HackTheBox - Swagshop

49,329 views

IppSec

4 years ago

00:45 - Beginning of recon
01:36 - Examining the web page to find Magento, noticing the /index.php/ mod-rewrite misconfig and an old copyright
04:50 - Whoops, should have done apt search magescan; either way this package is not in Kali
05:30 - Running MageScan to scan the website
08:20 - Finding an open configuration file (app/etc/local.xml)
10:30 - Running searchsploit to identify public exploits
12:10 - Examining an exploit that will add an administrative user via SQL injection
15:15 - Running the exploit out of the box didn't work; send it through Burp in order to debug it
16:45 - Exploit needed to be modified to include index.php due to the mod-rewrite misconfig
19:25 - Going back to searchsploit and using the authenticated RCE exploit
21:30 - Making the obvious changes to fix the exploit script
24:17 - Debugging the exploit by running it through Burp Suite; find out we need to use a login page
29:00 - Bit more in-depth debugging by setting a breakpoint with pdb
30:30 - The regex is failing because the page returns nothing; the URL has a time span, let's increase that
33:15 - Finally fixed this exploit! Reverse shell returned
35:30 - Noticing we can exec vim with sudo; let's privesc
37:10 - Mentioning GTFOBins, which helps find privesc paths from privileged programs
38:15 - EXTRA: Examining the PHP object injection RCE exploit
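The two debugging fixes the chapter list above walks through (prefixing exploit URLs with /index.php because of the mod-rewrite misconfig at 16:45, and widening the dashboard period at 30:30 until the script's regex gets something to match) are easy to automate rather than patch by hand each time. The following is an added example written for this page, not code from the video or from the searchsploit scripts it uses. Assumptions, labelled in the code too: the Magento 1 admin login form contains an input named login[username]; the dashboard period values tried are 24h/7d/1m/1y/2y; the ajaxBlock URL template, the order-id regex and the sample responses are constructed so the module runs offline, with http_get provided for live use.

```python
"""Debugging helpers for running a public Magento 1 exploit against a
target like the one in the video: the admin panel is only reachable via
/index.php/ (mod-rewrite misconfig), and the dashboard block the
authenticated RCE script scrapes returns nothing for its default 7d
period, so the script's regex never matches.

Added example, not code from the video or from the exploit scripts it
uses. Assumptions: the admin login form contains an input named
login[username]; the dashboard period values are 24h/7d/1m/1y/2y; the
ajaxBlock template, order-id regex and sample responses are constructed.
"""
import re
import urllib.error
import urllib.request
from typing import Callable, Iterable, Optional, Tuple

Probe = Callable[[str], Tuple[int, str]]   # url -> (status, body)
Fetch = Callable[[str], str]               # url -> body (authenticated session)

ADMIN_PATH = "/admin/"
LOGIN_MARKER = 'name="login[username]"'    # assumption, see docstring
PERIODS = ("24h", "7d", "1m", "1y", "2y")  # assumption: Magento 1 dashboard periods
# Constructed pattern: order links in the "last orders" dashboard block.
ORDER_ID_PATTERN = re.compile(r"/sales_order/view/order_id/(\d+)/")


def http_get(url: str, timeout: float = 10.0) -> Tuple[int, str]:
    """Real probe for live use: GET url and return (status, body)."""
    req = urllib.request.Request(url, headers={"User-Agent": "Mozilla/5.0"})
    try:
        with urllib.request.urlopen(req, timeout=timeout) as resp:
            return resp.status, resp.read().decode("utf-8", "replace")
    except urllib.error.HTTPError as err:
        return err.code, err.read().decode("utf-8", "replace")


def detect_front_controller(probe: Probe, base: str) -> Optional[str]:
    """Return '' if /admin/ serves the login form directly, '/index.php' if
    it is only reachable through the front controller, None if neither."""
    for prefix in ("", "/index.php"):
        status, body = probe(base.rstrip("/") + prefix + ADMIN_PATH)
        if status == 200 and LOGIN_MARKER in body:
            return prefix
    return None


def rewrite_exploit_url(url: str, prefix: str) -> str:
    """Insert prefix right after the host of a hard-coded exploit URL, once."""
    m = re.match(r"^(https?://[^/]+)(/.*)?$", url)
    if not m:
        raise ValueError(f"not an absolute http(s) URL: {url}")
    host, path = m.group(1), m.group(2) or "/"
    if prefix and path.startswith(prefix + "/"):
        return url          # already rewritten
    return host + prefix + path


def first_period_with_match(fetch: Fetch, url_template: str,
                            pattern: "re.Pattern[str]",
                            periods: Iterable[str] = PERIODS) -> Optional[Tuple[str, str]]:
    """Try each period, low and high, until the block yields a regex hit.
    Returns (period, first capture group) or None if no period matched."""
    for period in periods:
        m = pattern.search(fetch(url_template.format(period=period)))
        if m:
            return period, m.group(1)
    return None


# --- constructed stand-ins for the target so the module runs offline ---
def sample_probe(url: str) -> Tuple[int, str]:
    """Constructed: only /index.php/admin/ serves the login form."""
    if url.endswith("/index.php/admin/"):
        return 200, '<form><input name="login[username]"></form>'
    return 404, "<h1>Not Found</h1>"


def sample_fetch(url: str) -> str:
    """Constructed: only the one-year window contains an order."""
    if "/period/1y/" in url:
        return '<a href="/index.php/admin/sales_order/view/order_id/7/">#100000007</a>'
    return "<table></table>"


def demo(base: str = "http://10.10.10.140") -> dict:
    prefix = detect_front_controller(sample_probe, base)
    login_url = rewrite_exploit_url(base + "/admin/", prefix or "")
    # Assumed ajaxBlock route shape; the exploit in the video hard-codes 7d here.
    template = rewrite_exploit_url(
        base + "/admin/dashboard/ajaxBlock/block/tab_orders/period/{period}/?isAjax=true",
        prefix or "")
    hit = first_period_with_match(sample_fetch, template, ORDER_ID_PATTERN)
    return {"prefix": prefix, "login_url": login_url,
            "period": hit[0] if hit else None, "order_id": hit[1] if hit else None}


if __name__ == "__main__":
    print(demo())
```

Against a live target, swap sample_probe and sample_fetch for http_get and an authenticated fetch from the exploit's own session; the period loop deliberately walks both shorter and longer windows, which is the point IppSec makes in the comments about guessing min/max values rather than assuming only "bigger" will help.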

Comments: 91
@ev3rything533 4 years ago
SwagShop was my first box, I did it when it was live, funny to see other people do it different ways. I found the open directories to be interesting, and after digging around in the admin panel for a while I found a way to make a product with custom parameters. I used the custom parameters to upload a file, and used that file to get remote code execution via the search bar. After testing it with ls and whoami, I saw that it worked and then did a reverse shell. The hardest part was definitely the enumeration, but also the most fun. Actually, I take that back, the hardest part was having to do the first couple of steps 300 times because people kept resetting the box.
@ITSecurityLabs 4 years ago
I love your videos. They are very helpful in my OSCP studies
@Y3llowMustang 4 years ago
This was like my second box and I still had no clue what I was doing. I gave up on that second exploit and just used the Froghopper method of uploading bad PHP code through an image, then executing it using a news template. Great write-up as always, been watching your videos for a while now and I'm glad you're doing boxes I've done myself.
@ev3rything533 4 years ago
Yep, that's what I did, I couldn't remember what I did exactly, but I knew it was something to do with a product and uploading a file, great minds think alike.
@WarkerAnhaltRanger 4 years ago
thank you for sharing so many sources! Your videos are pure gold!
@SP-hz5tp 4 years ago
This was the first box I rooted! You were my inspiration to solve it. Nice seeing your perspective now.
@mrjamesprince 4 years ago
Did you learn from his other videos?
@SP-hz5tp 4 years ago
Yes of course.
@mrjamesprince 4 years ago
@SP-hz5tp so awesome, thanks for replying
@cvija997 4 years ago
Wow, well done! I'm really impressed with your knowledge as well as sharing it with others, thank you!
@vonniehudson 4 years ago
@22:45 "Port 9001 because... let go over 9000..." Love it! Lolz
@nashvillewebnet 4 years ago
We have many ports, it's over 9000!!! 😭😭😭
@deansmith2012 4 years ago
Awesome video ippsec keep it up bro! 👍🏼
@tapsobaaubainpazisnewende5060 4 years ago
Thank you for sharing! I missed the part where the URL should be changed to 1y. Awesome video as always
@BreakTheCode115 4 years ago
First box I rooted. This was an awesome experience in pentesting. Interesting to see a different process to it.
@cwlancaster979 4 years ago
First, thanks for the upload and well done. Thank you for the very thorough explanation. Second, a minor suggestion to do with vim-fu, not the actual exploitation itself: @21:35 "use dw to delete word" certainly works, however the faster and more precise replacement once your cursor is on the beginning "S" of the date string is c/' followed by pasting your copied date string. Meaning, change the characters between the cursor and the next single quote (in this case the end of the string).
@mattfowler6504 4 years ago
thank you so much I've been stuck on this box for the last day. I managed admin access but couldn't quite gain root. Thank you for the video and all your help!!
@_mayankr 4 years ago
Would definitely love a video on php deserialization and the attacks possible with it! Thank you for this video!
@fragrant3021 4 years ago
Could you tell me how to get a real bash terminal? python3 -c 'import pty;pty.spawn("/bin/bash")', ctrl-z, stty raw -echo, and then? What should I do? Thanks :)
@fragrant3021 4 years ago
Got it: fg, enter, enter.
@aneeshverma1 3 years ago
For people who are getting mechanize._form_controls.AmbiguityError: more than one control matching name 'login[username]' when trying to run the code_exec file, use

    userone = br.find_control(name='login[username]', nr=0)
    userone.value = username

instead of br['login[username]'] = username. Don't know why I am getting this error though, but selecting the first value seems to make it go away!
@murataltngul4980 2 years ago
you are a life saver
@Urbancorax2 4 years ago
Nice info about getting a shell using vi, and separate kudos for showing where you got it from!
@KLarsen00 4 years ago
I'm watching this video wearing my HackTheBox t-shirt I bought back when this box was still new :-)
@Ms.Robot. 3 years ago
Got popcorn, Gatorade, and listening on my bed. Nice.
@linuxlove1912 4 years ago
Thanks bro for this video. I did try for a shell but I didn't get any. Now I realised what I was doing wrong on that box. Once again thank you so much!!
@rtrvlogs582 4 years ago
I did the RCE by adding a file manager plugin in Magento and editing a previous PHP file to get code execution. Also tried that Python exploit but avoided it because of errors. But the way you debugged and explained it was very informative. Thanks! 😄
@ippsec 4 years ago
The file manager was patched so I didn’t show it
@rtrvlogs582 4 years ago
@ippsec you mean the plugin for file manager, but we could add it by importing it. I imported that plugin.
@p6y 4 years ago
Bro, can you send me the page where you saw the plugin? I've been searching and all are paid or you must sign up on the page.
@L33TTechReviewer 4 years ago
I got it to work with outer single quotes and inner double quotes so I don't think it was that. Also, I believe the demonstration you showed with the $ippsec is more so a quirk with how single quotes interpret the symbol $ more than anything else. Either way enjoyed the video, thanks for making it!!
@unevalkamlesh387 4 years ago
Thank you for making these free Hack The Box machine videos.
@_JS96 4 years ago
This was my first box, user'd and rooted. Had lots of fun haha
@sangamo38 4 years ago
That index.php/folders is common with MVC frameworks like CodeIgniter and Laravel. It's not a misconfiguration, it's routed differently.
@bassman7689 4 years ago
I got a shell on this box by uploading a plugin that allowed me to either upload or edit php files (can't remember which one) after using the first exploit to get an admin user. Wish I would have paid more attention about the RCE!
@shreatehVlog 4 years ago
Many thanks
@shadowKamiyama 4 years ago
i just subscribed :)
@abhinavram5223 4 years ago
You sir are amazing, quality content
@yusufanything 3 years ago
pdb is fucking great, thanks for showing us!
@kalidsherefuddin 1 year ago
Ok the great course
@shellbr3ak443 4 years ago
I didn't understand the part "7d" where u changed the value in "br.open(url + 'block/tab_order/period/7d/?isAjax=true') and, thank u for sharing your knowledge :)
@markgentry8675 4 years ago
Because it didn't return any results, so he increased the range to 1yr. It must have been looking through some data.
@MrNubix 4 years ago
Damn, I was just doing that box. It got retired literally while I was rooting it. Now I know why. I wanted those points.
@peterdjalaliev1 4 years ago
Out of curiosity - why do you use ports above 9000 for reverse shells?
@AndrewD007 4 years ago
I believe he is referencing a common "meme" (for comedic effect) related to the animated TV series called Dragonball. knowyourmeme.com/memes/its-over-9000
@GuitaRHero5611 4 years ago
My question about all your videos: how did you get all the knowledge for this? I'm new and I want to be just like you. Also, how did you know all the next steps super fast? Sorry if I'm asking dumb questions!!
@corpsec6630 4 years ago
i need help with the point at nearly 30:25, where we realized that 7d is a period and it should be changed to something else. I am unable to understand how come making it 7 year did not help but 1year did... was this completely a hit and trial or i am missing on something please?
@ippsec 4 years ago
Just guessing things sometimes have min/max values so try both high and low
@corpsec6630 4 years ago
@ippsec so what I understand then is that we realized that it's a period, and then tried different periods like 1y, 7y etc. just as a trial, I mean not based on any specific logic. Please correct me if I am not right?
@sd9847 4 years ago
@@corpsec6630 If you go to the specific page on the admin dashboard, it's looking at displaying some kind of sales history, so maybe there are some default timeframe values, 1 week, 1 month, 1 year? 7 years wouldn't be an option. I just turned off the box so I won't be able to double check if that's true or not.
@JuanBotes 4 years ago
My next dog I am going to call IppSec. Awesome, if I get this good before I retire I will die happy.
@nikolanojic6861 4 years ago
I finally pwned something before you :D
@CarbonDPG 4 years ago
Not to shatter your thoughts, but HTB limits when writeups can be released (e.g. retired from active service). He likely cracked this months ago.
@nikolanojic6861 4 years ago
@CarbonDPG I know, I just meant the time it took him in the video!
@mallikarjunkishore4345 4 years ago
Can someone please tell me why the author of this video changed something like '1y' in the second script?
@cauxxx2454 4 years ago
epi052.gitlab.io/notes-to-self/blog/2019-09-12-hack-the-box-swagshop/
@c1ph3rpunk 4 years ago
Why in 2019 is little Bobby Tables STILL around?
@vonniehudson 4 years ago
Because developers don't believe in HP Fortify
@c1ph3rpunk 4 years ago
As a former HP company, I’ll pass.
@velomeister 4 years ago
Could have easily rooted this box if I knew the little "index.php" thing before the path of the login panel for the exploit to work... Oh well, every day you learn something new I guess.
@msphr7426 4 years ago
For getting the root.txt file, *sudo vi /var/www/html/../../../root/root.txt* should be fine
@kristerpanett9683 4 years ago
Also symlink into any wanted file, shadow or passwd, works
@Y3llowMustang 4 years ago
I like this, noted.
@raycharles6240 3 years ago
Unable to import Mechanize. I cannot get 'pip' to work for me using python2.7. I tried to upgrade to python3 but the script only works with pip-python2
@TheQuest07 3 years ago
I heard pip is end of life for Python 2. I've just been copying files across from Python 3. Locate mechanize (/usr/lib/python3/dist-packages/mechanize), then: sudo cp -r /usr/lib/python3/dist-packages/mechanize /usr/lib/python2.7/dist-packages
@Rezurrektz 4 years ago
Could you add the Bighead & Flujab videos to their respective playlists please, if it's not too much trouble?
@ippsec 4 years ago
Done! Thanks for letting me know they weren't in a playlist
@ciph3r836 4 years ago
You could have just added a PHP backdoor from the file editor in the Magento dashboard and saved it. It would save a lot of time. I did it that way.
@guyunknown226 3 years ago
15:33 why in flower bracket?
@stephengarrison172 4 years ago
So I went a slightly different path. Once I got site admin I just went and found an IDE plugin for that version. Dropped a php reverse shell. But the php object injection is much more elegant.
@ippsec 4 years ago
That was actually patched after the machine went live, along with uploading a plugin.
@stephengarrison172 4 years ago
I rooted in the first week so that makes sense. The command injection leaves less to be discovered. Going to try this method later.
@stephengarrison172 4 years ago
IppSec, also, thanks for these videos. I may be getting my first security job in a few weeks.
@its-me-dj 4 years ago
The 10.10.10.140/RELEASE_NOTES.txt totally screwed me over. It says version 1.7.0.2
@youarenotspecial17 3 years ago
That lists previous versions.
@mohamedzumri4305 4 years ago
Second 🥴
@Mike-cp1tj 2 months ago
There is a special place in hell for people who write broken Python 2 "public exploits" for everyone else.
@wheeler90 4 years ago
3rd
@saketsourav1202 4 years ago
Guys, don't forget his new ippsec.rocks, where you can search the entire playlists through specific keywords.
@tonkotsu_noodles 4 years ago
third :)
@higswat 4 years ago
God damn, that script doesn't work for me even though I follow your debugging. I get these mechanize errors even when I put index.php/admin. I also put the credentials from my created account. I can't get it to work because of the mechanize thingy.
@geekgeek8453 4 years ago
first
@hondatech5000 4 years ago
ahh like all the easy boxes i pwned are public now...
@manojkarajada7188 4 years ago
IppSec, the HTB Help box date-and-time exploit for HelpDeskZ worked fine the first time and I got a shell. Later I tried the same exploit for a reverse shell and it's not working (I mean after running the Python exploit I get a "hash URL not found" error all the time; I tried changing the x range in the exploit but nothing works). Error: sorry, I did not find anything.
@kashifamanat9510 4 years ago
Is it retired?
@TehAngryBirdzFamily 4 years ago
IppSec only uploads videos of retired machines, as it is against Hack The Box's terms and conditions to upload content of active machines/challenges, etc. Hope this helps!
@servermadum7297 11 months ago
I can't run the exploit code. I get this error; how can I solve it?

    Traceback (most recent call last):
      File "/home/ma/Desktop/swagshop-exploit.py", line 24, in <module>
        "filter": base64.b64encode(pfilter),
                  ^^^^^^^^^^^^^^^^^^^^^^^^^
      File "/usr/lib/python3.11/base64.py", line 58, in b64encode
        encoded = binascii.b2a_base64(s, newline=False)
                  ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
    TypeError: a bytes-like object is required, not 'str'