1
00:00:00,500 --> 00:00:00,760
OK.

2
00:00:00,790 --> 00:00:05,140
So we have scanned the machine and we have port 80 open and port

3
00:00:05,140 --> 00:00:07,140
3389 open.

4
00:00:07,330 --> 00:00:12,820
So we don't have a lot of information here, and on port 80 we actually just have what looks like a default

5
00:00:12,880 --> 00:00:14,570
IIS page of

6
00:00:14,680 --> 00:00:16,630
IIS 10.0.

7
00:00:16,630 --> 00:00:22,120
So we're probably up against some sort of newer type of Windows. It's guessing Windows Server 2016, but

8
00:00:22,180 --> 00:00:27,970
really we don't know right now. What I mean to go ahead and do is just kick off a dirbuster against

9
00:00:27,970 --> 00:00:33,490
this, because I have a hunch that we're going to have to do directory busting, unless the exploit deals

10
00:00:33,490 --> 00:00:36,790
with 3389, which is possible.

11
00:00:36,790 --> 00:00:44,380
So what we're going to do here is we're going to say dirbuster, like that, with an ampersand, and

12
00:00:44,380 --> 00:00:49,870
then we're just going to utilize the web page. So I'm going to go over here. I don't remember the IP address

13
00:00:49,900 --> 00:00:59,590
because it is randomized, and I'm going to go and just say hey dirbuster, go ahead on HTTP, port 80. I

14
00:00:59,590 --> 00:01:05,760
want you to go faster when we scan this, so we're going to increase the threading, and then we're going,

15
00:01:05,770 --> 00:01:10,490
I'm going to go here to /usr/share.

16
00:01:10,610 --> 00:01:19,580
You can start typing dirbuster, and I'm going to scan with a word list, the lowercase medium. That's

17
00:01:19,590 --> 00:01:21,410
60. Small might work.

18
00:01:21,430 --> 00:01:23,080
I'm not sure to be honest.

19
00:01:23,080 --> 00:01:28,470
Now, we're on an IIS page, so we could scan for something like asp or aspx.

20
00:01:28,480 --> 00:01:35,220
I'm just gonna leave this at asp and roll with that, and then we're just going to hit start. Now, while

21
00:01:35,220 --> 00:01:36,120
this is running.

22
00:01:36,120 --> 00:01:39,250
Let's go ahead and talk about some other things.

23
00:01:39,330 --> 00:01:43,050
So we have this scan here, right.

24
00:01:43,080 --> 00:01:47,430
We have port 80 open, and we can navigate to port 80 when we enumerate this.

25
00:01:47,430 --> 00:01:53,570
We can just go and say copy and then just paste this in, and you could see this is just gonna be an IIS

26
00:01:53,610 --> 00:01:54,330
page.

27
00:01:54,360 --> 00:01:59,790
Now the other option would be if this was some sort of vulnerability with 3389, where we had the BlueKeep

28
00:01:59,800 --> 00:02:01,140
vulnerability.

29
00:02:01,170 --> 00:02:05,800
Now, I have never successfully run BlueKeep. It's always crashed for me.

30
00:02:05,910 --> 00:02:10,290
So I don't even consider it an option at this point, until there's like a working proof of concept.

31
00:02:10,290 --> 00:02:13,550
Now there might be one out there, but the ones that I've seen are not very stable.

32
00:02:14,010 --> 00:02:19,710
So it could be an option, but my guess is we're going to investigate 80 and then we're going to log in,

33
00:02:19,710 --> 00:02:25,820
probably over 3389. Or maybe we don't; maybe we just get 80 and we get an exploit here.

34
00:02:26,070 --> 00:02:32,520
The times that we see this port 80 and port 3389 for Windows machines, it's common. On Linux you'll see

35
00:02:32,520 --> 00:02:34,640
like port 80 and then port 22.

36
00:02:34,800 --> 00:02:39,540
Meaning that typically you'll take 80 as a path in, and then you'll find credentials somewhere and use

37
00:02:39,540 --> 00:02:42,910
3389 or port 22 and then elevate.

38
00:02:42,960 --> 00:02:48,240
Now if you remember the last box that we had with the service, or the unquoted service paths.

39
00:02:48,240 --> 00:02:54,300
We did get in and then we were able to escalate, or we were able to use 3389 if we wanted to, because

40
00:02:54,300 --> 00:02:58,430
when we used winPEAS we found a set of credentials in there for the user Bill.

41
00:02:58,500 --> 00:03:04,320
That's kind of the same little path: we can get a GUI based here on 3389 if we wanted to.

42
00:03:04,390 --> 00:03:10,020
So let's check here and see if we can find any information, and we see that a /retro does come back.

43
00:03:10,020 --> 00:03:13,850
And so we could just right click on this and open in browser.

44
00:03:13,910 --> 00:03:19,610
Now if you have any interest in this, you're welcome to actually come in here and follow along with their

45
00:03:19,610 --> 00:03:24,260
step by step. If you want, you can answer the questions like how many ports are open on the target system,

46
00:03:24,260 --> 00:03:27,850
and you say two, and it just gives you sort of that walkthrough.

47
00:03:27,860 --> 00:03:31,790
So if you want to learn more and do the walkthrough, you're more than welcome.

48
00:03:31,790 --> 00:03:35,090
You have to do the walkthrough to get the points anyway, so it doesn't hurt to try.

49
00:03:37,810 --> 00:03:38,120
OK.

50
00:03:38,120 --> 00:03:40,720
And for me it took Retro just a little bit to load.

51
00:03:40,730 --> 00:03:46,070
So if it takes a little bit to load, that's absolutely OK, and when we're coming through here we kind

52
00:03:46,070 --> 00:03:51,630
of want to look at this page and just see, OK, well, we've got the author, Wade, here.

53
00:03:51,650 --> 00:03:53,490
So we want to notate that we have Wade.

54
00:03:53,490 --> 00:03:56,970
We might even open a little notepad and write Wade.

55
00:03:57,020 --> 00:04:01,580
Because Wade could be a potential username, and what I saw when I was looking through here too is that

56
00:04:01,580 --> 00:04:06,470
there's a wp-content, meaning we're looking at a WordPress site.

57
00:04:06,620 --> 00:04:12,140
Now if I'm going to enumerate this further, I might run something like WPScan and look for vulnerable

58
00:04:12,140 --> 00:04:13,980
plugins on this website.

59
00:04:14,150 --> 00:04:20,300
I might even try to use the credentials if we find credentials, or a username. I might try to brute force

60
00:04:20,300 --> 00:04:25,760
his username, Wade, because we know that Wade's a user, so maybe Wade has an easy password and we can

61
00:04:25,760 --> 00:04:30,400
get in, or maybe there are vulnerable plugins and we can utilize that as well.

62
00:04:30,470 --> 00:04:36,770
But when you see a blog page like this on a CTF, you should always look around and just see if there's

63
00:04:36,770 --> 00:04:40,430
anything in there that might be advantageous to you.

64
00:04:40,520 --> 00:04:46,490
So you have the different pages in here, and you can actually open these.

65
00:04:46,730 --> 00:04:51,350
So you can open this one, and I'm going to open one that does spill out a little information, just to

66
00:04:51,350 --> 00:04:52,400
save time on the video.

67
00:04:52,430 --> 00:04:58,100
But we can open this Ready Player One, and we should be reading these blog posts too.

68
00:04:58,270 --> 00:05:01,020
Now, some of those are just like little write-ups.

69
00:05:01,030 --> 00:05:04,660
But here, for example, you could see: first post on the new blog.

70
00:05:04,660 --> 00:05:07,180
I'm excited to share my love of all things.

71
00:05:07,180 --> 00:05:11,230
And this one says: I can't believe the movie based on my favorite book of all time is going to come out

72
00:05:11,230 --> 00:05:12,300
in a few days.

73
00:05:12,370 --> 00:05:17,440
Maybe it's just because my name is so similar to the main character, but honestly I feel a deep connection

74
00:05:17,440 --> 00:05:24,490
to the main character, Wade. I keep mistyping the name of his avatar whenever I log in, but I think I'll

75
00:05:24,490 --> 00:05:25,330
eventually get it down.

76
00:05:25,360 --> 00:05:28,310
Either way I'm really excited to see this movie.

77
00:05:28,360 --> 00:05:33,630
I keep mistyping the name of his avatar when I log in, but I think I'll eventually get it down.

78
00:05:33,640 --> 00:05:40,150
So he's logging in and he's saying, hey, I'm using that avatar as my password and I keep screwing it up.

79
00:05:40,210 --> 00:05:46,300
So we go over here and we just look at the Ready Player One. You can see that is actually a comment, and

80
00:05:46,300 --> 00:05:48,660
Wade has left a comment for himself.

81
00:05:48,760 --> 00:05:52,100
And so: leaving myself a note here just in case I forget how to spell it.

82
00:05:52,210 --> 00:05:55,980
parzival. p-a-r-z-i-v-a-l.

83
00:05:56,080 --> 00:06:01,730
So what we can do is we can utilize this and we can try to log in.

84
00:06:01,840 --> 00:06:09,580
So I'm going to use a tool called xfreerdp. Now, if you don't have it, you should just be able to apt

85
00:06:09,620 --> 00:06:16,790
install xfreerdp. But if we tried to rdesktop to this machine, it's not going to actually allow us

86
00:06:16,790 --> 00:06:17,270
to do it.

87
00:06:17,300 --> 00:06:20,600
So if we say 10.10.26.200.

88
00:06:20,720 --> 00:06:24,220
Now I don't think it will.

89
00:06:24,260 --> 00:06:26,030
So we get the CredSSP error.

90
00:06:26,090 --> 00:06:33,500
So we're going to utilize xfreerdp, which negotiates for us, and I'm going to do a --help,

91
00:06:33,500 --> 00:06:40,730
just so we can look at the syntax, and we can say username, and then we could supply a password

92
00:06:40,730 --> 00:06:41,240
if we want.

93
00:06:41,240 --> 00:06:42,420
We don't have to do that.

94
00:06:42,620 --> 00:06:47,210
And then we just supply the port and the IP address.

95
00:06:47,210 --> 00:06:54,850
So we're gonna do a user: we do xfreerdp /u.

96
00:06:55,010 --> 00:07:02,110
We're gonna try Wade, and then we'll go ahead and just do a /v and we'll do the IP address here,

97
00:07:02,140 --> 00:07:10,250
and we'll say 10.10.26.200:3389, and let's see if that works, and

98
00:07:10,250 --> 00:07:14,570
then we'll go ahead and type in parzival, p-a-r-z-i-v-a-l.

99
00:07:18,480 --> 00:07:29,380
So we're gonna accept this certificate here, and we are p-a-r-z-i-v-a-l. See if that works. Looks like it's

100
00:07:29,380 --> 00:07:36,540
trying to log us in here, and the box is a little slow, mainly because it's on a free server, so it looks

101
00:07:36,540 --> 00:07:42,400
like we are actually logging in. So at this point we have gotten the low level user.

102
00:07:42,400 --> 00:07:50,140
This is a very common CTF-like box, and I actually really like this box because we can sit here and we

103
00:07:50,140 --> 00:07:53,140
just enumerate. That's all we do, and we have options.

104
00:07:53,140 --> 00:07:58,630
There are some rabbit holes if we want to go down them. We can even try to take this and see if we can

105
00:07:58,630 --> 00:08:03,660
log in with these credentials to, like, the WordPress admin, or we could see if there are vulnerable plugins.

106
00:08:03,760 --> 00:08:08,830
There might be other paths on this machine, but we could see here, where we're on this GUI interface,

107
00:08:08,860 --> 00:08:14,380
we've got the user.txt. We've also got this recycle bin; if we open the recycle bin maybe there's

108
00:08:14,380 --> 00:08:22,570
some stuff in here. There's this HPD; if we go out to Internet Explorer and we open it up we might

109
00:08:22,570 --> 00:08:27,610
find information here. I'm actually going to pause; we're going to stop here now that we have a low level

110
00:08:27,610 --> 00:08:33,670
user, and then next video we'll enumerate this and we'll escalate this machine via CVE-2019-

111
00:08:33,670 --> 00:08:34,990
1388.

112
00:08:34,990 --> 00:08:36,000
So if you're already ahead of me,

113
00:08:36,010 --> 00:08:39,910
great job. If not, I'll see you next video when we actually escalate this machine.
