HackTheBox - Buff

Views: 56,743

IppSec

A day ago

00:00 - Introduction
00:45 - Beginning of nmap and poking at the website
03:00 - Checking when an image was uploaded to the server with wget and exiftool
04:10 - Contact.php discloses that Gym Management Software is in use. Examining the exploit
06:10 - Editing the Python exploit to force everything through a proxy, so we can examine what the exploit does
08:30 - Running the exploit and examining in Burp
14:20 - Having trouble getting a reverse shell via PS, Uploading NC.EXE to do it
17:10 - Running WinPEAS.exe
21:00 - Discovering CloudMe in the Downloads directory then looking at the exploit
23:20 - CloudMe isn't listening on a port... Reverting and getting a shell again
25:30 - Reverse shell returned... Still waiting for CloudMe to listen on a port
27:27 - Uploading Chisel to the box, then doing a port forward for MySQL to enumerate the database
31:00 - Finding MySQL Credentials in db.php, then checking the database from our box thanks to Chisel
34:30 - Replacing the payload in the CloudMe exploit with a reverse shell
37:20 - Running the exploit and getting root

Comments: 60
@bobcooke90 3 years ago
Great walk-through as always! Stoked to see you walking through my exploit. Your videos were my lifeline to passing the OSCP and getting into pentesting!
@Slickjitz 3 years ago
Awesome! How much experience do you have in exploit development?
@bobcooke90 3 years ago
@Slickjitz some? You can check out my work on edb or packetstormsecurity. Just search for author boku
@lloyd-wright 3 years ago
@bobcooke90 as in the BOKU that made the script for this box?
@Ms.Robot. 3 years ago
Very clear to understand. Well explained and educational. You are worth every dollar you receive, and more.
@skandamahesh9974 3 years ago
This box was super duper cool for me as a beginner, it was the first box I did on my own.. it took me a couple of days to do it but man it was fun. Thanks ippsec for all the cool videos 😁
@kret63 3 years ago
You made it look so easy while it took me around 4h with the help of a writeup...
@allenxd 3 years ago
didn't manage to root this one. thanks for the walkthrough ippsec!
@NatureMagicsNew 3 years ago
Great, thanks father of HackTheBox
@Erikpfank 3 years ago
Lots of issues with this box for me as well, with slowdowns and services not running when they should be. Overall a good learning experience though!
@saulernesto4832 3 years ago
Great, thanks! Regards from Mexico
@martinflores9611 3 years ago
This was the first machine I completed and I had to watch a video to get system
@NetworkITguy 3 years ago
The big issue with this box was that the program you had to start and the exploit you had to run through the reverse tunnel had to be done instantly. Otherwise the program would just crash by itself. It took me three days to finally figure it out.
@paprika5487 3 years ago
Getting root was hell with all the other users hammering the cloudme service with malformed payloads. If it's any consolation, I learned so many different ways of trying to run the exploit. It was nice seeing how you attempted to handle it.
@grandmakisses9973 3 years ago
Curl is an alias for Invoke-WebRequest
@cybermavia6023 3 years ago
Hey, you the best ever seen on the planet.
@plugandplayreviews 3 years ago
IPPSec Rocks!!
@KartikSharma-qx9qo 3 years ago
Where did you learn all the techniques? How and when to use which tools. Really want to know. Would someone help me with this?
@Hellfire0x01 3 years ago
Thank you so much sir, with this simple walkthrough I'm able to get the root flag which I was stuck on how to get, and not to mention that I love this video and my deep respects for you. Once again, thank you sir.
@emanueloliveirasilva8406 3 years ago
Hello man, you are awesome!! I'm from Brazil 🇧🇷
@Ragab0t 3 years ago
Great video, QQ, did you miss recording the part where traffic on port 8888 gets tunneled thru chisel? I rewound a couple of times and I couldn't find it.
@heyserge 3 years ago
He did it at 29:15
@rakana4554 3 years ago
The part about port 3306/mysql (starting at around 27:30), why couldn't we just do "nc.exe localhost 3306" on the box instead of doing port forwarding and accessing it from our own machine?
@malikkkk2679 3 years ago
because it would be a real pain to use netcat for accessing the db. it's way simpler using the mysql cli client
@majr_215 3 years ago
For Nmap, why not just -A instead of -sC -sV?
@christianv258 3 years ago
He said before that he wants people to hear what each flag does. Hence he mentions what each flag does.
@famed3777 3 years ago
I need help with this box, I have been constantly trying it for 5 days
@ssejjengoisaac5144 3 years ago
Did this box but had the same issue with port 8888, regards from Uganda, Africa
@magnfiyerlmoro3301 3 years ago
At 27 you did not say why you needed chisel, please explain, thanks
@heyserge 3 years ago
Chisel is a tunnel. Ipp tunnels the two ports (3306 and 8888) that are available on the remote box to his own machine. That means that instead of having to connect to these ports via the remote machine, you can now just connect to them "locally". Under the hood, you would still connect with the remote box, but you wouldn't have to worry about that because the ssh tunnel will take care of it.
@Rac00n 3 years ago
Hello. Thanks for doing this.
@Jake-km7wp 3 years ago
hey @ippsec, this may be a silly question. But how did you know to use python3 to run the cloud me exploit? Is there a clear indication of why that needs to be run, rather than just normal './' or 'python'? (it did work for me when using python3)
@soufiane4527 3 years ago
At the end of the script you can see print(), which is only on python3
@BooBooHaHa 11 months ago
Please help! How, how should I know to find the CloudMe_1112 file and understand that this is an attack vector????
@MASAbirokou 2 years ago
We specify "-a x86" for msfvenom though the target system is an x64-based PC!? But it's right. I tried various exploits and payloads without "-a x86" and all of them failed. That's strange😑
@josephseed3393 2 years ago
both x86 payloads and x64 payloads will normally work on an x64 machine, but on x86, only x86 will work
@albertobarbieri8280 1 year ago
I did the exact same steps but I just can't get a ROOT shell.. I just don't get the connection back. I checked like 10 times if everything is correct. I still don't get a shell back.. wonder why this box has like 12k user flags and just 8k root flags.. That looks like it's bugged
@Temeturs 9 months ago
Half of this doesn't work on Hack the Box Pwnbox. We can't even do the gobuster command because no file exists.
@madhavareddy3937 3 years ago
If you don't mind, you recorded it on Tuesday and still released this late compared to other videos, looks like someone told you to release late!!!!
@ippsec 3 years ago
I simply just forgot to schedule it when I uploaded it to KZbin.
@madhavareddy3937 3 years ago
@ippsec got it and thanks for the content as always, first I thought you did it late because you said you are moving to a new office, looking forward to seeing Rope Two
@locacbndwar5555 1 year ago
I can't find this machine
@zaidakhtar7954 3 years ago
what is this?
@dominikcicea 5 days ago
This box is a fkin nightmare, horrible
@famed3777 3 years ago
Just leave it, I figured it out. The trick is to reset the machine and then work within a few minutes; make sure you have everything ready
@spoopymayers2224 3 years ago
Hello, can you make apt???
@crafterzman5277 3 years ago
APT is not retired yet. Once APT is retired he will do it.
@spoopymayers2224 3 years ago
@crafterzman5277 oh yeah, forgot it
@trevorkeller3965 3 years ago
Not first
@dxsp1d3r 3 years ago
Yeah this box was pathetic on free servers, it took me 2 weeks to get root even though I knew what had to be done!!!
@devbidesmega1662 3 years ago
Hey man you are late today whyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyy
@thochan5188 3 years ago
if you want God to forgive you don't comment here, just go to the church and pray.