[00:00:00] Hi, within this section we're going to continue with VulnHub and we're going to solve the Mr. Robot CTF. So if you have heard about this, I believe you know that this is a TV series. OK, so, Mr. Robot, if you search for it, you will see that this is actually a TV series, apparently about hackers, and people really love it. I haven't had the opportunity to watch it yet, but I will at some point in the future, I believe. And if you have watched it, maybe it will be easier for you to solve this challenge, because there might be some tips. I don't know. So I'm just going to go in and try and hack this box. OK, so over here we are in VulnHub one more time. We're going to use this a lot during this course because it's free and they have awesome CTFs. They have awesome vulnerable machines over here. So in this case, as you can see, Mr. Robot 1 was released in 2016 and you can still find it over here. So make sure you download one of these and make sure you read the description as well. And as you can see, this has three keys hidden in different locations again. So we're going to capture three flags. So it says that each key is progressively difficult to find, which is good. And it says that the virtual machine isn't too difficult, but maybe it's a beginner...
[00:01:36] Maybe it's like an intermediate kind of level, I'm thinking. So we don't have anything else over here. So make sure you download it. Of course, I downloaded it for you in order not to make you wait. So I'm just going to double click on this OVA and just install it on my VirtualBox. So let me just do that, double click over here and just leave it as it is. We can change it later on. Just import this, OK, and make sure you wait until it's imported. So far so good. Let me come over here and just open the settings. As you can see, this is Ubuntu 64-bit, OK? And I'm going to come over here. Maybe I can just make it like one gig or something like that, but we're not going to use it anyway. So you're free to use it with 500 megs as well. OK, so I'm going to come over here and I'm not going to change anything regarding display, storage or audio. Of course I'm going to change the network. I'm going to bring it into NAT Network and just make sure that I allow the promiscuous mode over here. Make sure your Kali and your Mr. Robot are on the same network. OK, so if you're using another way to do that, it's perfectly fine. I'm using NAT Network, so make sure you put it on the same network.
[00:03:04] So I'm going to open the Mr. Robot over here as well. OK, and here you go. Of course, we're not going to do much inside of Mr. Robot. We have more over here. I'm just going to see if we have the IP address. And as you can see, we don't have any IP address over here. It just says Mr. Robot, and that's it. OK, so I'm going to go back to my Kali and let me close this down and just give some credentials over here. Of course, we're going to start by finding the IP address of the target machine. So let me open my terminal. I'm going to change my keyboard first; obviously, you don't have to do that. I'm going to run an nmap scan against 10.0.2.0/24 over here in order to just see my target IP. Of course you can do that with netdiscover as well. Just make sure that you run it against your own IP address, your own IP range to be exact, and wait until you get this response. So here you go. We have the scan over here, nmap scan's completed. So I did that against 10.0.2.0. If you have another IP range, just go for that. So over here we have 10.0.2.15, which is our target machine, apparently.
[00:04:31] And as you can see, we already see some open ports over there, like 22, 80, 443. So we definitely have some kind of web server going on and we have one SSH port closed. Great. So we know that this is going to be a penetration test from the beginning because we have already seen the nmap result and we only have the HTTP service running over here. Of course, I'm going to make it more intense for nmap against only this target over here, but again, we know that there is a web server. If you want, you can open Zenmap and do this with nmap anytime you want. I'm not going to do that. I'm just going to do it with nmap and just take the notes into my folder, as usual. So I'm going to go for -T4 -A, which is our intense scan with verbose on, OK, and I'm going to just go for the 10.0.2.15 over here. And of course, I forgot to put a dash over there inside of the verbose parameter. And as you can see, it already started. OK, so we're going to get back some results from nmap. We actually see the 443 and the 80 port open right now. So it's already discovered that maybe we have some other ports. Maybe we can do this for all ports, OK, -p- or for some UDP ports or TCP ports. But again, this is good. So here you go.
[00:06:16] SSH is closed. We only have 80 open and we have some kind of information regarding https as well. So we definitely know that this is going to be a Linux machine. Great. So this is a Linux machine and I don't know yet if we have some kind of old kernel over here or like a kernel exploit in the Linux going on. So what I'm going to do, I'm going to go into my Documents folder. OK, so I'm going to write cd Documents CTF. So I'm going to create a new directory over here called Mr. Robot and I'm going to create a new nmap text file over there like we used to do in the previous sections. So I'm going to nano into that nmap.txt, OK, and I'm going to copy everything that we see over here just to save the nmap results. So I'm going to copy this and open the text and paste it over there and hit Control+O and Control+X in order to save this and quit. OK, like that. Right now I'm going to clear this up because we can reach it anytime we want. And to be honest, we don't have so much going on in the scan as well. So basically, I'm going to go for 10.0.2.15 over here to see what's there in the website. So here you go. We have something going on in the website. I believe this is some kind of animation going on over there.
[00:08:00] But even though it's a CTF and even though it's an animation, I believe this is quality work. Right. So we are getting this user experience and better yet, we are presented with some kind of terminal over here. So let me zoom in a little bit. Maybe we can just scan here. Let me quickly read what's written over there. Since this is a TV series, I believe we're going to have to deal with this kind of information very much during this penetration test. But again, it's a good user experience, so I don't have a problem with that. I'm just going to see the page source over there. It says you are not alone. Great. So this is kind of HTML, but we have one JavaScript over here and we have some kind of comment about things. Let me try this terminal first to see if that works or not. If I write prepare, for example. Here you go. We are presented with kind of maybe a GIF, maybe kind of a video over there. And it's not laggy at all. It's very good, I believe. So we are fsociety and there are some kind of things going on. I bet these are related to the TV series itself.
[00:09:30] We don't understand this, at least I don't understand this, but maybe there is some sort of a tip in order to solve this challenge. So I'm just scanning over here. OK, so here you go. We are presented with the terminal one more time. If I just write help as instructed, I can see the other commands like fsociety. So let me just run fsociety and see what is fsociety. It's a... Are you ready to join the society? I don't know. Let me just write help and let me write inform. Here you go. You're presented with some kind of carousel over here, like we can swipe the images. And I don't even read these descriptions. Maybe they are very important to solve the CTF. I'm just going to go with the flow right now. And if we cannot solve it, I can come back and just read them later on. OK, so I'm being lazy about this, so I'm going to write question. And here you go. There are some kind of political things going on over there. OK, let me just close this down and let me run help one more time. So we have wakeup; let's see what is wakeup, and here you go again. Wakeup runs a video for us.
[00:10:56] And it seems like the previous video that we have seen in the beginning; these are the same guys. I believe this is supposed to be Wall Street. I don't know. Let me see. Yeah, here you go. We didn't see much. And finally, we have the join. If I write join over here, it says that, yeah, you don't know me. I've been watching you. I've been fighting for you. Great. And if you're ready to join me, enter your email address. OK, so of course, I'm not going to give my actual email address, but I'm just going to give some kind of fake one over here. It says that we will be in touch. OK, maybe we should have given our actual email address. Maybe it will just send us some tip. But I don't know about that. And as you can see, we cannot find very much over here. Right. So even though we can come over here, we can see the things going on. It's very cool. You're presented with like a terminal in the website itself. It's very cool. But we didn't get a tip. So what I'm going to do, I'm going to use DirBuster or dirb.
[00:12:11] So if you don't know about this, this is a tool in order for you to discover hidden pages. Like, it has a dictionary, or you supply a dictionary to it, and it tries every page you supply one by one like you did. It checks to see if it has an admin page. It checks if it has a login page, something like that. OK, so in order to do that first, we're going to have to give the URL, which is http://10.0.2.15. And over here we're going to have to choose the number of threads. So if we lower this number, like if we choose ten threads, it will be slower; if we choose 200 threads, for example, if we say go faster, it will be much faster, but it will consume much more CPU power. OK, so for the scanning type, I'm going to do a list based brute force and we're going to supply a list. So of course we can create our own list for that. But I'm just going to show you some lists that come prebuilt with Kali Linux. So go to your root like this and find the usr. Is it usr or not? var? I believe it's supposed to be in usr. Yep. Let me just go back from here by clicking on this. So let me find the usr. Ah, here you go. And usr/share, and there should be a wordlists folder over here. Here you go.
[00:13:44] Now this is the thing that we are looking for. If you come into this folder, you can see there are a couple of wordlists over here, like for DirBuster, for dirb and for other things as well. So since we are using DirBuster, I'm just going to go for the DirBuster. And basically you want to use this medium txt wordlist for CTFs, or you can use a small one, but a small one is really small. It doesn't have that kind of very much extensive work going on over there. So I'm going to go with the medium. And if you have like a basic CTF, I advise that you always use this; just use it when you just start this. Again, it will just try to find the solution for you, it will just try to find the results for you, OK? And as you can see, current number of running threads is 200. So make sure you do this as well, not to run this on ten. And you can see the results over there. So over here we see the index and every other thing as well. So if we filter this for response, or if we just order this by response, then we can get a much better view because 200 means it's OK. OK, 200 means it's OK, and 404, as you might know, means there is no such thing. Like if we get a 500, it can be a server error. So we're going to basically look for 200s.
[00:15:16] And here we go. We have some lead. As you can see, we have wp-login, wp-admin, so we have admin as well. So these are indicators that this website has WordPress installed. OK, we have an images folder over here. So even though it uses WordPress or not, I don't know about WordPress, it is installed and it's live, so we can try to see if there is any vulnerability regarding WordPress. Right. And there are a couple of folders over here that we can check as well in order to see what's going on. So this scan isn't complete yet, but we got what we need, I believe. So I'm going to run Nikto here as well. So Nikto is a tool to understand the vulnerabilities inside of a web server or website. We generally use it for CTFs, not for actual pentesting, really, but it's very efficient in CTFs. So make sure you run this nikto -h and your URL. -h is for host. OK, so here you go. It started to find things over here as well. So we're trying to get our lead, right. So we don't know what's going to happen yet, even though it has WordPress. This is a good lead, but maybe there is nothing wrong with the WordPress. There is no vulnerability at all. Then it wouldn't be just our way in.
[00:16:47] But of course, we're going to just look for that. So as you can see, time to finish is displayed like seven days over here. So this is going to take some time. But again, I believe we got what we need from the DirBuster, so we don't have to wait for seven days. You can just wait for a couple of minutes more and then stop it. We're going to continue solving this within the next lecture.