HackTheBox - Seal

  24,308 views

IppSec

A day ago

00:00 - Intro
01:00 - Start of nmap
03:25 - Browsing to the website and doing some light fuzzing
06:10 - Adding the uri_hex (url encoder) to our wfuzz to fuzz special characters
07:55 - Taking a look at port 8080, discovering gitbucket and registering an account
09:20 - Exploring the infra repository on gitbucket, going over its Ansible Scripts
12:30 - Taking a look at the Seal Market Repository and discovering NGINX has mutual auth configured
14:00 - Discovering tomcat credentials in a previous commit
15:45 - Going over an Orange Tsai SSRF Talk from 2018, showing the Tomcat SSRF when behind NGINX
17:00 - Testing the SSRF Exploit to discover we can hit protected pages
18:00 - Logging into tomcat, then showing another SSRF
19:25 - Using MSFVenom to generate a malicious war file to exploit tomcat
21:00 - Reverse shell returned, uploading pspy to discover a cron running a playbook
23:00 - Going over the playbook to show how we can exploit this playbook to copy an ssh private key with a symlink
26:00 - Creating the symlink to extract the SSH Key
28:30 - SSH in with Luis, discovering we can run ansible with sudo, then creating a malicious playbook to run a reverse shell

Comments: 35
@velomeister 2 years ago
The fact that I didn't think of checking file versions in a git repo got me a little mad hahahahaha. Great vid as always!
@ilimanjf 2 years ago
Thanks for this video! I really appreciate that you take the time to explain what you're doing.
@jack23907 2 years ago
Wonderful Ippsec, Wonderful :)
@syddemoney3214 2 years ago
Thank you! It's my first time to hack in HTB. I learn a lot!
@samu5167 2 years ago
dude just speedran that :D I'm a big fan of yours, really hope I would be as experienced as you some day :)
@wkppp4732 2 years ago
Thanks for the vids!
@TechSolutionHindi 2 years ago
Hey IPP, how did you find that tomcat was vulnerable to SSRF, please explain ...
@ippsec 2 years ago
I think I said it in the video, but it's common when nginx is in front of tomcat. We saw nginx was there from nmap (the server header).
@SamNetw0rk 2 years ago
🔥🔥 awesome, thanks for interesting content
@uppilibadri2170 2 years ago
Hey Ipp! Any extra content anytime soon 😅 Your videos are a real treasure!
@damnmayneunfiltered 2 years ago
good artwork
@marsanmarsipan 2 years ago
Great vid. And as always the foothold is the hardest part. I didn't even find the manager password on this one :P
@faresamara7528 2 years ago
FKN GREAT!
@stant605 2 years ago
Is there any way I can support you? The patreon link in your profile doesn't seem to have a page where I can subscribe to you. I have been learning so much from your videos!
@ippsec 2 years ago
Hey - Just spreading the word about my channel is more than enough. I stopped patreon when the pandemic started and don't really have a plan to bring it back right now.
@newton4098 2 years ago
Holy shit you are good, I cannot do more than 25% of this. Trying but feel like I'll never get it. But now I must watch every one of your videoz. Thanks! You are beast asf.
@newton4098 2 years ago
Oh, and I subbed.
@DaniSpeh 2 years ago
@@newton4098 You will if you want. But yes, watch all the videos, subscribe, get out the word. He deserves it. There are 3 itsec content creators worth the time and ippsec is the best. Close second and third are John Hammond (more content please) and hackersploit. If ippsec were Santa I would wish even more content from him, especially in depth stuff not necessarily linked to HTB CTFs.
@DaniSpeh 2 years ago
@@matheusespindola4971 Have to look up s4vitar, didn't see anything from him yet, ty
@1337shadow 2 years ago
What linux distro are you using?
@GG-bv4ou 2 years ago
Hey, how do I make my terminal prompt the same as yours? - The [hostname]-[address]-[user@host]-[directory]-[*]$
@MrMeLaX 2 years ago
Seems to be default parrot terminal no?
@arunkrishna1854 2 years ago
Replace your default "bashrc" with parrot's "bashrc"
@samu5167 2 years ago
I think he's using the htb pwnbox, which automatically makes your shell look like that
@JoPraveen 2 years ago
thumbnail😂😼
@nios1515 2 years ago
How can I support the channel?
@Oglerk 2 years ago
He has a Patreon in his about section on his KZfaq
@maoropizzagalli4153 2 years ago
Gg's ipp! I tried hard but could not even find the foothold part. Need to work on my google searching skills
@dietodo21 2 years ago
Bro, I am a beginner, I don't know anything about hacking. Where should I start and what should I learn to start in Hack The Box?
@dietodo21 2 years ago
Bro, please reply to me
@dietodo21 2 years ago
🥺🥺
@kikaelephant 2 years ago
start with google
@dietodo21 2 years ago
@@kikaelephant can you please tell me what all should I learn
@lenon406 2 years ago
.
@mrmathmonkey9582 2 years ago
first :D