HackTheBox Zipping

11,440 views

IppSec

A day ago

00:00 - Introduction
01:00 - Start of nmap
02:50 - Discovering a likely LFI in product.php, but we cannot use PHP filters, likely because there is a file_exists() check
05:30 - Playing with the file upload functionality
08:40 - Talking about the PHAR wrapper in PHP, showing it bypasses the file_exists() check and lets us reach into the ZIP to bypass the .pdf check
10:55 - Uploading the PHAR archive and getting RCE through the LFI and PHAR wrapper
16:40 - Showing the intended file disclosure vulnerability, by uploading a zip containing a symlink
18:00 - Creating a Python script to automate the file disclosure vulnerability, making it easier for us to download files
28:30 - Script completed; looking at the PHP code, then showing another unintended solution with a zip file and a null byte
37:30 - Explaining what happened with the null byte
40:00 - Showing the intended solution with the null byte, talking about how we can bypass this regex with CRLF injection because it does not handle multi-line input
48:00 - Dumping the SQL database with a UNION injection
51:15 - Dropping a file from MySQL and then including it with the LFI to get a shell
58:00 - As Rektsu we can execute a binary with sudo; running strings discovers a hard-coded password. strace reveals it loads a library that doesn't exist, so we can use msfvenom to create a malicious library
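The upload checks this chapter list keeps circling back to, written from the defender's side as an added example (not code from the video or the box): a Python validator that inspects an uploaded ZIP before anything is extracted, flagging symlink entries (the file-disclosure trick), entry names carrying null bytes or line breaks (the null-byte and CRLF tricks), and anchoring the .pdf check with `\Z` instead of a bare `$`. The allowed-name pattern, the entry names and the fixture archive are all constructed for this example.

```python
import io
import re
import stat
import zipfile

# Anchor with \A and \Z: a bare "$" also matches just before a trailing "\n",
# which is the gap a CRLF in the filename exploits against a ".pdf$" check.
SAFE_NAME = re.compile(r"\A[A-Za-z0-9_-]+\.pdf\Z")

def check_member_name(name: str) -> list:
    """Return the problems found in one archive entry name (empty list = clean)."""
    problems = []
    if "\x00" in name:
        problems.append("null byte in name")
    if "\r" in name or "\n" in name:
        problems.append("line break in name")
    if name.startswith("/") or ".." in name.split("/"):
        problems.append("path traversal")
    if not SAFE_NAME.match(name):
        problems.append("name does not match allowed pattern")
    return problems

def audit_zip(data: bytes) -> dict:
    """Inspect every entry of an in-memory ZIP without extracting anything.
    Returns {entry_name: [problems]} for entries that must be rejected; symlinks
    are recognised from the Unix mode stored in the high 16 bits of external_attr."""
    findings = {}
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():
            problems = check_member_name(info.filename)
            if stat.S_ISLNK(info.external_attr >> 16):
                problems.append("symlink entry")
            if problems:
                findings[info.filename] = problems
    return findings

def build_sample_zip() -> bytes:
    """Constructed fixture: one clean entry and two entries the validator must flag."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("invoice.pdf", b"%PDF-1.4 constructed sample")
        zf.writestr("report.pdf\n", b"entry name ends with a newline")
        link = zipfile.ZipInfo("link.pdf")  # symlink entry; target is a placeholder
        link.external_attr = (stat.S_IFLNK | 0o777) << 16
        zf.writestr(link, "placeholder-target-outside-upload-dir")
    return buf.getvalue()
```

Run `audit_zip` on the raw upload bytes and reject the whole archive if it returns anything; the check reads only the central directory, so no entry touches disk.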

Comments: 28
@user-js4wi8mp7m 6 months ago
Nice! I really like the second unintended method because it shows whoever discovered this, knew how the code works in deep depth and how to exploit it. That's something I need to get good at!
@ippsec 6 months ago
Haha nope, didn't really know the code in depth. Had looked in depth after finding it; null bytes are something I try a lot, and when it didn't throw an error at upload but the file never existed, I started debugging it and discovered what happened.
@AUBCodeII 6 months ago
You can't spell Zipping without Ipp
@utkarshagrawal6060 6 months ago
Doesn’t make any sense
@utkarshagrawal6060 6 months ago
Amazing. Always great to see an IppSec video
@xrunner55 6 months ago
I remember popping this box. Figuring out the proper formatting for the file extension bypass was a pain. Trying all of them and also figuring out how to format it was educational. Once I got a foothold with that, it was a lot easier.
@mohammadhosein6847 6 months ago
I always learn something new by watching your videos. TY
@Yoyo-qn4mv 6 months ago
Learned so much from this one :) Tnq sir
@0xmoriarty36 6 months ago
Keep it up
@anonymouspotato6017 6 months ago
Great video! I actually have a few questions about the machine. There are actually two files on which we can perform SQLi: product.php, as shown in the video, and cart.php, at the product_id parameter. However, we cannot write files with cart.php and I couldn't figure out why. Also, for the LFI part, we can't include the file if the PHP file was written to the /tmp directory. I was able to perform it on my machine but the machine didn't like /tmp.
@ippsec 6 months ago
/tmp is a dangerous directory because of SystemD PrivateTmp. MySQL and Apache have different tmp directories.
@stefan.b7812 6 months ago
It is really hard to see URLs and payloads in the browser address bar. Can you zoom a little when working in the address bar? Thanx in advance.
@HackerBabaOfficial 6 months ago
Can you kindly tell which keyboard you are using?
@ippsec 6 months ago
Ducky Zero with cherry mx reds.
@perfectshow-bx1ov 6 months ago
Sir, I have many issues on the Bookworm machine; please could you help me to solve it 😉
@trustedsecurity6039 6 months ago
There are tons of Discord servers where people do boxes together or help other people ;) That's also why I find the ranking a bit useless for most people; I interviewed a guy who was 48 or 58 on the ranking but didn't answer basic web questions like what is an SSRF, didn't know what magic bytes are...
@perfectshow-bx1ov 6 months ago
@trustedsecurity6039 thanks for your suggestion, thanks a lot 🫡
@y.vinitsky6452 6 months ago
Yay
@tg7943 6 months ago
Push!
@riezzo1350 6 months ago
I REALLY struggled with this one
@sand3epyadav 6 months ago
Miss you sir, plz replying
@0xUnixy 6 months ago
Say it again like that, love
@0x2e2e2f 6 months ago
Hi guys, beginner question here: should I avoid using Ubuntu as my main operating system? Does IppSec use Windows?
@younests.1824 6 months ago
Ippsec uses Parrot OS - HackTheBox Edition
@0x2e2e2f 5 months ago
@younests.1824 VM or main host?
@houssam3078 6 months ago
I hate watching your videos. I try hard to be on your level but I can't. You make things look easy; I'm thinking of staying away from this field
@felixkiprop48 6 months ago
peace