HackTheBox - Magic

Views: 28,243

IppSec

Days ago

00:00 - Intro
00:50 - Nmap
02:40 - Starting GoBuster on the root and images
05:00 - Finding Auth Bypass via SQL Injection on login then throwing it to SQLMap
09:00 - Creating a basic PHP Shell, then attempting to upload it
12:30 - Grabbing the magic bytes off a JPG, then prepending it to our shell
16:00 - File uploaded, hunting for an LFI and doing more SQLMap
18:20 - Turns out we don't need the PHP Extension (.htaccess allows anything)
26:20 - Reverse Shell returned
27:50 - Grabbing the username and password out of Website Configuration
36:10 - Using VirusTotal to identify when a file was created
37:20 - Examining the .htaccess to see why we could execute code (should have a $ at the end)
39:30 - Using mysqldump to dump the database and get a password out of it, su to the theseus user
46:00 - Found a SetUID Binary (sysinfo) then using strace to see what it does
48:00 - Using the -f argument with strace to follow forks and see the exec() calls
51:00 - Using Path Injection since absolute paths were not used in exec() and getting a root shell
55:00 - Showing SQLMap did complete with the increased level/risk
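The handler-pattern and magic-byte points from the 12:30 and 37:20 chapters, as an added Python example (not code from the video or from the box): it shows why an Apache FilesMatch pattern without a trailing `$` also hands `shell.php.jpg` to PHP, and what a defensive upload check that validates both the name and the content looks like. The handler regex is an assumed approximation of the Ubuntu default PHP rule, not the box's actual .htaccess, and the magic-byte allowlist is constructed for the example.

```python
import re

# Assumed approximation of the Ubuntu default PHP handler rule (the box's real
# .htaccess is not reproduced here). The second pattern is the first one with
# the trailing "$" that the 37:20 chapter says was missing.
UNANCHORED_HANDLER = re.compile(r".+\.ph(ar|p|tml)")
ANCHORED_HANDLER = re.compile(r".+\.ph(ar|p|tml)$")

# Constructed allowlist: leading bytes of the image types the upload form accepts.
MAGIC = {
    "jpg": b"\xff\xd8\xff",
    "jpeg": b"\xff\xd8\xff",
    "png": b"\x89PNG\r\n\x1a\n",
}


def handled_as_php(pattern: re.Pattern, filename: str) -> bool:
    """True if an Apache <FilesMatch> with this pattern would pass the file to PHP.

    FilesMatch runs an unanchored regex search over the file name, so without a
    trailing "$" any name merely containing ".php" (shell.php.jpg) is executed.
    """
    return pattern.search(filename) is not None


def upload_is_acceptable(filename: str, data: bytes) -> bool:
    """Defensive upload check: one allowed extension, matching magic bytes, no PHP tag.

    Rejects double extensions (shell.php.jpg), non-images renamed to .jpg, and a
    genuine image with a PHP open tag appended or stored in a comment field. The
    "<?" scan is a coarse heuristic and may reject rare legitimate binaries.
    """
    parts = filename.lower().rsplit("/", 1)[-1].split(".")
    if len(parts) != 2 or parts[1] not in MAGIC:
        return False
    if not data.startswith(MAGIC[parts[1]]):
        return False
    if b"<?" in data:
        return False
    return True


if __name__ == "__main__":
    for name in ("index.php", "shell.php.jpg", "cat.jpg"):
        print(name, handled_as_php(UNANCHORED_HANDLER, name),
              handled_as_php(ANCHORED_HANDLER, name))
```

The anchored pattern alone closes the double-extension hole in the handler; serving uploads from a directory that has no PHP handler at all (or from outside the web root) removes the whole class of bug.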

Comments: 59
@InfiniteLogins 3 years ago
"that's there because of... reasons" - IppSec. I love this dude.
@il2626 3 years ago
It's the first machine I did on release day. Was really proud of being in the top 100 xD. I liked the root of this machine very much, but your video also explained to me many concepts that are behind the machine (why stuff works). Thank you for these videos, always.
@alexandrataita8331 3 years ago
@IppSec great job. I have been on your channel since I discovered it. I'm really learning a lot, from Kenya. Kudos!!!👍👌
@somethingamongthebytes9228 3 years ago
Great as always! 🔥
@AbdennacerAyeb 3 years ago
Thank you for your efforts in open-sourcing knowledge. Great job.
@archangelos7426 3 years ago
My favorite and most enjoyable box so far!!!!!
@virtulosity 3 years ago
Thanks for the vids :) - Awesome content
@mi2has 3 years ago
I saw quite a few writeups; this one is cool.
@loremipsum685 3 years ago
SetUID + path injection was nice.
@clarb027 3 years ago
Always interesting to see a different (far more technical) way of working. I just used exiftool to embed the PHP into a JPG and uploaded it to get command execution.
@dinbabush6472 3 years ago
Love it!
@disconnect3763 3 years ago
Cool. I like the theme of your terminal.
@Ms.Robot. 3 years ago
Thank you, sweetheart 💗🥳
@trashandchaos 3 years ago
You can use the -b flag on strace to specify syscalls, i.e. strace -b execve.
@picious 3 years ago
!!!! Magician !!
@brettnieman3453 3 years ago
Curious: if you had code exec through PHP, why go for a web shell first? Why not go directly to a PHP reverse shell?
@huhwhatwho7895 3 years ago
It's best to step slowly through until you get a reverse TCP shell; sometimes firewalls or routing tables are in place, so with a webshell you can step your way up. In practice it's best to leak phpinfo() first and then enumerate which PHP functions are enabled/disabled. But then again, this is a CTF machine, so it won't be difficult :D
@alvinsmith8420 1 year ago
I think the last PE would only work for something like `popen` or `execv`, which open other processes. The bash script can work under popen('div-script ...snip...'). In other, more common scenarios, bash scripts don't honour SUID for security reasons. Please correct me if I'm wrong. Thank you.
@damnmayneunfiltered 3 years ago
Hope you or some die-hard fan reads this: can we get a playlist where you go into a box blind? I would do it, but I'm not as familiar with your entire collection. When you go into a box blind, we hear the depth and breadth of your methodologies.
@ippsec 3 years ago
A lot of the easy boxes I go at blind.
@damnmayneunfiltered 3 years ago
@ippsec thanks. Should be no problem putting together a good playlist.
@darshanakhare6676 3 years ago
Kali 2020.4 is getting zsh as the default shell; what's your opinion? Caught you at 11:22 99s 😜🤭
@DHIRAL2908 3 years ago
Haha lol, was gonna comment it!
@amoghnath3330 3 years ago
lol, would you mind explaining?
@terror403 3 years ago
I did it, I love it :)
@laurenzkaml3864 3 years ago
Could you just enter the username “admin-”? That should in theory do the job 🧐
@user-vq7my5te3b 3 years ago
The content type was screwed up because of that uglish Burp, which tends to pop up and become the main window even when you fcn don't ask it to, and all typing goes there, spoiling everything. I've seen this so many times.
@nicoswd 3 years ago
There's actually a second way to get to upload.php. While it's password protected, they're just doing a "Location:" redirect without exiting the script afterwards. So I just removed the redirect header from the response in Burp.
@jannmoon 3 years ago
Smart man. I went the unnecessary extra step of changing it to "200 OK" and really thought I was foolin' my browser 🤷‍♂️
@nicoswd 3 years ago
@jannmoon While I fooled mine, I guess yours was a lot less confused about that response 🙃. But nice to see someone else caught this bug too!
@NytNaatitaan 3 years ago
Did the same :)
@mikemutter4521 2 years ago
In the SQL " 'or 1=1 -- - ", what does the last slash mean? I know double slashes are for comments, and when I try it myself it only works if there is a space and another slash, and I don't understand why.
@ippsec 2 years ago
A comment is two dashes and a space. Sometimes the webapp will append a and not , so if you don't do it will be inconsistent. In no situation will adding the hurt, it can only help. Just like when I do "bash -c' bash -i ..." its just a stability thing... The which i use for is just there so you can visually see the space.
@laurenzkaml3864 3 years ago
👍👌
@aharonmo4188 3 years ago
Why don't you use Kali?
@johnnywilson3071 3 years ago
Personal preference probably.
@panosklainos3031 3 years ago
There is actually an easier way of uploading a shell: using exiftool to write the code into a real image.
@markgentry8675 3 years ago
That sounds interesting. Can you give me a simple example of how to do that?
@panosklainos3031 3 years ago
@markgentry8675 I just used 'exiftool -Comment {php code} image.png'. Notice that this only works with the png extension and not jpg or jpeg. I think it's a way easier method, and I never would have thought about adding the magic bytes.
@aneeshnadh5377 3 years ago
How do you set up the OS you are using?
@MohmdSy5 3 years ago
github.com/theGuildHall/pwnbox I guess this is what you're looking for
@MohmdSy5 3 years ago
It's a collaboration between HackTheBox and ParrotOS
@aneeshnadh5377 3 years ago
@MohmdSy5 thank you
@ayushprajapati2630 1 year ago
I thought it was gonna be a magic video after he said "I am doing magic"
@user-fp6dt1os1l 3 years ago
I swear I've seen this one before... am I going mad?
@imperium305 3 years ago
Don't think so; he has done a bunch of magic-byte trickery boxes in the past though.
@h8handles 3 years ago
It is funny seeing this after the 9-year sudo vuln was released. He said @ 37:00 he can't exploit it because we don't have access to sudo.... yes you do, as we now know.
@IvanRandomDude 3 years ago
Site vulnerable to the most basic SQL injection in 2020, omegalul.
@Xbotto 3 years ago
Found the same broken login IRL in 2018, kekw.
@leon1985ist 3 years ago
Hi IppSec, a few questions and some advice you could give here; hope not to bother. I am a big fan here, am starting to support, and am trying to get my PC build going. I just want to have the same environment. So first, I have 16 GB of RAM; should I put in more RAM? Other question: the CRACKING you say is done on a different machine; do you run a Linux-based system on it, or is it another virtual machine? And is it a good idea to run Linux as a base system on a PC or not? Hope you can understand my silly questions; hope to get advice about them, thanks.
@jannmoon 3 years ago
I know you didn't ask my opinion, but here ya go anyway. I have 32 GB and haven't really seen it all burn up yet (besides hashcat getting my CPU to 90 C); last year with 16 it did slow down some. 16 is near perfect but 32 is flawless for me. Got into VPS and I love it, especially with all the free credits from AWS and Google Cloud etc. I use it for any web-heavy directory fuzzing for bug bounties, and the speed and lack of IP bans is great. Finally, I use Kali as my main OS and it died a lot at first; then as soon as I finally started making 2-3 backups, no issues. It can be done, but be prepared and back up stuff regularly. Windows workarounds are kinda necessary sometimes, so I kinda wish I had kept it as a dual boot instead of full Linux. Oh well!
@leon1985ist 3 years ago
@jannmoon how do I get a VPS? What does it stand for?
@jack_brannan 3 years ago
Thanks. To semicolon be very nice
@xyhard8603 3 years ago
First?
@somasaha7934 3 years ago
Can you tell me please, how to make the Parrot window screen!!!
@deepb5204 3 years ago
curl parrot.live 😛