HackTheBox - Horizontall

  22,749 views

IppSec

A day ago

00:00 - Intro
00:57 - Start of nmap, examining the page, discovering it's all static with no user input
05:20 - Examining the source code of the website
06:20 - Running the JavaScript through a beautifier so we can easily read this, and finding another web endpoint
08:57 - Going to api-prod.horizontall.htb, running gobuster and examining the endpoints
12:00 - Navigating to /admin brings us to a STRAPI login, searching for exploits and finding an RCE
13:50 - Lightly reading the exploit script, we will go more in depth at the end of this video
15:15 - Getting a reverse shell
17:30 - Reverse shell returned, looking for how the webapp talks to the database
18:50 - Explaining why this nginx server uses proxy_pass and has a node app listening on port 1337
21:20 - Dropping an SSH Key and using SSH to access this box, no privilege escalation yet, just wanted a better shell
25:20 - Having a lot of trouble with getting data out of the MySQL Database, not exactly sure what went wrong here.
32:20 - Going over the LinPEAS Output and discovering port 8000 running laravel
33:50 - Going over why we can't see processes from other users
35:30 - Using SSH to tunnel port 8000 to our box, allowing us to access laravel, finding out laravel is in debug mode
37:52 - Finding an exploit and executing code as laravel.
41:08 - First script didn't work, looking to see if there are others. This one didn't require absolute paths, which allows it to work! Getting root
42:30 - Looks like there's some bad characters with our reverse shell, switching to a web cradle and getting root
46:00 - Explaining why this box isn't the box I wanted to show off FeroxBuster (Recursive Searching on API wouldn't work)
48:40 - Looking at the STRAPI Exploit and showing how the patch worked
56:50 - Comparing PHP Exploits

Comments: 57
@yurilsaps 2 years ago
I remember one year ago I was very beginner at hacking and said, let's watch easy videos to start, and this video made me really sad. Now one year after I didn't cry watching again
@bidkonic 2 years ago
26:41 the problem was with the "-", you should have wrapped the users-permissions_user in backticks: `users-permissions_user`
@ippsec 2 years ago
Thank you!
@and_rotate69 A year ago
I knew that the problem was in the dash but I didn't know how to solve it xD
@dhaneshsivasamy8865 2 years ago
Thanks Ippsec for this new "After Exploitation inspection" section in your recent videos. Can you also do them for AD machines in the future for better understanding of why we can enumerate null authentication, why we can list smb shares anonymously and stuff like that?
@ghsinfosec 2 years ago
Thanks for the explanation on the shell for zsh! I've seen other ways to do that, but I end up getting some weird line wrapping sometimes so I would switch to bash before setting up the listener, but I also forget to do that sometimes and have to re-establish my shell. I've learned a lot from your videos and really enjoy your approach to each box.
@Giperium 2 months ago
A very cool and detailed analysis of this car. Many people don't care how the exploit works, but just publish the vulnerability. It's nice to see in the walkthrough that there is still an analysis of why the exploit worked. I love IppSec for that. I still haven't figured out how to get into the >SSH command prompt (~L\ or ~C\), what to look for when you press "C". Maybe you need to press a hotkey?
@readysetexploit 2 years ago
At 5:31 the html source was laid out in a “horizontal” manner
@ippsec 2 years ago
Hahaha I wish I thought of that.
@020nils 2 years ago
Just managed the user flag on this one before it's getting retired. Won't have time to try for the root flag anymore today so watching this later and learning will be fun.
@huuloc8719 2 years ago
Great video as always.
@jonxslays 2 years ago
videos are dope and helpful. thanks dude.
@randomguy3784 2 years ago
Feroxbuster looks neat! 👌
@meudta293 A year ago
1h of his content is like 4y of Computer science college
@asib12 2 years ago
The first laravel exploit does work - you could guess the log file location using the information about the location of the files mentioned in the debug output on /profiles.
@DJ-rr7cj 2 years ago
Hey Ipp! Another great video. A quick way to prettify the javascript source files is F+12 > debugger tab > app.js > then click the prettify button from within the developer console. You weren't imagining the button XD it's there (just not in view page source)
@ippsec 2 years ago
Thanks! That was the piece I was missing
@ul7987 2 years ago
@ippsec I was laughing when you were like: "Maybe I'm just imagining it....." 😂
@ARIFF861 2 years ago
awesome video
@cadesummers5866 2 years ago
35:40 I have no idea how to get it to show ssh> using C. What inputs did you press? I can't get it.
@mohamedkhoulali7267 A year ago
In your running ssh session just copy ~C and paste it in your terminal. Another way you run cat command and then paste the ~C to run a command line or ~? to get more commands. Note: it should be the first in the line.
@danilopc9742 2 years ago
How long did you take to do this box prior to recording this?
@someyounggamer 2 years ago
Thank you, kind sir
@JuanBotes 2 years ago
thanks for the content \o/
@ellerionsnow3340 2 years ago
What is the thought process to look for VHOST? I wracked my head on this one trying to use dirbuster.
@sp000fy 2 years ago
When you examine the http headers for the api you missed the x-powered-by header that told you this was strapi cms. Otherwise great walkthrough as always.
@taylor8294 2 years ago
47:35
@swapnilbhosale2230 2 years ago
Thanks ippsec 😊
@rayyue4194 2 years ago
38:11 The gobuster returned "[ERROR] ... connection refused" I have the same error too and the port forwarding is terminated. Any idea why does this happen? The error messages in the port forwarding are like: "channel X: open failed: connect failed: Connection refused" "client_loop: send disconnect: Broken pipe"
@kaushikkodeeswaran9918 2 years ago
sir you have mentioned to reach the site i will have to add the IP to /etc/hosts file, directly typing IP in the url tab states "unable to reach the site" but after adding to hosts file i am able to reach, but why does this happen??
@BenB5 2 years ago
imgur.com/a/mAtT3YN If you curl the IP, you can see that we're getting a response but it's a redirect to horizontall.htb (which doesn't exist on the internet): the website wants us to access it via horizontall.htb. To remedy this, we add the IP-to-hostname mapping to our local hosts file so that when we navigate to horizontall.htb in a web browser, it's locally resolved to the correct IP.
@shedelbrecherinc.4603 A year ago
~c is not working. I cannot seem to get the port forwarding to work in any way.
@kalidsherefuddin 2 years ago
Thanks
@tyaprak 2 years ago
great vid as always. by the way, my progress stalled in htb academy since ffuf was not installed on the box. can you please check the parrot os' basic template?
@ippsec 2 years ago
Are you talking about pwnbox? If so, I can forward this to the people that do update it.
@tyaprak 2 years ago
Yes, the default pwnbox for the module doesn't have ffuf installed. Thank you for your help ippsec
@sand3epyadav 2 years ago
I am vip and always listen what's going on youtube.
@Fahodinho 2 years ago
I kinda wanna see ippsec do a room live without any prior knowledge
@ippsec 2 years ago
I used to do it with easy boxes. However now I generally help vet boxes before they get to the platform to make sure it’s enjoyable.
@yurilsaps 2 years ago
I really wanted to see how is it also, a black box testing
@damnmayneunfiltered 2 years ago
I have the worst luck with solving boxes that seem to get retired in succession.
@Hunter97424 2 years ago
I did solve this box this week, close call
@umeshb8210 2 years ago
Ippsec how your terminal is so colorful ? Looks so pleasing. Can u make a video on it. No kidding, actually really good.
@insect1285 2 years ago
It's just default terminal for ParrotOS.
@yurilsaps 2 years ago
I want to give up Kali just because of this beautiful terminal
@bech2342 2 years ago
backticks are the key 🙈
@zeroordie453 2 years ago
@ippsec I think this should work in all shells: stty raw -echo && fg
@ippsec 2 years ago
Yep, that or semicolon both work
@iconelias508 2 years ago
Are these boxes free?
@ippsec 2 years ago
All boxes while active are free... Once they retire, which means writeups and videos are allowed they remain free for 2 weeks. After that you need VIP or VIP+ to play old machines.
@0xdf 2 years ago
Before I had a VIP account, when I was just starting with hacking, I made sure to own and understand (to the best of my abilities) everything I could about each box during the two week window after retirement using walk-throughs, writeups, etc. It's a great way to learn.
@yurilsaps 2 years ago
seriously guys, what happened to the "easy" concept?? this is NOT an easy box
@ippsec 2 years ago
Easy has certainly gotten tougher, but there is starting point now that replaced what the old easy was.
@yurilsaps 2 years ago
@ippsec firstly thanks a lot for your attention, and thanks for being honest with this topic. You are a hero to many of us
@TylerRake141 2 years ago
I hate this machine so much, I have tried it a couple of times and get stuck nonetheless. I wanted to do it on my own though now I will watch IppSec's video to figure out what I did wrong
@JNET_Reloaded 2 years ago
u need to pause so we can see the screen before you execute commands especially when you change them after an error
@fenilshah9221 2 years ago
First