HackTheBox - Love

Views: 23,950

IppSec

A day ago

00:00 - Intro
01:02 - Running nmap against all ports
04:55 - Attempting to enumerate the initial web page (Voting System)
08:00 - Nmap finished, checking staging.love.htb from the SSL Certificate
10:05 - Finding an SSRF Vulnerability in the file scanner
12:30 - Having trouble using WFUZZ to fuzz all ports
17:45 - Switching to FFUF and still having trouble fuzzing all ports
24:30 - Fuzzing takes too long, trying ports from nmap to see if any page is restricted by IP and finding creds
29:45 - Attempting to use an exploit script for Voting System (More at end of video)
39:40 - Enough with the exploit script, manually exploiting the application with an image upload
43:43 - Using Nishang to get a reverse shell, then running WinPEAS
52:30 - Seeing AlwaysInstallElevated is set on the system, using msfvenom to build an msi
54:45 - Box Done - Going back to the exploit script and getting it working

Comments: 59
@PierreMandrou 3 years ago
I'm feeling so nostalgic watching your video. The first time I watched your KZbin channel, I was a software engineer dreaming about knowing how to pwn boxes. One year later, I have my OSCP and currently work as a professional pentester. Thank you a lot for this amazing content; you have no idea how many of us consider you our "hack daddy" 😂!
@samsepi0l227 2 years ago
Congratulations, man.
@buhaytza2005 3 years ago
13:30 Does anyone else just scream "file!!! Not fule!!" at their screen? My wife asked me who I am arguing with 🤣🤣
@buhaytza2005 3 years ago
20:12 cursor was right there!!!
@djjoaosarmento 3 years ago
ippsec and his tunnel vision :D
@ippsec 3 years ago
Thankfully that's not the issue hahaha
@buhaytza2005 3 years ago
@ippsec still… the OCD kills me. Further down the road: cookes 🤣🤣 Great content though; troubleshooting an exploit is hard for us script kiddies, and you doing it live helps expand the mind map. Not just inserting print statements, but showing us how a more functional exploit could be built on the back of what you found on searchsploit. BTW, ever thought of doing what John Hammond did and doing a bit of reverse engineering on a video for the Kaseya ransomware code? With the level of detail you showcase, it should be interesting to follow the thought process 🤷‍♂️ As everyone else has said: thank you for the content. I was itching for your video, even after a bike (motorcycle) ride, as I am still struggling with the damn Writer box 😡
@buhaytza2005 3 years ago
@djjoaosarmento tbh it just shows that our insecurities are warranted. That's why I am not fast. I check every command twice before hitting enter; most of the time it still doesn't yield the desired result because I got the wrong exploit, but at least I know it's not because of a typo.
@ramiahmed312 3 years ago
You know, by putting both your time & effort into making such content, you will be forever in our hearts…. Keep it up, champ.
@sheerazali2395 3 years ago
Thanks, I had fun making the box.
@chrisrice8836 3 years ago
I always feel like a Fule when I notice I have a typo in a command....
@uppilibadri2170 3 years ago
Thank you for all the good content! Stay safe and well!
@_tartofraise 3 years ago
I love your videos, man, keep up the good work ;)
@124BHP 3 years ago
Awesome video. I have stopped wasting my time on social media and started watching your videos. You are awesome.
@julianopl 3 years ago
The end of the video, debugging the exploit, is just awesome! I mean, how many of us stop after rooting the box to understand what could've been done differently? Where did it fail and why? Where did it work and why? These extra steps are what almost everyone misses when trying to get better in this cyber sec world... KUDOS as always, Ippsec... just love your videos, it really teaches me tons!!!
@thepioneer517 3 years ago
IppSec, you have been my teacher since I started with HTB! Thank you for all your videos.
@richardjones9598 2 years ago
Thanks for all your content and tips, will definitely keep your words in mind for next time.
@aryan7tiwary 3 years ago
You can use the tr (translate) command for getting the ports on one line: tr " " ","
@engray685 3 years ago
3:21 This is the syntax: sed -z 's/ /\,/g' You have to specify the -z flag.
@yamunaudayanthi3266 3 years ago
Super video...❤️❤️🤟
@ChristopherPelnar 2 years ago
I mentioned you in my AWS interview for a position on their Red Team. They knew who you were and asked me what I found so interesting about your videos. I told them your videos are like plugging into the Matrix and downloading vast amounts of information in a small amount of time.
@ippsec 2 years ago
Awesome, great to hear! Hope you get the job!
@salluc1712 3 years ago
Thank you so much ❤️
@ibnsaltus 3 years ago
I think when using the 2to3 program, it shows the changes that should be applied to convert it to py3 but doesn't actually write anything to the file; there's a flag that I can't remember that you need to supply in order to actually write the changes.
@flawlesscode6471 3 years ago
You could use rustscan to speed up your nmap enumeration.
@DjZyklon 3 years ago
I think your idea of returning something from functions is just healthy programming. I can't imagine how painful it is debugging scripts that don't do that at scale.
@rafaelfonseca6163 3 years ago
Great video! I got a foothold in a different way. I noticed there was a SQLi in the login form, then I used sqlmap to spawn a shell. To get the complete location of the website in the file system, I had to generate an error in the login form.
@somebodystealsmyname 3 years ago
I guess the video is old? I did the box the day before it was retired, and on 06/05/2021 a new exploit (EDB 49843) was published that lets you bypass the admin authentication for the voting system. But this also means that you miss the SSRF completely.
@aminhatami3928 3 years ago
Respect.
@MASAbirokou 2 years ago
What I learned from this video is the phrase _"speak of the devil"_
@raj77in 3 years ago
Nice one. BTW, for removing newlines you can use tr.
@y784y 3 years ago
Ty🙃
@stefanosbek 3 years ago
Could someone please explain why we fuzzed those ports using the file scanner request, and the significance of port 5000?
@deepb5204 3 years ago
Look up SSRF vulnerability. Nothing special about port 5000; it's just serving an HTTP webpage, but port 5000 is forbidden, except when the connection is from the internal network (that'd be SSRF).
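A defender's counterpart to the behaviour discussed in this thread, added here as an example and not code from the video or the box: a destination check that a file-scanner style fetcher can apply before it contacts a user-supplied URL, so that a request the web server makes on a visitor's behalf cannot reach loopback or private-range services (such as the internal-only port 5000 above). The function names, the allowed schemes and the test addresses are my own assumptions.

```python
import ipaddress
import socket
from urllib.parse import urlsplit

# Hypothetical helper (not from the page): decide whether a URL handed to a
# server-side fetcher points somewhere the server should be willing to reach.
# Anything resolving to loopback, link-local, RFC1918 or other reserved space
# is refused before a single byte is sent, which is the control that an
# "internal-only" service on port 5000 relies on being enforced.

ALLOWED_SCHEMES = {"http", "https"}


def resolve_targets(host):
    """Return the set of IP addresses a hostname resolves to.

    IP literals are returned as-is, so the check also works offline.
    """
    try:
        return {ipaddress.ip_address(host)}
    except ValueError:
        pass
    addrs = set()
    for _family, _type, _proto, _canon, sockaddr in socket.getaddrinfo(host, None):
        addrs.add(ipaddress.ip_address(sockaddr[0]))
    return addrs


def is_safe_target(url):
    """True only if the scheme is allowed and every resolved address is
    globally routable. A DNS answer that mixes one public and one private
    record is rejected, because all() must hold for the whole set."""
    parts = urlsplit(url)
    if parts.scheme not in ALLOWED_SCHEMES or not parts.hostname:
        return False
    try:
        targets = resolve_targets(parts.hostname)
    except socket.gaierror:
        # Unresolvable hosts are refused rather than retried later.
        return False
    return all(addr.is_global for addr in targets)
```

Resolving and then fetching separately leaves a rebinding window, so the real request should be made to the address that passed the check (pinning the connection) rather than re-resolving the hostname.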
@MrJCollector 3 years ago
Hi IppSec and guys, I am running into some issues while running WinPEAS (basically on Windows). Just like you mentioned at 46:56, what are some other methods of executing it?
@cadenfore8298 3 years ago
What's the error or issue you are having?
@Dave-ll2fm 2 years ago
Any idea why we can't execute msi files while connected via winrm? I found Phoebe's password in the web server config files and connected via winrm. I spent forever trying to execute an msi file while connected via winrm, but it would not work.
@hidayatbachtar 2 years ago
53:58 Why use an MSI? Is it because AlwaysInstallElevated automatically uses System/administrator to install MSIs?
@LoayMatar 2 years ago
Living-off-the-land.
@ul7987 2 years ago
Not sure why `cme` doesn't work like yours.
@TheErixcode 2 years ago
Scan+Fule?
@simplaysgames1967 3 years ago
A solution to your Googling problem: instead of going to google.com each time, you can press the down button on your keyboard, or click the Google icon and it will search in Google. Or you can start the searches with @Google. Hope this helps a little.
@marsanmarsipan 3 years ago
He has another week to fix his Google search; guess he doesn't have the time though. I think using scripts on the user exploit was a long journey in my eyes; the easiest thing here was just to upload a script manually imo. I didn't catch the root esc, so just user for me on this one :/
@SweatSculptSucceed 3 years ago
Could you have uploaded the magic bytes to an image and then uploaded a reverse shell that way?
@luoc3415 3 years ago
File, not Fule
@retro4848 3 years ago
Lmao, our legend still hasn't fixed his Google search. Keep us waiting, huh?
@aniketkokate20 3 years ago
First view!!
@nikolausseverson4537 A year ago
Fuff faster your Fules.
@elfinpok 3 years ago
ok
@boogieman97 3 years ago
The exploit uses a session.post; setting a proxy with a session is slightly different than with requests.post. That's why it didn't work. Really like your videos, but sometimes you are a bit hasty and impatient.
@nnawaff 2 years ago
/votingsystem/ == /
@potatoonastick2239 3 years ago
>still hasn't fixed his google
@sakisekiz 3 years ago
ippsec when I broke up with my girlfriend.