HackTheBox - Nibbles

99,277 views

IppSec

1 day ago

00:18 - Start of Recon
01:15 - Finding hidden directory via Source
02:15 - Downloading NibbleBlog to help us with finding version information
03:59 - Identifying what version of NibbleBlog is running
04:42 - Using SearchSploit to find vulnerabilities
05:36 - Examining the Exploit
06:08 - Explanation of exploit
07:25 - Attempting to find valid usernames for NibbleBlog
09:13 - Finding usernames in /content/private
10:15 - Using Hydra to attempt to bruteforce
14:08 - Oh crap. Hydra not a good idea, we're blocked...
-- Some minor panicking about how to continue
15:40 - Using SSH Proxies to hit Nibbles from another box (Falafel)
18:20 - Guessing the password
20:10 - Logged in, let's attempt our exploit!
22:46 - Code Execution achieved. Let's get a reverse shell
24:53 - Reverse shell returned.
26:00 - Running sudo -l to examine sudoers, then finding out why sudo took forever to return
26:50 - Privesc via bad sudo rules
32:10 - Alternative PrivEsc via RationalLove

Comments: 98
@pswalia2u 6 years ago
That SSH tunnel trick was awesome
@diegobernal9750 6 years ago
Thank you very much for the video, always learning something new! Just one thing, I got blacklisted as well while rooting the machine but came out of it in a different way. You just have to set the x-forwarded-for cookie with a different ip, that does the trick and bypasses the check, if I remember well. Just so that you know ;)
@brettnieman3453 6 years ago
Thanks so much! It's great to watch you do these easier machines as well. So helpful and learning tons. Thanks again!
@nothing-hm7dz 6 years ago
I become happy and excited every time I see you upload a new video :D I really do, thanks for your knowledge, I really appreciate it
@saeedsaeed9 6 years ago
Amazing, did this machine two days ago and had no idea it was going to be retired the next day :"D Btw, thank you very much for those amazing videos, they're literally stacked with knowledge! I'm grateful.
@Barkbarkdoge123 5 years ago
Many thanks for ALL your walk-throughs!
@raanonyms7926 4 years ago
"Is there something else that I can do", this phrase keeps me motivated for HTB :)
@sefterm-zade9744 3 years ago
You are amazing... I found this channel today and learned lots 👌👍💥🔥🔥🔥🔥🔥🔥
@mattbangert396 6 years ago
This is my first box on HTB. Learned much already from this vid. Thank you!
@nicolasperezmolina491 6 years ago
how the fuck do you hack one lol
@thepag52 6 years ago
start with vulnhub my guy
@nicolasperezmolina491 6 years ago
What difference is there between hackthebox and vulnhub?
@3rg1s 6 years ago
Nicolás Pérez Molina hackthebox has machines for which you won't find solutions until they are retired. Vulnhub most of the time has solutions. That depends on what you like. Also hackthebox gives you a vpn so that's the only thing you have to download to hack the machines. On vulnhub you need to download a virtual machine and run it on your network, which is better somehow, because no one restores the machine so... There are other differences btw. If you are a beginner do some easy machines on vulnhub. Hackthebox is difficult.
@abhishekchaudhari970 6 years ago
Nicolás Pérez Molina HTB provides online machines to attack while vulnhub gives image files which you can download and attack
@fitman84 6 years ago
The last question you could think someone would ask you: what keyboard do you use? Thanks for sharing all this knowledge.
@LeandroLemos 4 years ago
Which keymaps have you used to change the encoding in the Burp Suite?
@baciukrystyan6479 6 years ago
Thank You for sharing Your Knowledge.
@ranbash 5 years ago
Looking for my first machine to work on. Thinking this is a great place to start?
@medic660 6 years ago
When I did nibbles I always got permission denied when trying to edit the etc/hosts file for some reason. Doing sudo -u root /path/to/monitor.sh ended up working for me. Also didn't know about the RationalLove privesc, where tf did this thing pop out of? ty ipp
@obsessed92 5 years ago
It's over 9000 !
@user-qm4zl2ng5i 6 months ago
The way you solve the machines with ease makes me realize I have a long way to go.
@crackedclips5605 4 years ago
For the better shell with autocomplete, can you type what you press please? You say FG with enter or something but tbh I don't understand xD
@shivangkumar6646 6 years ago
How to find the ssh credentials for DevOops???
@striple765 5 years ago
Password was nibbles, tf, how do you guess it so right?
@sriharikeerthi1480 3 years ago
cewl the website and you will get it, no need to guess
@rickjames3034 2 years ago
@@sriharikeerthi1480 true but there is a login attempt blacklist so you wouldn't be able to brute force the cewl output...
@sudosuraj 2 years ago
15:30 why didn't you use proxychains just before hydra?
@deathfromthekrypt 6 years ago
My first machine, was a great one for me
@KucharJosef 6 years ago
Exactly :)
@jacquesmit502 5 years ago
Same here
@deviousmethod1310 5 years ago
like a first sex hehehe )
@Brlesskoin 2 months ago
Amazing job! I'm your new follower, hope one day I do all that stuff you do...
@user-fw7zw9ce9j 1 year ago
Can appreciate the "over 9000" reference
@henryhaller6714 1 year ago
When I grow up, I wanna be like you man.
@TeoLiangWei 4 years ago
Where do we copy /opt/shell/php/cmd.php from?
@treew4 5 years ago
Any idea what to do if you don't guess the password?
@PrestonZen 2 years ago
Are you able to hit the web server with a proxy chain configuration so you can bypass the lockout with multiple IPs?
@charlesnathansmith 7 days ago
He's routing traffic through another HTB box he'd already solved to avoid a reset since they're on the same VPN anyway.
@lumenknotty6355 1 year ago
At 24:49 what hotkey is pressed to code the right format? - It is Ctrl-U
@Abhijitkamath14 1 year ago
Why did the local port forwarding work... is it because the nineveh machine has connectivity to nibbles? Is it possible to do the same thing using another local machine?
@Fiji_water_man 6 years ago
nice, can't wait for nightmare
@cxdva8635 1 year ago
Hi, this one was pretty easy. Other than the password everything went smooth, maybe ten minutes to complete if I knew the password? However, I've been trying to find a way to bruteforce the password with hydra but I couldn't find any way. Is there actually a way to find a password in this kind of scenario?
@deltajee7_org 3 years ago
They've put this in the latest getting started module on the academy.. lol the 'they' is you because you were in the credits.. I dunno why I'm saying this.. but yeah great module... I'm just a beginner.. that module cleared a lot of ideas..
@luizfzs 6 years ago
It would be awesome to have a video of you approaching an unknown box so we could understand all of your reasoning.
@ippsec 6 years ago
I believe I had completed nibbles in under 10 minutes. I cover a lot more things in the video than I would if doing it live. Also after pretty much tearing apart one ctf box a week for a year straight, it's likely that a lot of my path won't make sense because I'll already know some weird trick the author wanted to put in the box. I've thought about streaming VulnHub but would need to block out a 2-3 hour chunk of time predictably to be successful there. I'd rather just spend the time studying and creating a different non-ctf video series.
@TheKyodaija 5 years ago
IppSec non-ctf would be good
@bugr33d0_hunter8 5 years ago
Yeah I take tons of notes when I don't understand a new term you use and research it. I really appreciate you explaining further on your videos. I figured as much considering the amount of genius level information you have stored in that beautiful mind of yours. Do you take donations? If so where could I send it, because you taking the extra time to help out the InfoSec community is tremendously awe-inspiring. We can't thank you enough.
@ippsec 5 years ago
Thanks for the kind words, just pay it forward when you can. Videos are as much for me as everyone else. Unfortunately, I don't accept donations but appreciate the offer. Luckily for me a one time donation wouldn't really have any impact on my life so it's hard to be as grateful as I should be. That being said it would be pretty awesome to hear about someone helping out a charity local to them. For example sending food to a no-kill animal shelter.
@bugr33d0_hunter8 5 years ago
IppSec _/ alright my brother. Will do, will do.
@dannythomsen 6 years ago
Oh there is a CVE for the image upload thing. I ended up reading the sources for the upload function and quickly spotted the vulnerability. It works because the code checks the image _after_ it has been moved into the web dir, where it throws an error and leaves the file without deleting it.
@MatheusCopyright 6 years ago
Why does sudo check the hostname/ip?
@ippsec 6 years ago
You can specify a hostname in the /etc/sudoers file, so the entry is only valid on that host. Was useful before the days of DevOps, because you could just have one file across all servers and be relatively secure.
@mbrkic01 5 years ago
SSH tunnel was used on potion :)
@noizedub80 4 years ago
This was my first box, did many different things but still got root :) !
@gunslingerfourtysix 6 years ago
Keep them coming IppSec ✌️
@PhotoSlash 6 years ago
no way, I was trying to do this machine 10 mins ago, damn it.. lol
@pentestical 4 years ago
Keep in mind: The box names on HTB have special meanings. In this case, nibbles is also the password - lol
@TaelurAlexis 11 months ago
Snitchingggg lol
@guestguest5450 6 years ago
Thank You @IppSec ;) - deleting empty lines in Vi -> :g/^$/d OR you can use "Copy to file" in Burp ;)
@guestguest5450 6 years ago
You can also make an alias for this command -> :command Lines :g/^$/d. After this you can call :Lines
@skylarmcdermott2020 6 years ago
It took sooo long for me to get user cuz I couldn't find the admin credz
@o3tg2w35t 3 years ago
Same. Small problem, big impact!
@ahmedabdullah5274 1 year ago
Thanks
@automata8973 5 years ago
I wandered through open directories and found image.php which was somebody else's shell with a GUI. Used that to get user. Lol !
@spaffhazz 3 years ago
I hate using vi. The enter doesn't work and I keep getting weird strings of characters when I hit esc or insert. Can anyone help me with this?
@ippsec 3 years ago
Install VIM.
@spaffhazz 3 years ago
@@ippsec what if the user can't use apt?
@sand3epyadav 3 years ago
Nice ippsec sr
@paulojr1384 2 years ago
thanks
@traderH 3 months ago
Why don't you wanna use metasploit?
@cybertools8560 2 years ago
IppSec: "this is a really easy box" 14 minutes later: gets locked out.
@jawadsher1062 1 year ago
🤔🤔 awesome. What's the best way to create a methodology like you? Seriously awesome and so fast
@ronak3600 5 years ago
Ippsec master teach me your way
@privateger 6 years ago
Hm, I found the username by guessing.
@bluehawk1860 6 years ago
password nibbles WTF ?
@garrettweber4589 5 years ago
Make sure you spell monitor.sh right as well as have it in the dir /home/nibbler/personal/stuff$
@teleton11 4 years ago
This might be something that changed, but how are you executing that other shell file, if only "monitor.sh" can actually run without being root?
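To make the two sudoers points in this thread concrete (host-scoped entries as IppSec describes above, and the "bad sudo rule" on monitor.sh that the walkthrough uses for privesc), here is a constructed sudoers fragment. It is an added illustration, not the box's real /etc/sudoers; the hostnames, the second path and the rule shape are assumptions.

```sudoers
# Constructed example, not the actual sudoers file from the Nibbles box.

# A Host_Alias lets one sudoers file be shared across many servers: each
# entry below only applies where the local hostname matches. sudo has to
# resolve the host to evaluate this, which is why a slow hostname lookup
# can make "sudo -l" take a long time to return (hostnames assumed).
Host_Alias  WEBSERVERS = nibbles, web02

# Weak: root may run, without a password, a script that lives inside the
# user's own home directory. Whoever owns that directory controls what the
# script does, so this entry is effectively root for nibbler.
nibbler  WEBSERVERS = (root) NOPASSWD: /home/nibbler/personal/stuff/monitor.sh

# Safer: the same task, but the script is root-owned and not writable by
# the calling user (e.g. chown root:root and chmod 755 under /usr/local/sbin,
# an assumed location), and the rule names only that exact path.
nibbler  WEBSERVERS = (root) NOPASSWD: /usr/local/sbin/monitor.sh
```

Run `visudo -c` against the file before installing it; a syntax error in sudoers can lock everyone out of sudo.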
@paired7815 5 years ago
password nibbles ?..oops
@skylarmcdermott2020 5 years ago
The day I owned root this machine got retired😥😥
@SuperMarkusparkus 6 years ago
If you would not have guessed the right password directly, you could have used x-forwarded-for to switch to a new ip for each login attempt. See github.com/cloudfoundry/gorouter/issues/179 www.dzonerzy.net/post/nibble-blog-ip-spoofing-attack
@ippsec 6 years ago
Nice Catch! Didn't even think to check for that type of attack.
@caspardghost204 3 years ago
Nibble
@Blu3W4r10Ck 3 years ago
Tutorial: Just guess the admin password lol
@rickjames3034 3 years ago
h4x0r3
@deltajee7_org 3 years ago
@@rickjames3034 think again... It's right in front
@shakirali3647 6 years ago
How about a face reveal video ?
@ippsec 6 years ago
I don't believe that will happen. I'd prefer not to be recognized when I go to conferences.
@latinjeditrix 5 years ago
so instead you let a confused Ray Romano get harassed by infosec nerds XD
@guillaumeentournee 1 day ago
Baffled by how this is an "easy" machine and basically you have five tries to GUESS a password... wth.
@lumenknotty6355 1 year ago
Password is "nibbles"
@MahdiMassarewa 6 years ago
I owned it in a different way 0.O
@SNDGHELPFUL 6 years ago
How ?
@rj-nj3uk 5 years ago
Calm down. Too fast for my brain.
@Philbertsroom 5 years ago
Please no guessing passwords, that's dumb af. Either there is a way or there isn't... guessing shouldn't be part of a box.
@kalidsherefuddin 1 year ago
Thanks