HackTheBox - Armageddon

  22,491 views

IppSec

00:00 - Intro
00:50 - Start of the box, showing a quick way to nmap
02:15 - Looking at web page
03:00 - Looking for Drupal Scanners
04:00 - Showing how I would fingerprint opensource apps if there was no scanner
06:30 - Using DroopeScan to scan the site
07:50 - Starting to use Drupalgeddon2 to get a shell
11:40 - Installing gems so DrupalGeddon works
12:15 - Drupalgeddon2 works, going from a webshell to reverse shell
16:00 - Confused about OSError: out of pty devices when improving the shell, give up eventually
17:50 - Looking for users on the box, then hunting for the Drupal configuration
21:00 - Cannot find the drupal configuration, going to google and asking for how to change the SQL Password
22:45 - Logging into the Drupal MySQL Database then dumping the Drupal Hash but have trouble getting it to work since we don't have a TTY
29:00 - Cracking the Joomla Password, then testing the password with ssh and logging in
30:00 - Our user can install Snap Packages with sudo, so building a malicious snap
31:20 - Installing FPM which lets us build packages, building a lot of bad packages until we find one that works
36:20 - Our malicious packages aren't working, switching to a non-malicious one to test the exploit
40:16 - Having our snap attempt to grab the root flag, turns out I was just impatient before
43:43 - Moving bash to avoid system directories and setting it to setuid
45:10 - Explaining what snap is

Comments: 41
@JuanBotes 3 years ago
As a beginner I like your unprepared videos, as your methods teach me how to do research, looking for keywords, finding hints you use to get to the answers for an exploit, understanding your mind process. Thanks again for sharing \o/
@Stefan-uj8du 3 years ago
@IppSec: 7:36 the reason your grep does not find what you wanted is that searchsploit outputs the ANSI color codes even when the results are piped. And since Drupal is highlighted, there are ANSI sequences before and after each instance, effectively breaking up Drupalgeddon into [ANSI]Drupal[ANSI]geddon. To disable color output you need to pass "--colour" to "Disable colour highlighting in search results" (how intuitive).
@TheDexofWar 3 years ago
Thank you for the videos IppSec. I just wanted to let you know that I have passed the CISSP last week. I am going for CEH next, and I know that watching you every Saturday for a long time, is going to pay off! Thanks again.
@axelvirtus2514 3 years ago
Good luck 🍀
@element-1254 3 years ago
If I was you, I’d skip CEH and start doing OSCP (if you don't have it yet)
@thev01d12 3 years ago
@@element-1254 ^^^^^^ true, ceh is literally scam in comparison with oscp
@ishanpatel8386 3 years ago
Do not waste your money on CEH
@qwqqq2416 3 years ago
Thumbs up if you say IppSec should always record these boxes live instead of preparing them beforehand. I genuinely learn much more if IppSec does them live.
@noone-ld7pt 2 years ago
I just wanted to say how fantastically instructive your videos are! I'm doing my OSCP some time this year, and I am currently watching at least one of your videos on the J-nul list every day this month. Thank you so much for this amazing source of information!
@morphein 3 years ago
I like to watch you live man, keep it up, it's so good.
@hadrian3689 3 years ago
I was waiting for this video. This was the first active box I rooted and the whole time I just kept thinking “what would ippsec do next?” Thanks for the great content!
@jamescowling2753 3 years ago
Amazing! When this was an active machine I got my first ever User flag from this box. Got stuck on the priv esc though, really appreciate the walk through on this one!
@Jambion 3 years ago
Yeah python libraries are not to be messed with, they've destroyed my arch install and forced me to reinstall my kali vm. The display manager in kali has some python dependencies, so once I had removed all libraries and reinstalled python, the vm was dead.
@kasuntechtest8871 3 years ago
Ippsec videos are like waiting for Christmas gift .....
@imranthoufeeque165 3 years ago
You ran droope scan back in bastard hackthebox machine.... You mentioned you haven't run that before he he he.... But we follow you and we love you...
@wkppp4732 3 years ago
Thanks for the vid ipp! Will you be joining the new event hosted by hack the box?
@thev01d12 3 years ago
Hey ipp have you thought about uploading that HTB theme for parrot os it looks clean
@KeinVorhandenerUser 3 years ago
I second this, it looks really nice.
@jim106gti 3 years ago
I had the same dramas getting mysql connection from the command line, eventually stopped and used PHP to query and echo data out. Is there a specific setting that restricts access from the command line to get into the mysql shell? Even though you could query it using -e ?
@mitchodonnell3976 3 years ago
2:58 lol I know that feel man.
@TracerPortable 3 years ago
Hey! How is your 5950X doing? I'm on the edge of upgrade and considering 5900X vs 5950X. On the paper 5950X looks great but it is quite pricey and 5900X has 4 cores less but much more affordable and I can't decide if it is worth to pay more? I
@SamerLOLOfficial 3 years ago
Hey IppSec, about the issue you are facing when using hashcat: I got the same issue, and when I searched about it I found out that it was because of my CPU. I installed Intel OpenCL (as I remember) and it worked. The issue was caused by my CPU, AMD Ryzen 9 (same as yours).
@Zmunk19 3 years ago
you should use "set -o vi" in the terminal to edit commands faster. also, you repeat the same long commands a lot, so wouldn't it be efficient to create temporary bash aliases, and you could delete them when you're done?
@ca7986 2 years ago
👌
@124BHP 3 years ago
Is it possible for you to explain commands for newbies . That would really help .. Regards
@gamesinloop148 3 years ago
I'm curious about OSCP instead of my college degree. So after completed OSCP can i get a penetration testing job??
@DHIRAL2908 3 years ago
No, Bachelor's is at least necessary for any jobs...
@kariminal2999 3 years ago
@@DHIRAL2908 Absolutely not true. It helps sure but you can defo get a job without
@kariminal2999 3 years ago
You can but like with all things it's not the qualifications alone which will get you the job. You've gotta show aptitude, willingness to learn etc. You may end up shadowing people first before doing your own pentesting etc. Also depends where you live as different areas have different opportunities, internships, apprenticeships, starter jobs, scholarships, demand for pen testing in particular etc
@intruder70 3 years ago
why I can't connect ssh?
@ronaldjonson8240 9 months ago
33:48 you could have used bash -i to spawn an interactive shell
@xx_xxx_xxx_xx 3 years ago
12:31 why did not just use a python shell instead
@locke8412 1 year ago
I watched this walkthrough just so I could hear ippsec say booboo
@errormanerrorman9777 3 years ago
Cracked Drupal password hash, not Joomla. Mistake in timecode.
@brunoteixeira5092 3 years ago
Instead i used dirty sock to privesc
@andresstreetpunk 2 years ago
Does it work with dirty socket? I tested with dirty cow and it didn't work.