This is What REAL Hacking Looks Like!

Share

Summary

This video shows a real-time hacking demonstration on Try HackMe, a cybersecurity training platform. The goal is to obtain user and root access by exploiting vulnerabilities in a target machine. The video covers the thought process of a hacker, from initial reconnaissance to privilege escalation.

Highlights

Introduction to Try HackMe and Initial Setup
00:00:00

The video starts by introducing Try HackMe as a platform for ethical hacking exercises. The presenter sets up their Try HackMe VPN and starts a new challenge machine, aiming to capture two flags: one for user access and one for root access. After resolving connection issues, the target machine's IP address is established.

Network Scanning and Service Enumeration
00:02:05

An Nmap scan is initiated to identify open ports and services on the target machine. The scan reveals SSH, HTTP (port 80) running a Magnus Billing web service, MySQL, and an unknown port 5038 related to Asterisk. The focus shifts to exploring the web service first.

Web Service Exploration and Vulnerability Identification
00:03:37

The Magnus Billing web service is accessed, and a Gobuster scan is started to discover hidden directories. Research on 'Magnus Billing' identifies a potential unauthenticated remote code execution vulnerability (CVE). The video also briefly mentions a directory traversal vulnerability related to Asterisk Call Manager on port 5038 and attempts to connect to MySQL, which is unsuccesful.

Exploiting with Metasploit and Gaining User Shell
00:07:07

Metasploit is launched to exploit the Magnus Billing vulnerability. A specific module for unauthenticated remote code execution is selected and configured. After a check confirms the target is vulnerable, the exploit is executed, resulting in a partially interactive Metasploit session. A full TTY shell is then obtained using a Python reverse shell for easier interaction.

Finding the User Flag and Privilege Escalation Strategy
00:10:41

With a user shell, the file system is explored. The 'user.txt' flag is located in the '/home/Magnus' directory, providing the first objective. The next step is to escalate privileges to root. A common privilege escalation checklist is used, and 'sudo -l' reveals that the user can run 'fail2ban-client' as root without a password.

Root Access via Fail2ban-Client Exploit
00:13:03

The 'fail2ban-client' vulnerability is researched using GTFOBins, which provides a method for privilege escalation. Since direct parameter passing might be an issue, a temporary shell script is created in a world-writable directory ('/dev/shm'). This script will contain the reverse shell command. After confirming the script works, it's executed via 'sudo fail2ban-client', leading to a root shell and the root flag.

Recently Summarized Articles

Loading...