HackTheBox - Surveillance

Views: 10,572

IppSec

1 day ago

00:00 - Introduction
01:00 - Start of nmap
02:45 - Discovering an exploit for Craft CMS; it doesn't work out of the box because of a typo on exploit-db, so we look into this exploit
06:00 - Walking through the Exploit Script
11:45 - Getting a shell on the box with the script that was on Github
14:45 - Logging into the CraftCMS Database, finding the password
17:30 - There is a backup of the database in the storage directory, which contains an old password for Matthew
22:45 - Linpeas shows us configurations for ZoneMinder, which lets us into another table of the database
25:20 - Setting a port forward so we can access ZoneMinder, then updating the password so we could login (not needed but fun to do)
29:20 - Showing an unauthenticated exploit in ZoneMinder
31:40 - The ZoneMinder user can run zoneminder scripts with sudo
33:30 - Finding a command injection in ZMUPDATE, getting shell as root
42:20 - Showing ZoneMinder lets you set the LD_PRELOAD which is another way to get root
55:50 - Showing the intended way to exploit ZoneMinder to get a shell as the ZM User, authenticated RCE

Comments: 28

@TechieGanesh, 19 days ago
Hey ipp, I just wanted to say thank you so much for making these videos.

@NatteeSetobol, 14 days ago
I totally missed getting access to Matthew and went straight to Miner using chisel and the miner exploit to get a shell. I couldn't figure out root but I could have gotten points for user T_T. I should always remember to always check the input first, like you said in this video. Nice, and thanks!

@apoc4223, 16 days ago
Makes me realize how much stuff I missed lmao. I hope you tackle Mist and Corporate too eventually, they were crazy.

@AP-rv6kk, 18 days ago
Great video! How many MH/s can you get on your kraken machine while cracking MD5 hashes?

@AUBCodeII, 3 days ago
1:06:48 we're still watching the video because we like you and you rule!

@spandexvortex1097, 18 days ago
Hey Ipp, just a question. Around 40:00, when you were trying to priv esc by setting the SUID bit on the bash binary in /tmp, I think you copied the binary as the zoneminder user. Maybe that's the reason it did not escalate to root?

@AUBCodeII, 5 days ago
That, and also because he ran "/tmp/bash -i" instead of "/tmp/bash -p".

@Progressive_Entrepreneur, 16 days ago
Around min 38, when you were trying to priv esc, why did you move the bash file? And how does using it make you root? You didn't really explain that.

@AUBCodeII, 5 days ago
He copied the Bash binary to /tmp because usually you don't want to change the permissions of the actual binary, be it during a CTF or while doing a shared box, because other competitors may piggyback on your work and get root easily, or during a pentest, because you may forget to unset the permissions. As for the second question, you can become root with Bash by running the command "bash -p". The option "-p" means to run Bash in privileged mode. However, this only works if:
1) The binary is owned by root. If it's owned by another user, say matthew, "bash -p" will start a shell as matthew. You can check who owns a file with the command "ls -lath".
2) The binary has the setuid bit set. If the binary doesn't have the setuid bit set, "bash -p" will start a shell as the same user that ran the command. You can set the setuid bit of a binary with the command "chmod u+s ".
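The two conditions the reply above spells out (setuid bit set, binary owned by root) are exactly what a defender or a box cleaner should sweep for after a session, since a setuid copy of a shell left in /tmp is a standing root backdoor. The helper below is an added example, not from the video or the comment thread; it assumes GNU find and stat (Linux) and takes the directory to scan as its only argument.

```shell
#!/bin/sh
# Added audit helper (not from the video or the comments): list files under a
# directory that carry the setuid bit, together with their owner, so a stray
# setuid copy of a shell in a world-writable place such as /tmp stands out.
# Assumes GNU find/stat as found on Linux.

audit_setuid() {
    dir="$1"
    # -perm -4000 matches any file whose setuid bit is set; -xdev keeps the
    # scan on one filesystem. stat prints "<owner> <path>" for each hit.
    find "$dir" -xdev -type f -perm -4000 -exec stat -c '%U %n' {} \; 2>/dev/null
}

# Count the hits owned by root: only those give a real root shell to "bash -p",
# which is the distinction the comment draws. A setuid file owned by anyone
# else still deserves cleanup, but it would only grant that user's identity.
count_root_setuid() {
    audit_setuid "$1" | awk '$1 == "root" { n++ } END { print n + 0 }'
}

# Typical sweep of the usual drop locations; prints nothing on a clean box:
#   for d in /tmp /var/tmp /dev/shm; do audit_setuid "$d"; done
```

Run `count_root_setuid /tmp` in a post-engagement checklist; any non-zero result is a permission you forgot to unset, which is the scenario the comment warns about.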
@zauthentiqz-_1188, 19 days ago
How do I get better at privilege escalation?

@AUBCodeII, 18 days ago
By studying lots of walkthroughs and practicing on lots of boxes. I have a privesc checklist and I update it whenever I learn of a new privesc vector. I usually learn new privesc vectors on this channel.

@pugglecorn1085, 15 days ago
With nmap you can just do -sCV and achieve the same effect as -sC -sV.

@GajendraMahat, 19 days ago
I was waiting for a long time.

@gao645, 11 days ago
I don't need to use any CVE for the zoneminder user, just exploit a misconfiguration in its web services.

@gespoL-, 18 days ago
You nailed it, man.

@dadamnmayne, 19 days ago
With HTB machines, you never see creds in environment variables; you'd think this would be a thing.

@AUBCodeII, 19 days ago
Analytics had creds in environment machines.

@dadamnmayne, 19 days ago
@AUBCodeII thanks. I'll check it out.

@tg7943, 18 days ago
Push!

@george___43, 19 days ago
😊

@sand3epyadav, 19 days ago
IppSec sir, I was doing the usage.htb box but was unable to crack it within 1 hour. I watched every video, but why? How do I get strong at penetration testing, step by step? Please reply, sir.

@vera7029, 19 days ago
HOW DO YOU EVEN PLAY HACK THE BOX

@CircularArc, 19 days ago
Yeah, tell me too.

@GajendraMahat, 19 days ago
Great video ❤❤

@Heisenberg696, 16 days ago
Use Kali just once, just once please.

@AUBCodeII, 19 days ago
SpongeIpp SecPants

@bread_girl_jane, 9 days ago
No no, it's IppBob SecPants. How did you mess that up?

@AUBCodeII, 9 days ago
@bread_girl_jane IppBob: an Ipp named Bob. SpongeIpp: a sponge named Ipp.