HackTheBox - Backdoor

Views: 75,382

IppSec


00:00 - Intro
00:50 - Start of nmap
02:10 - Starting WPSCAN
02:50 - There's no index.php in wp-content/plugins/, which lets us find a vulnerable plugin (eBook Download 1.1)
05:50 - Playing with the eBook Download LFI
07:45 - Doing a full nmap portscan
08:20 - Using the LFI to extract the process names by curling /proc and doing some cut/sed magic
10:15 - Downloading the cmdline for the first 1000 PIDs
13:00 - Using find to show us files greater than a couple bytes to show us every valid PID
14:40 - Examining the final output, discovering screen running and gdb
16:00 - Using metasploit to exploit GDB
21:50 - Reverse shell returned, playing with screen to connect to the session
24:30 - Attaching to the root session, then digging into why this worked
31:40 - Digging into wpscan to see how to make it find this

Comments: 46
@fabiorj2008 2 years ago
I'm impressed how much I can learn new things even on easy machines in ippsec videos. There is always a valuable tip that helps me a lot in my daily work.
@emtrexsecurity5882 2 years ago
Ippsec and John Hammond get me through my day
@yttos7358 2 years ago
In the mood for quality YT content and look who just uploaded ⛱️😎
@ghsinfosec 2 years ago
I really wish I could have spent more time on this box. This was awesome
@jaylal4899 7 months ago
The trick to stealing the process information to identify what was listening on port 1337 was a great technique.
@Ruiditos80 2 years ago
29:04 🐶
@ohmyavax 2 years ago
Really good video, thank you for the effort for showing us how privesc worked and for waiting 30+ minutes to show wpscan is not useless :P
@Dooom7 2 years ago
What's the point of the video?
@drd2852 2 years ago
You can use "show advanced" or just "advanced" to see the advanced options in Metasploit. Use "set DisablePayloadHandler true" to disable Metasploit's payload handler and use your own (like nc).
@tlouik 2 years ago
great work :D
@mathisabbaszadeh2433 2 years ago
great as always
@samsepi0l227 2 years ago
keep going man!
@VoidBiscuit 2 years ago
32:53 - This should be in the timestamps 😂
@argon603 1 year ago
Great video, as usual! Learned a ton, thanks. Just a quick note, the wpscan aggressive plugins enumeration can be sped up a lot by using more threads (-t flag). I've used -t 200 and got the result in less than 3 minutes. YMMV.
@kalidsherefuddin 1 year ago
The great course
@6Sambora 2 years ago
Hi Ippsec, which do you prefer as your daily laptop? Windows or Mac? 🤔
@Error-rz9re 2 years ago
🔥🔥🔥🔥
@vonniehudson 2 years ago
Yes!
@blackmine57 2 years ago
29:05 Was that a dog ? Do you have a dog ?!
@gabrielsantos19 2 years ago
👍👏👏
@Itayc3578 2 years ago
Another way to find the cmdline behind the open 1337 port instead of brute forcing could be looking in the /proc/sched_debug file (By the way I would appreciate if someone can explain more about that file to me. This file did not seem to exist on my machine and I don't understand it to a degree I'm comfortable with.)
@ippsec 2 years ago
The sched_debug won't display the port afaik. It may say GDB is running but not the arguments that started it.
@Itayc3578 2 years ago
@ippsec Yeah, I don't think it will, but it may help with intuition about interesting processes to get the cmdline of. If I recall correctly, what I did was using it and my intuition to get the cmdline of some processes, and it was a bash process so it was one of the first ones I checked, and then (in the cmdline) I found the port and connected the dots
@mikes_.5_cent 2 years ago
@ippsec can you share your bash prompt ?
@kavishkagihan9495 2 years ago
You can also use `screen -x root/root` to attach to a detached session. Format of -x is `username/session_name` I guess.
@sezarstarscourge7368 2 years ago
I wanna learn more request stuff, what box do you suggest?
@FamilyGuyClipsOfficial 2 years ago
Ippsec Rocks
@AUBCodeII 2 years ago
Ipprock 'n roll
@AUBCodeII 2 years ago
@Voldemort however he's never gonna let me down
@i_sometimes_leave_comments 2 years ago
Why do you run `sudo msfdb run` instead of just `msfconsole`?
@markgentry8675 2 years ago
It starts the database if needed and opens the console. I always do the same thing. Probably just habit.
@AndreaTosk 2 years ago
why not using xmlrpc?
@leafaravlis9705 2 years ago
Is there a tool to test API zend
@saidjonasrorov1721 2 years ago
can anyone explain how hack so easy box(i try but never could it) plz?
@taiwolateef2981 2 years ago
Please can you give me a nudge on how to get root access on meta machine.. I have been on it for some days now. Thanks in anticipation of your response.
@TAYYABKHAN-fm6wx 2 years ago
Please sir, tell me the format of the full name for HackTheBox. I want to create a new account, I'm a new user.
@sand3epyadav 2 years ago
Rockstar of hacking
@sparrowgamingl6200 2 years ago
cannot find port 1337
@declanmcardle 2 years ago
@22:30 $MANPAGER
@Geniyah_is_crazy 2 years ago
is that MacBook? cuz I see three button it have yellow green and red we have that MacBook😮😮😮😮
@y.vinitsky6452 1 year ago
It's parrotos
@cy_wareye7395 2 years ago
How did you know '/self/' to add there on URL (/proc/self/cmdline)? I don't get it. Edit: 8:30
@AUBCodeII 2 years ago
It's part of the default Linux directory structure: man7.org/linux/man-pages/man5/proc.5.html
@cy_wareye7395 2 years ago
@AUBCodeII Ah, Ty! Good to know!
@TAYYABKHAN-fm6wx 2 years ago
Please sir, tell me the format of the full name for HackTheBox. I want to create a new account, I'm a new user.