intel or details i don't know i should check that out i have um the solarwinds dll the one that was backward for the orion breach that's in my uh malware folder um [Music] miscellaneous solarwinds solarwinds solarwinds orion business layer i have it right here i need to make a video on that i really yeah i know we can see you're fine i would be really cool to make a make a video walking through some of that but anyway let's get back to what we were doing so uh there is it looks like from from running search point as we did was was that this terminal was that that was this terminal search plate when we did a search plate webmin uh we saw that there was one result for this 1.580 show cgi exploits however that's just a metasploit module and metasploit is stupid just kidding i love it it's fantastic it's great you should use it uh and rather than using just some off the shelf one on github but let's go ahead and create an off-the-shelf one on github um to make this nice and formal let's go ahead and create a github repository for this thing we should we should keep this all for real you know what i'm saying create a new repository uh we'll just call it cve with the proper cve number um a python replicated exploit for webmin 1.580 uh what was that that was file show cgi remote code execution do it cool let's clone this thing and let's work with it excuse me whoa bump the microphone uh question that came through hey john have you ever done bug hunting i have not truthfully done a whole lot of bug bounty um i just i haven't made the time for it and i don't know if i will anytime soon i think i would like to um in the future like maybe five or ten years down the line but right now uh just not gonna pull it off checking search spit for webmin 5.80 i only saw a metasploit module for the uh file slack show.cgi remote code execution attack on that legacy webmin version this code is an attempt to recreate that in python without using metasploit all right so if we were to end up recreating uh what this metasploit library does realistically it's kind of just a matter of walking through and seeing how it does it and just doing it in python so i'll create a little python script use your bin environment python um and let's import requests because we know that we're absolutely going to end up using that and let's actually import arg parse because we know that we are going to end up using that so arg parse can create an argument parser so we can take in stuff from the command line right as we were using it and that is argument parser as the object that we need i'll call that parser and then let's add some arguments that we know we will need we know that we will need the host um and i think that help is what that would display help the host of the target let's make that our host realistically the webmin 1.580 uh targets and then we need our port uh that type should be oh oh thank you m alpha you immediately immediately found my weakness making me realize uh forgetting the python 3. the port that hosts webmin web web webmin 1.5.0 correct um parser.parse args args and let's just verify that this works please ad argument cool yeah so our host on our port perfect um can i make this default to none is that okay so i can check if args dot r port is equal to none prin let's determine if it's present in our host if args.host um let's do a a colon in that just to verify then we can do a uh host equal wow oh my what am i [ __ ] thinking host.port equals args.r host dot split colon theoretically correct john what's crack-a-lacking um you know just goofing off the qr code on your shirt is a rick roll isn't it actually the qr code evaluates to the string um the qr code evaluates to the string installing malware uh kitten rzx says kitten zizik says you could just do if not ours part port and that's exactly what we should do so yeah yeah an important it's just kind of a fun joke [Music] i don't want that to be required how do i so i'm i'm honestly kind of bad with our parse uh documentation if i set a default why would that not use it i wanted that to be optional do i need to have it be like attack tack required equals false look at you guys you're the best wait wait wait [Music] let's make these optional and then let's use tac p and tactec port how about that how's that look conflicting oh gosh you stupid let's make it target namespace has no argument report because it is now called port and that is now called target and that is now called target none type is not iterable uh that should be supplied args.target oh that actually needs to be required not gonna lie so required can equal true on that yep yep yep okay one two seven zero zero one um [Music] let's import sys so we can use proper assistant send it out centered dot right where's required cool and then let's exit negative one cool security live rating with a party thank you so so much for coming to hang out security live and everybody i appreciate you jumping in we're just goofing off as usual uh blades says a warning went retreat retweeting uh the pen and don't wait for it to autofill understood alrighty happy friday yeah yeah let's get the weekend going uh we've done some decent um syntax work now so let's try a we could we could print just fine i think and let's use an f stream targeting host uh host else let's add an else in here to make that stupid and dumb host can equal args dot target and port nicholargs.port [Music] i think that's fine and we should also realistically add a command that we want to run um so that should be taxi attack tap command the command to run on the target we don't need a default there but we do want to make that required just as well targeting host on port should we have the colon syntax there or should we just display the port i don't freaking know now we need to attack command let's run who am i port is not defined that should be because i have a typo there we go i looked away for three minutes cool so doing this now we could uh we should also probably add a ssl argument attack s tact ssl um whether or not we should use ssl if um let's do if host dot starts whoa starts with http colon slash then host dot l strip does that work http colon slash i think that's work i think that won't work schema can then equal that oh i hate reusing that string over and over and over again but kind of necessary so schema can equal https yeah else schema can equal http go and colon i think that's a-okay yeah oh that should be not required how about that target host that cool perfect so url can then equal schema host colon port slash we need to log in oh we also need a username and password dear god yeah you're totally right kittenzima for schema in thank you for making me a more pragmatic programmer i appreciate you so we can remove the schema and make sure we set that we don't actually uh yeah yeah um i don't want to reuse the same variable names there but i feel like i probably should schema type how about that will that maintain i don't even know nope it won't uh loop scope please dear god does that does that do we get do we maintain the schema no oh no type 145 what 44 schema equals schema schema type thank you back see programming everybody that's why we do this live on twitch and now we need to actually define it will it maintain no because it's in the for loop uh python uh variable scope in for loop um do you guys understand the problem that i'm facing uh i want to maintain this is there a way to do that that i'm just not thinking of am i being an idiot as usual i could use that disgusting scoping library but that seems stupid break so we loop through the two potential schema types using http or https if host starts with any of those schemas we'll remove it from the host variable because really we want to be able to pass in a url if we would like to and we want to maintain this schema whether or not it was http or https so we can use that variable to build out the actual link we should also try and strip uh trailing slashes on that and realistically we should make the port an integer if we can try to but make a function return it that sounds so stupid but but it seems so unnecessary yeah yeah uh c
Original Description
For more content, subscribe on Twitch! https://twitch.tv/johnhammond010
If you would like to support me, please like, comment & subscribe, and check me out on Patreon: https://patreon.com/johnhammond010
PayPal: https://paypal.me/johnhammond010
E-mail: johnhammond010@gmail.com
Discord: https://johnhammond.org/discord
Twitter: https://twitter.com/_johnhammond
GitHub: https://github.com/JohnHammond
Watch on YouTube ↗
(saves to browser)
Sign in to unlock AI tutor explanation · ⚡30
Playlist
Uploads from John Hammond · John Hammond · 0 of 60
← Previous
Next →
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
Code Commentaries? PHP to JavaScript in Bash and PHP!
John Hammond
Tutorials? MySQL connection with PHP and Bash!
John Hammond
Variable Naming in Python! Happy Birthday, Linux! Nokia N900!
John Hammond
JavaScript Splits The URL!
John Hammond
HTML Tables in Python!
John Hammond
HTML, Net Shares, GML!
John Hammond
Python 08 Programming Style and Comments
John Hammond
Python 26 Object Oriented Programming
John Hammond
75 Python Tutorials, Out Now!
John Hammond
Batch 14 Mathematical Expressions
John Hammond
Batch 85 Array Append
John Hammond
Batch 86 Array Count
John Hammond
Batch 87 Array Index
John Hammond
Batch 88 Array Insert
John Hammond
Batch 89 Array Remove
John Hammond
Batch 90 Array Reverse
John Hammond
Python [colorama] 00 Installing on Linux
John Hammond
Python [colorama] 09 Cursor Position
John Hammond
Python [hashlib] 02 Algorithms
John Hammond
Python 00 Installing IDLE on Linux
John Hammond
Python [pygame] 11 Rectangular Collision Detection
John Hammond
Python [pygame] 12 Platforming Rectangular Collision Resolution
John Hammond
Python [XML-RPC] 01 Research
John Hammond
Python [pyenchant] 03 Personal Word Lists
John Hammond
FancyURLopener Authentication and User-Agent [urllib] 03
John Hammond
Python 04: PEP8 Coding
John Hammond
Python Challenge! 17 COOKIES
John Hammond
Google CTF 2016: Ernst Echidna
John Hammond
Google CTF 2016: Spotted Quoll
John Hammond
Google CTF 2016: Can you Repo It?
John Hammond
Google CTF 2016: No Big Deal
John Hammond
Google CTF 2016: In Recorded Conversation
John Hammond
Homemade CTF Challenge: 01 "Orchestra"
John Hammond
Homemade CTF Challenge: 02 "Bae's Base"
John Hammond
Homemade CTF Challenge: 03 "Web Hunt"
John Hammond
Homemade CTF Challenge: 04 "UPX"
John Hammond
Homemade CTF Challenge: 05 "The Assumption Song"
John Hammond
Homemade CTF Challenge: 06 "A Brisk Stroll"
John Hammond
Homemade CTF Challenge: 06 "I lost my password!"
John Hammond
web25 :: Mr. Robot : EKOPARTY CTF 2016
John Hammond
web50 : RFC 7230 :: EKOPARTY CTF 2016
John Hammond
misc50 : Hidden inside EKO :: EKOPARTY CTF 2016
John Hammond
Hack The Vote 2016 CTF: Sander's Fan Club [web100]
John Hammond
Hack The Vote 2016 CTF Warpspeed [forensics150]
John Hammond
Juniors CTF 2016 :: Black Suprematic Square
John Hammond
Juniors CTF 2016 :: Six Strange Tales
John Hammond
Juniors CTF 2016 :: Lost Code
John Hammond
Juniors CTF 2016 :: Here Goes!
John Hammond
Juniors CTF 2016 :: Southern Cross
John Hammond
Juniors CTF 2016 :: Clone Attack
John Hammond
Juniors CTF 2016 :: Dirty Repo
John Hammond
Juniors CTF 2016 :: Hackers Blog
John Hammond
Juniors CTF 2016 :: Voting!!!
John Hammond
Juniors CTF 2016 :: The Good, The Bad and The Junkman
John Hammond
Juniors CTF 2016 :: Stop Thief!
John Hammond
Juniors CTF 2016 :: ROFL
John Hammond
Juniors CTF 2016 :: Restriced Area
John Hammond
Juniors CTF 2016 :: Oh SSH!
John Hammond
HackCon CTF 2017 TRIVIA and BONUS Challenges
John Hammond
HackCon CTF 2017 "Bacche" Challenges
John Hammond
More on: AI Security
View skill →Related Reads
📰
📰
📰
📰
ECB Gives Banks Four Months to Prepare for AI-Powered Cyber Threats
Medium · Cybersecurity
A hospital network went dark at 2 AM. Here is what the next 72 hours looked like.
Medium · Cybersecurity
Cyber Security Training with Placement Assistance
Medium · Cybersecurity
The Part of Cybersecurity No One Talks About
Medium · Cybersecurity
🎓
Tutor Explanation
DeepCamp AI