HackTheBox - AdmirerToo

15,594 views

IppSec

A day ago

00:00 - Intro
01:08 - Start of nmap, discovering a web server and a filtered port
04:15 - Discovering a hostname in the mailto link of the 404 Not Found message
05:25 - Gobuster VHOST discovery finds the subdomain db.admirer-gallery.htb, which is Adminer. Playing with the application and raw SQL commands
07:25 - Trying to write files with INTO OUTFILE, also testing the secure_file_priv default directory for MySQL, which is the most reliable
09:30 - Going to Google and finding this version of Adminer is vulnerable to an SSRF, but having trouble with this because the login for Adminer is different
11:45 - Intercepting the login request, finding a hardcoded password that doesn't really help us
13:00 - Installing Adminer in a Docker container so we can play with the application locally, which helps us understand the SSRF exploit
15:30 - Finding a Python3 HTTP server redirect example to use for our SSRF
17:00 - Performing the SSRF, which fails to extract local files
18:10 - The CSRF token is annoying; configuring Burp Suite to replace variables in our POST automatically so we don't need to intercept manually
20:00 - Having the SSRF access localhost:4242 (the filtered port from nmap), we see the OpenTSDB application; finding an exploit
21:15 - Exploit fails, it complains about an invalid metric. Googling to find the OpenTSDB API documentation and finding an endpoint to list metrics
24:30 - Updating the exploit to use the http.stats.web.hits metric and getting RCE
29:10 - Reverse shell returned
33:40 - Finding database credentials in server.php, which are also jennifer's credentials
36:00 - Enumerating Apache configuration files, discovering one web server runs as devel
39:20 - Discovering a PHP Object Injection vulnerability in OpenCats, a web application running on localhost that jennifer can log in to. We can't write to the web directory though
42:30 - Discovering devel can write to /usr/local/etc/ and fail2ban is installed, which has an RCE via whois
45:00 - Running strace on whois to discover it looks at /usr/local/etc/whois.conf
47:00 - Using phpggc to test our file write and see what the written file looks like
48:40 - Looking at an example whois configuration file
49:20 - Explaining our payload and doing some weird regex termination to get this to work
50:10 - Looking at the whois source code to see it only reads the first 512 bytes of the configuration file
52:00 - Creating the whois configuration file, which starts with ]* to terminate the regex, then puts 500 spaces to push the data appended by the exploit past what whois reads
55:30 - Creating our payload for the fail2ban whois exploit and getting root

Comments: 26

@panhavorn 2 years ago
I can say it's really enjoyable to watch your content.

@theremyyoutube5431 2 years ago
That's a fast end! Really good videos!

@j.stan8916 2 years ago
Great content. For some strange reason when I did this box, the "nc" didn't want to catch the root shell, but only "ncat" worked. I was not sure why that happened since I see you got it with "nc" from the 1st try :)

@darshanakhare6676 2 years ago
Nice Q&A on the HTB channel

@rohitsumbrui3374 2 years ago
The thing I was waiting for

@Cybergh0st_17 2 years ago
Hey, thanks for sharing this one! Will you be releasing a video about your setup of Parrot OS to look like the HTB one?

@FrancescoM- 2 years ago
Very good video

@NVTFT 2 years ago
Such a good attack chain

@StephenOgu 2 years ago
This is interesting

@The_Dark_Cats 2 years ago
I could not get the very last part to work where it should connect to me on 43 and grab the fail2ban file. I used the walk-through method with printf and after ctrl-c on my nc on port 43, it would kick my root shell back for about one minute and then disconnect me. I am trying to figure out where I messed up... I was still able to read the root flag before it kicks me. Anyway, as usual great video, it was very helpful!

@plushplush7635 2 years ago
load_file rarely works because it is disabled by default in MySQL

@GiQQ 2 years ago
That's not true.

@plushplush7635 2 years ago
@GiQQ Proof?

@g-o1882 2 years ago
@plushplush7635 My own machine called Bankrobber. You'll have to use that function, but I've never had to enable it.

@plushplush7635 2 years ago
@g-o1882 I remember that box, the only one I used it on, but MySQL or MariaDB?

@ippsec 2 years ago
It is true, by default you don't have file priv. Also AppArmor stops a lot of write locations

@Stranger-bm1bf 2 years ago
First comment. I wanna be a hacker too. Btw I am a teenager, I know how to use Kali, and I love your vids

@vulture6610 2 years ago
lol

@plushplush7635 2 years ago
Hi stranger, welcome to the hacking community, feel free to ask anything

@neunzehnvierundachtzig 2 years ago
💀

@blackmine57 2 years ago
And that is an easy box? Bruh... It was kinda easy before the whois thing...

@DeadAksRab 2 years ago
No, it's a hard box on HTB

@blackmine57 2 years ago
@DeadAksRab My bad! Sorry!

@santo.bollove 2 years ago
I realized something. If a hacker says 'cool, interesting, I love it, etc. (something along those lines)' it's probably bad for you ;)

@AUBCodeII 2 years ago
The letters of your username can be rearranged into pepsic, cpepsi, pipsec or psicep