HackTheBox - BountyHunter

IppSec · 29,467 views · posted a day ago
00:00 - Intro
01:00 - Running nmap, doing all ports and min-rate
02:30 - Poking at the website to discover a static site
04:25 - Starting up a gobuster to do some recon in the background
05:30 - Discovering log_submit, and finding out it is vulnerable to XXE (XML External Entity injection)
08:00 - Verified it is vulnerable to XXE, attempting to extract a file
09:50 - Chaining a PHP filter to convert files to base64, which lets us avoid bad characters and leak source
11:15 - Start of coding out a program to automate this LFI
17:45 - XXE LFI POC done, improving it by adding the cmd module
20:50 - Reading source code of pages, getting nothing
21:35 - Finding db.php from our gobuster, leaking the source and getting a password
22:05 - Grabbing /etc/passwd in order to build a userlist to password spray
22:45 - Using CrackMapExec (cme) to perform a password spray over SSH and discovering creds
23:35 - With a shell on the box we can do sudo against a python file, doing some manual code analysis
31:00 - Switching to VSCode to debug our exploit script
38:30 - Exploit file works, copy it to our target and run it to get a root shell
39:44 - Taking a step back and verifying the bad characters in our XXE
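The chapter list above describes the attack path from the attacker's side: an XML document submitted to log_submit carries a DOCTYPE with an external entity, and a `php://filter` wrapper base64-encodes the target file so the source survives the round trip. From the defender's side the same facts give a detection rule: a legitimate bug report never needs a DOCTYPE, an ENTITY declaration or a PHP stream wrapper. The Python below is an added example (not IppSec's xxe script or anything from the box) that scans submitted form bodies for those indicators. It assumes, as on this box, that the form ships its XML in one base64-encoded POST field (field name `data` is this example's assumption), and the three-column request records it parses are a constructed format, not a real server log.

```python
"""Scan submitted XML bodies for XXE indicators (added example, constructed inputs)."""
import base64
import binascii
import re
import urllib.parse

# Indicator names are this example's own; the patterns are plain XML / PHP syntax.
# A benign bug report needs none of these constructs.
XXE_INDICATORS = {
    # a DOCTYPE carrying an internal subset that declares an entity
    "internal_dtd_entity": re.compile(r"<!DOCTYPE\b[^>\[]*\[.*?<!ENTITY", re.I | re.S),
    # an entity (general or parameter) that points at an external resource
    "external_entity": re.compile(r"<!ENTITY\s+%?\s*\S+\s+(?:SYSTEM|PUBLIC)\b", re.I),
    # the PHP stream wrapper used in the video to base64-encode source files
    "php_filter_wrapper": re.compile(r"php://filter/", re.I),
    # direct file reads
    "file_uri": re.compile(r"file:///", re.I),
}


def decode_if_base64(value: str) -> str:
    """Return the decoded text when `value` is strict base64 that decodes to UTF-8,
    otherwise return `value` unchanged (so raw XML is scanned as-is)."""
    try:
        return base64.b64decode(value, validate=True).decode("utf-8")
    except (binascii.Error, ValueError):  # UnicodeDecodeError is a ValueError
        return value


def scan_xml_body(body: str) -> list:
    """Return the names of every indicator that matches the (decoded) body."""
    text = decode_if_base64(body.strip())
    return [name for name, rx in XXE_INDICATORS.items() if rx.search(text)]


def scan_request_log(lines) -> list:
    """Walk constructed 'METHOD<TAB>PATH<TAB>URLENCODED_BODY' records and return
    one finding per POST form field that carries an XXE indicator."""
    findings = []
    for lineno, line in enumerate(lines, 1):
        parts = line.rstrip("\n").split("\t", 2)
        if len(parts) != 3 or parts[0] != "POST":
            continue  # malformed record or no request body to inspect
        _, path, post_body = parts
        for field, values in urllib.parse.parse_qs(post_body, keep_blank_values=True).items():
            for value in values:
                hits = scan_xml_body(value)
                if hits:
                    findings.append({"line": lineno, "path": path,
                                     "field": field, "indicators": hits})
    return findings


# Constructed sample submissions: a normal report and an XXE attempt of the kind
# the walkthrough describes (entity resolving through php://filter to db.php).
BENIGN_XML = """<?xml version="1.0" encoding="ISO-8859-1"?>
<bugreport><title>Broken link on /about</title><cwe>CWE-601</cwe>
<cvss>3.1</cvss><reward>50</reward></bugreport>"""

MALICIOUS_XML = """<?xml version="1.0" encoding="ISO-8859-1"?>
<!DOCTYPE bugreport [<!ENTITY xxe SYSTEM "php://filter/convert.base64-encode/resource=db.php">]>
<bugreport><title>&xxe;</title><cwe>CWE-611</cwe><cvss>0</cvss><reward>0</reward></bugreport>"""


def build_sample_log() -> list:
    """Constructed records: a GET (skipped), a benign POST and an XXE POST."""
    def enc(xml: str) -> str:
        return base64.b64encode(xml.encode()).decode()
    return [
        "GET\t/\t",
        "POST\t/log_submit\t" + urllib.parse.urlencode({"data": enc(BENIGN_XML)}),
        "POST\t/log_submit\t" + urllib.parse.urlencode({"data": enc(MALICIOUS_XML)}),
    ]


if __name__ == "__main__":
    for finding in scan_request_log(build_sample_log()):
        print(finding)
```

`parse_qs` undoes the form encoding (`+` and `=` inside the base64 arrive as `%2B` and `%3D`), so the decoder sees the same bytes the PHP side would. The real mitigation sits in the parser rather than in this scanner: a PHP endpoint that never passes `LIBXML_NOENT` to `simplexml_load_string` or `DOMDocument::loadXML` does not resolve external entities at all, and the scanner then only tells you who tried.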

Comments: 60

@durzua05 · 2 years ago
Love your content!! Was stuck on the XXE doing it on my own; luckily for me you uploaded this tutorial. Had a lot of fun doing the command line interface in Python! Keep up the insane work!

@-bubby9633 · 2 years ago
Great vid once again! It really is so easy to understand when watching you do it, and I often come away with some great tips. Thanks a lot

@DJ-rr7cj · 2 years ago
I wouldn't be where I am today if it wasn't for you ipp. Amazing content creator and teacher. 11/10 would recommend.

@Lin-yo3og · 2 years ago
How is every step of enumeration and footprinting going so easy and smooth, but also reasonable? It's amazing.

@someyounggamer · 2 years ago
A true "Senpai". Thank you for all that you do.

@numberiforgot · 2 years ago
This one surprised me because of the XXE, but it was obvious after I had found the code disclosure. Definitely had me refreshing my XML skills.

@JR-wf6vn · 2 years ago
This is so insane how fast this video goes.

@ismailarame3756 · 2 years ago
First one, love u from Morocco. You are a LEGEND, by the way.

@yunietpiloto4425 · 2 years ago
Sir... you are talented, thanks for sharing!

@Jaidevpgramya · 2 years ago
Great video 👏🏽

@frankstarson2403 · 2 years ago
This is useful, thank you sir

@marwandos · 2 years ago
OMG! ippsec, that xxe py is awesome 🤤

@hadrian3689 · 2 years ago
This was a pretty ingenious machine, not too hard but just tricky/hard enough depending on your experience. Plus it was great to practice some code analysis at the beginner/easy level.

@TechSolutionHindi · 2 years ago
I like when ipp says "if you're not running anything every second you are just wasting..."

@SecAura · 2 years ago
It's almost like me and ippsec had the exact same approach to making a video on this box! Though he always does it better!

@huuloc8719 · 2 years ago
Thanks

@PhuongHoang-jj5pm · 2 years ago
Thanks so much

@chiragartani · 2 years ago
Earlier I tried this box but didn't complete it because something was unknown to me, like I didn't know how to do that. Thank you for the video and for teaching everything; I will watch this tonight and also complete the box. 🙏🌟

@maoropizzagalli4153 · 2 years ago
Thanks for the content ippsec

@1nf1n7y · 2 years ago
Love the way you give the information. Thank you. Little note: this machine is a Linux machine and you put it in a Windows playlist. You can fix this.

@ippsec · 2 years ago
Thanks, fixed it

@points7824 · 2 years ago
This machine was neat. I almost got blood on it as well, was like 20 seconds from it.

@xB-yg2iw · 2 years ago
Say the form was as in this video, but instead of the XML body being generated client side, it sends the four variables you input and generates the XML server side. Is there still a way to get XXE in this scenario? Obviously in this case you couldn't add entities to the DOCTYPE, but is there any way to do it inline?

@d0abarr3lroll · 2 years ago
You could potentially use an XInclude, I think, but that would require the schema being available.

@kalidsherefuddin · 2 years ago
Ok thanks

@fpplanos3493 · 2 years ago
Hey @IppSec, would you say this box is OSCP level? Or is it above that? And as always GREAT CONTENT! It's amazing what you do for the community!!!

@haroonrehman9489 · 2 years ago
4th comment ❤️🇵🇰

@chapaavalerie5629 · 2 years ago
Wow

@haydene3802 · 2 years ago
Do you run through boxes first before recording?

@sprBEAST211 · 2 years ago
I was wondering the same thing. What he accomplished in the first 15 minutes would probably take me hours, not including time spent banging my head on the desk 😂 He's a wizard either way.

@ursr78122 · 2 years ago
Hey ippsec, do u still use Obsidian for notes?

@MrCipek1221 · 2 years ago
39:38 when you said "and we're now root" I felt like you just hacked some NSA-like server :D

@axelvirtus2514 · 2 years ago
🐶

@diegoguimaraes4391 · 2 years ago
Thanks a lot for the videos!! Any chance of doing a Secret walkthrough? Peace!

@hadrian3689 · 2 years ago
When it retires he will. He doesn't do live machines.

@diegoguimaraes4391 · 2 years ago
@hadrian3689 oh... I didn't know that! TKS

@rdarkmind · 2 years ago
First. Notice me sensei!!

@dietodo21 · 2 years ago
Bro, I am a beginner, I don't know anything about hacking. Where should I start and what should I learn to start in Hack The Box?

@astraflayer4970 · 2 years ago
5th comment 🔥🎉

@saketsrv9068 · 2 years ago
Not sure how this box got selected on HTB these days, but great video as usual.

@nios1515 · 2 years ago
What's wrong with this machine?

@hadrian3689 · 2 years ago
What may seem easy to some people may be difficult for others. I think HTB likes to cover all of the different areas of difficulty for those who aren't able to get the VIP service.

@saketsrv9068 · 2 years ago
@hadrian3689 You are right! But this box was so traditional; I never expected such quality from HTB. There are easy boxes on HTB but they have some twist... this box was like "hey come, got root? No? OK, here we go!"

@sacheenkhakureel3460 · 2 years ago
How do I stop an active machine in Hack The Box? I cannot do anything until it is stopped. However, I cannot see any active machines.

@sprBEAST211 · 2 years ago
If you have an IP spawned for a machine it will be considered active. Make sure you go back through the previous box you were doing and disconnect it.

@plurby1703 · 2 years ago
This is considered an easy box? 😰 Or were you just having fun because you're bored? Could you have just done a GTFOBins sudo python to get privesc?

@TheDarthsteve316 · 2 years ago
It is, but while it's technically easy (scan website, find creds, use known technique, SSH over) that was also one hell of a specific piece of knowledge needed for this. I'm amazed I've never heard of XXE or PayloadsAllTheThings until now somehow, and that's with several Udemy courses and HTB machines over the last 2 years. And while that route is something that exists for other machines, this machine seemed to have the sudo -l NOPASSWD tied specifically to that python version and script (which also no one had write access to, so you couldn't just add a line at the beginning to pop a shell), so not sure that would work. Although I do have one or two things I'm interested in trying to see if there are alternate ways to get more info or access on this. I kinda hate that XXE thing. It's good to know but just strikes me as incredibly oddly specific for some reason. Then again, so were the tickets, and sometimes that's just what's needed. But still. Argh.

@audi1800G36C · 2 years ago
Did ippsec upload the wrong box tutorial by accident?

@slayeeerrr · 2 years ago
What do you mean?

@przemekwleklik1714 · 2 years ago
Did you use the database user password to log in to the developer SSH account? In the real world this scenario is highly unlikely... :(

@ippsec · 2 years ago
I think you'd be surprised how often credential reuse is a problem

@sudoer92 · 2 years ago
Please do "Bolt", it is kinda hard

@Tech69YT · 2 years ago
If the PHP filter was blocked then we can also host our malicious DTD, and in our DTD we can generate a payload using CDATA to retrieve PHP file contents.

@slayeeerrr · 2 years ago
How would you retrieve PHP source code from outside the host? I mean, when you get content from outside, the PHP script is interpreted by the webserver. I didn't understand what you meant. Would you like to explain?

@Tech69YT · 2 years ago
@slayeeerrr I tried it but failed :( Sorry for the comment; I hosted a DTD file which contains an entity and pointed that entity in the XML form field, but did not get the contents. Sorry for this comment.

@slayeeerrr · 2 years ago
@Tech69YT Don't sweat it, bro! Thanks for replying!! :-)

@phanuctrunghieu4571 · 2 years ago
Play the Backdoor room, please

@Jake-nh4ek · 2 years ago
Nmap only runs version detection/scripts on ports it finds open, as these are done after host discovery and port scanning. So there is no reason to run multiple nmap scans for this; using both options -p- and -A on the same scan is fine.

@slayeeerrr · 2 years ago
The first Nmap execution is valid for just taking all open ports quickly! That's where the `--min-rate 10000 -sS -p-` comes from. So you can execute whatever you want straight against each (open) port afterward. Since -sS doesn't establish a TCP connection, and you need the handshake to enumerate thoroughly, running two Nmap scans is faster to take everything instead of executing `nmap -A -p- --min-rate 10000`, which can screw up the network environment. Then again, using Nmap with `-p- -A` (a trivial aggressive scan on all ports) always takes a long time to finish in contrast to `--min-rate 10000 -sS -p-`. *Note: I should advise you that you don't have to worry about network performance in a CTF-like environment. *Edit/Update: I had to get rid of dash characters.

@infosec6253 · 2 years ago
Xxe