HackTheBox - Trick

27,505 views

IppSec

a day ago

00:00 - Introduction
01:00 - Start of nmap
02:30 - Poking at the DNS Server and discovering its hostname when querying itself
03:00 - Using dig to show the reverse lookup as well, then perform a zone transfer with axfr
04:30 - Just showing dnsrecon to bruteforce a range of IPs, not really relevant to this but figured I'd show it
06:00 - Poking at the website and logging into the website
07:30 - Finding an LFI that allows us to disclose PHP Source code, can't do much else because it appends .php to our string
12:15 - Using SQLMap with the login to extract files
14:20 - SQLMap only found time injection, changing the levels and specifying the techniques which allows it to find a quicker method
16:45 - Having SQLMap extract the nginx configuration and discovering another subdomain
19:10 - Checking out the new domain preprod-marketing.trick.htb, discovering an LFI but this time the extension is in the URL!
21:30 - Going over the source code of the LFI to show why this was vulnerable: the ../ strip was not recursive
24:00 - Using the LFI to discover the user we are running as, then extracting an SSH Key
25:30 - Showing another way to weaponize this LFI, poisoning the nginx access log
27:15 - Showing yet another way to weaponize the LFI with sending email to the user, then accessing it with the LFI
29:40 - Shell on the box, checking Sudo then using find to see files owned by my user/group and seeing I can write fail2ban rules
36:10 - Editing iptables-multiport.conf to execute a file instead of banning a user and getting root
37:30 - Showing an alternate way to discover preprod-marketing, using a creative sub domain bruteforce with ffuf
39:45 - Checking out why we couldn't read the environ file, turns out it was owned by root and only root readable.
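As an added example (not code from the video or from the box itself), the flaw described at 21:30, a single-pass "../" strip, placed beside the containment check a hardened include should perform; the temporary directory layout and file names are constructed for the demo.

```php
<?php
// Added example (not the video's or the box's own source): a single-pass
// "../" strip beside a containment check on the resolved path. Paths and
// file names below are constructed for the demo.

// Weak filter: str_replace() removes "../" in one pass, so input that only
// becomes "../" after the first removal passes through in effect unchanged.
function weakSanitize(string $userPath): string {
    return str_replace('../', '', $userPath);
}

// Hardened resolver: canonicalise with realpath() and accept the result
// only if it remains under the allowed base directory.
function safeResolve(string $baseDir, string $userPath): ?string {
    $base = realpath($baseDir);
    $candidate = realpath($baseDir . DIRECTORY_SEPARATOR . $userPath);
    if ($base === false || $candidate === false) {
        return null; // file missing or path unresolvable
    }
    // Compare against "<base>/" so a sibling such as /var/www2 is rejected.
    $prefix = $base . DIRECTORY_SEPARATOR;
    if (strncmp($candidate, $prefix, strlen($prefix)) !== 0) {
        return null; // resolved outside the base directory
    }
    return $candidate;
}

// Demo layout in a temporary directory so the script runs anywhere.
$base = sys_get_temp_dir() . '/lfi-demo-' . getmypid();
mkdir("$base/pages", 0700, true);
file_put_contents("$base/pages/home.html", "home page\n");
file_put_contents("$base/secret.txt", "outside the web root\n");

foreach (['home.html', '../secret.txt', '....//secret.txt'] as $in) {
    $weak = "$base/pages/" . weakSanitize($in);
    printf("%-18s weak filter: %s\n", $in, is_file($weak) ? "reads $weak" : 'blocked');
    printf("%-18s safeResolve: %s\n", $in, safeResolve("$base/pages", $in) ?? 'blocked');
}

// Remove the demo files.
unlink("$base/pages/home.html");
unlink("$base/secret.txt");
rmdir("$base/pages");
rmdir($base);
```

The weak filter turns the third input into a working "../" after one pass, while the realpath-based check rejects both traversal attempts and still serves the legitimate page.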

Comments: 38
@adityatelange (a year ago)
3:46 AXFR is Asynchronous Transfer Full Range.
@DanielEhlmann (a year ago)
I’m only now getting deep into pentesting and offensive security after some years of managing teams of cybersecurity and IT personnel, and it really feels like I’m unlocking a whole new side of cybersecurity that’s been veiled from my eyes. It’s great. Excellent content.
@ianmusyoka9717 (a year ago)
There was another way of getting a shell using that login, which is SQL injectable, and INTO OUTFILE to drop a shell and execute using LFI... The shell will be www-data, but to escalate to the user you dig through the nginx config file and find that other subdomain. Nice walkthrough!!! The SMTP route totally didn't cross my mind.
@hackersworld2974 (a year ago)
Teach me, I'm a noob.
@SakayaNagii (a year ago)
Ippsec = 🧠++
@theSoloMimic (a year ago)
Great to see the sqlmap things. I didn’t know any of that. The speed ups you used for it were excellent to learn. So thank you.
@DeadAksRab (a year ago)
Awesome. I did the box but was waiting for this video and yup, I learnt 3 new things again. Brilliant. Thanks ippsec :)
@romilthakkar404 (a year ago)
Learning a lot from it. Thank you, appreciate it.
@lonelyorphan9788 (a year ago)
Another awesome video 🙂!
@damuffinman6895 (a year ago)
Ippsec, how much do you get out of doing the easy to medium boxes? Does it just help to get your methodology down, or is it too easy to have an impact?
@adonistarcio (a year ago)
I didn't think this was an easy box. But great to see how you did it
@sand3epyadav (a year ago)
Easy box
@h4gg497 (a year ago)
It doesn't use TCP just for zone transfers. Also for anything that's greater than 512 bytes. DNSSEC, IPv6 etc. increase the response size. Although servers should respond to requests for any records over TCP if TCP is used by the resolver. RFC 7766 is a good read.
@h4gg497 (a year ago)
There was also an EAR vuln on the preprod-payroll site that offered an easy alternative auth bypass. The response size on the 302 redirect to login.php gives it away.
@h4gg497 (a year ago)
You see it in the index.php code at 10:16. Missing exit; statement after the header('location:login.php').
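Added example, not the box's own index.php, illustrating the execute-after-redirect pattern described in the comment above and the body-length tell that exposes it; the session array and page text are constructed.

```php
<?php
// Added example (not the box's real index.php): why header('Location: ...')
// without exit; leaks the protected page. Session data is constructed.

// Vulnerable pattern: header() only queues a response header. Execution
// continues, so the page body is still emitted inside the 302 response.
function renderVulnerable(array $session): string {
    ob_start();
    if (empty($session['user'])) {
        header('Location: login.php');
        // missing exit; here - the code below still runs
    }
    echo "Payroll records for all staff\n";
    return ob_get_clean();
}

// Fixed pattern: stop immediately after the redirect, so an unauthenticated
// client receives a 302 with an empty body and nothing else.
function renderFixed(array $session): string {
    if (empty($session['user'])) {
        header('Location: login.php');
        return ''; // stands in for exit; so the demo script keeps running
    }
    return "Payroll records for all staff\n";
}

// Unauthenticated request against both versions: the non-zero body length
// on the redirect is the tell the comment above describes.
foreach (['renderVulnerable', 'renderFixed'] as $fn) {
    printf("%-16s 302 body length: %d\n", $fn, strlen($fn(['user' => null])));
}
```

When reviewing redirects in a proxy, a 302 to login.php whose Content-Length is far above zero is worth a look for exactly this reason.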
@celticfans1 (2 months ago)
I was wondering why the privesc doesn't seem to work by changing the actionstart instead of actionban? Seems easier by just restarting, but it's not being executed. Why?
@celticfans1 (2 months ago)
With sqlmap we had the FILE privilege, but I tried to write a file instead of read, which worked. However, I couldn't write to .ssh to try and get a shell that way. Could someone explain why this wasn't possible and we only tried reading in the video?
@InfoSecIntel (a year ago)
Hey, this is not related to this vid, but what is your favorite non-OS-specific command to test for RCE that may be blind?
@ippsec (a year ago)
Ping against a DNS Name and look for the ICMP/DNS request.
@anselmpeter (a year ago)
Awesome.. things go very fast with ippsec, thanks YT has speed control.
@DeadAksRab (a year ago)
How can the "database management system users privileges" be found manually without sqlmap?
@ippsec (a year ago)
If you go to ippsec.rocks, and search "file priv SQL", you'll find a video with time stamp answering this question
@FMisi (a year ago)
It was an interesting box to pop
@and_rotate69 (a year ago)
33:20 why didn't you just change the perms of the bash shell to be accessed by anyone with +s? Is there a downside to it? 'Cause I always use it xD
@ippsec (a year ago)
That's a bad habit to be in, as it leaves the server in a much worse state than before you got on it. Forget to change it back and bash will be a privesc for the next person, even if you fixed the vulnerability that allowed you to make it SetUID. A shell in /dev/shm will be erased upon reboot, and if you patch the thing that executed it, you need to re-exploit the application to trigger it as another user. It's just safer.
@netcatter (a year ago)
@ippsec What if you copy the /bin/bash into /tmp/bash and then modify the SUID of /tmp/bash instead? Then after escalating, delete the /tmp/bash.
@oz.3133 (a year ago)
I'm not getting the root reverse shell after pointing actionban to my reverse shell script on iptables-multiport.conf, restarting fail2ban and subsequently failing ssh. What could be going wrong?
@celticfans1 (2 months ago)
I have the same issue.
@yuyu-ce4fz (a year ago)
nice
@hackersworld2974 (a year ago)
How does he scroll so fast in copy mode in tmux??
@tg7943 (a year ago)
Push!
@S2eedGH (a year ago)
Thanks for the great walkthrough. There is a thing I don't understand clearly at 20:13. Could you please explain it one more time? How should the "include()" line look when the php filter is working on it?
@ippsec (a year ago)
In order for php filter to work, it needs to be at the start of the path to include. So if the include is include("someFolder/" + $userInput), a PHP include won't work because the folder is at the start of the path.
@tanja84dk1 (a year ago)
My first thought on why you can't see the environment in proc is prob, as you say, that nginx is running as root (tbh I haven't done the box myself), and I feel the reason the website is running as michael is probably because php-fpm is set to use/run as michael in the php-fpm pool configuration.
@sand3epyadav (a year ago)
Everything is a trick
@jamesalexander655 (a year ago)
First
@beezball38 (a year ago)
I got preprod-marketing by fuzzing. It makes the payroll domain seem like a diversion unless you figure out how to SQLmap properly, which I clearly did not. Very informative video as always.
@pranav9068 (a year ago)
Bruh, I used dig -x and it gave a weird ans.