HackTheBox - Admirer

  Views: 26,496

IppSec

3 years ago

01:15 - Doing nmap quickly by not running scripts to get open ports, then using that output to run scripts.
04:50 - Checking out the webserver, discovering robots.txt
07:55 - Running gobuster on the admin-dir with the extensions txt and php
11:15 - Finding credentials.txt within that admin-dir
13:15 - Logging into FTP to discover the web directory source
21:30 - Running gobuster again on utility-scripts to discover adminer.php
24:55 - Going to adminer and trying to login
27:10 - Bypassing adminer authentication by creating a MySQL Database
31:45 - Failing to drop a file in adminer
34:30 - Using LOAD DATA LOCAL to insert a file into our database
38:05 - Uploading the server's index.php to our database and discovering the password
39:00 - SSH into the server with the password found before
41:50 - Sudo allows us to set environment variables; using PYTHONPATH to hijack a Python library... Failing to get a rev shell
49:00 - Switching to nc for a revshell and getting a root shell!
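
A defender-side check for the sudo misconfiguration the 41:50 chapter relies on (a rule that lets the caller choose environment variables such as PYTHONPATH), added here as an example and not part of the video or its description. The sudoers text, users and paths are constructed, and the parser assumes single-line rules.

```python
import re

# Variables that redirect where an interpreter or the loader finds code.
RISKY_ENV = {"PYTHONPATH", "PYTHONHOME", "PYTHONSTARTUP",
             "PERL5LIB", "RUBYLIB", "LD_PRELOAD", "LD_LIBRARY_PATH"}

# Constructed sample policy; users and paths are hypothetical.
SAMPLE_SUDOERS = '''\
# constructed sample
Defaults env_reset
Defaults env_keep += "LANG PYTHONPATH"
alice ALL=(ALL) SETENV: /opt/scripts/maintenance.sh
bob   ALL=(root) NOPASSWD: /usr/bin/systemctl restart nginx
carol ALL=(ALL) NOPASSWD:SETENV: /usr/bin/python3 /opt/scripts/backup.py
dave  ALL=(ALL) NOSETENV: /usr/bin/id
'''

SETENV_TAG = re.compile(r"(?<![A-Z])SETENV:")          # not NOSETENV:
ENV_KEEP = re.compile(r'env_keep\s*\+?=\s*"?([^"]*)"?')  # = or +=, not -=

def audit_sudoers(text):
    """Return (line_number, reason) for rules that let callers steer imports."""
    findings = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue  # blank or comment (simplification: ignores #include)
        if line.startswith("Defaults"):
            if "!env_reset" in line:
                findings.append((lineno, "env_reset disabled"))
            if re.search(r"(?<![!\w])setenv\b", line):
                findings.append((lineno, "setenv enabled in Defaults"))
            m = ENV_KEEP.search(line)
            if m:
                kept = sorted(RISKY_ENV & set(m.group(1).split()))
                if kept:
                    findings.append((lineno, "env_keep preserves " + ",".join(kept)))
        elif SETENV_TAG.search(line):
            findings.append((lineno, "SETENV tag: caller may pass any variable"))
    return findings

if __name__ == "__main__":
    for lineno, reason in audit_sudoers(SAMPLE_SUDOERS):
        print(f"line {lineno}: {reason}")
```

Any flagged rule whose command is, or calls, a Python script should lose the SETENV tag or have the script run the interpreter with `-E` or `-I` so PYTHONPATH is ignored.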

Comments: 69
@miltondewey573 3 years ago
Man, I was struggling with the privilege escalation and now from this video I've learned something new, thank you so much Ippsec, your videos are such great educational material.
@vonniehudson 3 years ago
@03:00: ORS = Output Record Separator! Wtf never even heard of that! Thanks @ippsec !
@craig3880 3 years ago
also available in powershell under "OFS:"
@maz3146 3 years ago
“This is a easy box” 😂😂 gg ippsec u are the best!
@tzachihazan3459 3 years ago
Thank you ippsec as always amazing video 💪
@jaylal4899 3 years ago
the sql part of the box is arguably the most difficult bit....Thanks Ippsec for the demo, it makes much more sense now.
@kosmonautofficial296 3 years ago
awesome video!
@mehmetux4186 3 years ago
i was preparing for Hollywood movie but i found better one :)
@lazula 3 years ago
I got the reverse shell to work on my first try using pty.spawn() where you had p=subprocess.call(), so there might have been an issue with subprocess's availability (I can't test it since I don't have a subscription). pty tends to be so much more reliable on top of being easy to work with, so it's always my first choice for a shell. Also, you can use *args if you don't know how many arguments the function you're hijacking has.
@zgeekdiver 3 years ago
Ooo the mic sounds crispy.
@DHIRAL2908 3 years ago
It took way longer time in setting my own sql server to accept connections lol!
@pauliehorgan 3 years ago
Yeah, I'd question why this machine was labelled easy, it was a medium for sure
@Eric-the-wise 3 years ago
@@pauliehorgan it was very easy...
@CuteLittleHen 3 years ago
@@Eric-the-wise Perhaps we weren't blessed with your supreme knowledge of penetration testing techniques. Forgive us for being lesser beings, oh mighty Lord Eric. May we find HTB challenges as easy as you do, one magical day.
@flrn84791 3 years ago
@@CuteLittleHen I think what he meant is that the difficulty wasn't in the hacking, but the possible setup which can be new for some people.
@locke8412 1 year ago
@@CuteLittleHen eric the wise
@lazarvukasinovic4878 3 years ago
this was very interesting one
@nonasuomynona1734 3 years ago
Balkans?
@lazarvukasinovic4878 3 years ago
@@nonasuomynona1734 jes maj frend
@nonasuomynona1734 3 years ago
@@lazarvukasinovic4878 epik
@scottieaustin1397 3 years ago
When you discovered the admin_tasks.php, could you just have done command injection using the "tasks" parameter as part of the HTML request? @19:50 you might have been able to do like ?task=&& whoami or something like that?
@lazula 3 years ago
This won't work because the parameter must be a literal number between 1 and 7. I tried a few different null terminators to get around this but it's a red herring.
@scottieaustin1397 3 years ago
@@lazula ah okay, cool thanks! I hadn't actually messed around with this box, it was just a thought I had while watching the vid.
@onlyastron4ut 3 years ago
Had a go at this box today but unfortunately it retired while I was going at it. Foothold was such a pain, I couldn’t find anything for hours. I even checked all the images for any stego.. I ended up trying different wordlists on the /admin-dir directory and finally found that juicy file with the ftp creds. Managed to login over ftp and wanted to grab the files but the box wouldn’t let me because it got retired that instant :-(
@geeshta 3 years ago
I think the lazy eval() approach would work if you wrapped the content of the function in single quotes, eval() evaluates a string (and there already were double quotes somewhere). Not that the reverse shell worked anyway.
@JuanBotes 3 years ago
thanks again
@PolTen72 3 years ago
That's odd, I tried this box, but when I used nmap it showed me other ports open, like 25, and 80 was filtered
@checknate8820 3 years ago
I don't mean to be spammy, but I wrote a python script for that pentest monkey page called insta_shell. You supply the type of shell, the ip, and port and it fills out the correct syntax for you. It's on GitHub. If anyone wants to try it, I can provide more info. Saves you the time of actually going to the website and finding the right shell to modify
@pn_tedro3013 3 years ago
One question, when you got the user waldo and understood that you can execute a file with a sudo perm, you chose to get a shell, but could you just write a bash script to copy the root.txt to a new txt file in the waldo home dir? is it possible? If anyone else can answer i will appreciate it.
@redpanda31337 3 years ago
Yes you can just: bash -c "cp /root/root.txt /tmp/root.txt" Instead of the command ippsec used, but why would you just want to copy the root flag if you can get a root shell and potentially just get a backdoor in the system for the long run? Speaking for a real-life engagement.
@pn_tedro3013 3 years ago
@@redpanda31337 yes, thank you, because this is a box and i know already where is the root flag, just dont wanted to mess up with the shell as he did, im lazy, i know
@DHIRAL2908 3 years ago
@@pn_tedro3013 also, anyone else would be able to access the root flag as well.. so it's better to not spoil it!
@marcostorres572 3 years ago
:)
@kret63 3 years ago
See You next week!
@Kiiib4 3 years ago
Hey there Ipp! Since your Patreon is paused due to the recent events: Is there any way I can toss a few coins to you? I just want to thank you for the great content and all the things you've taught me so far :).
@bdorr17 3 years ago
how do you split the console like that, you are like a keyboard wizard with shortcuts...I have tried forever to tab out the standard parrot terminal and I can't. Additionally, I had to use terminator and right click for tabs. any help would be greatly appreciated. Love the vids
@bdorr17 3 years ago
@True Miller I have tried tmux before, but can't seem to figure out how to split the terminal, I google how to and it seems I keep messing it up in some way
@armandkruger911 3 years ago
I always replace the reverse shell with "chmod +s /bin/bash" to just make /bin/bash and SUID instead of causing more egress traffic out... Hitting "bin/bash -p" then you are root... Reverse Shells are always buggy
@ippsec 3 years ago
I avoid doing things like that because of the insecurity it creates *especially* if you forget to clean anything up. Reverse shells are buggy but it's a bit safer than just dropping an easily findable binary that lets anyone privesc.
@armandkruger911 3 years ago
@@ippsec Thanx a lot! makes sense, something one can forget very easily!
@lutfahelal9140 3 years ago
Since when did KZbin start adding two unskippable Ads???
@longdashes 3 years ago
I really enjoyed this box. I do not understand its relatively bad rating.
@aidancollins1591 3 years ago
The Gobuster thing (needing to run it on utility scripts) has people worked up.
@longdashes 3 years ago
@@aidancollins1591 Yeah I was stuck on that a bit myself, but I think it was pretty manageable. The other stuff, especially the getting onto the box due to the adminer exploit was pretty cool imo.
@aidancollins1591 3 years ago
@@longdashes Yea, I didn't see it as too much of a hurdle either. I think some people are just a little impatient (strange for hackers) and get flustered when the tools don't give them something that is immediately suspicious.
@Eric-the-wise 3 years ago
Es q ell...oh boy
@danieldolen1945 3 years ago
Which linux distro are you using?
@themasterofdisastr1226 3 years ago
Parrot os
@Rahul-me8ws 3 years ago
How to get so much knowledge like you
@pauliehorgan 3 years ago
I really didn't like this box. It needed such a leap to run gobuster again on the utility scripts folder. and "the usual" wordlist didn't have what was required
@rujotheone 3 years ago
Good video. Where can we get that wordlist?
@flrn84791 3 years ago
SecLists
@ajjjjjjbullrider 3 years ago
I found this program called ShellGen github.com/thejoker3000/ShellGen where you can create shells automatically. I use it sometimes and it comes in handy when I need a new shell. Someone called Th3J0k3r made it. Might want to take a look at it.
@Ms.Robot. 3 years ago
I'm your admirer💋.
@user-fp6dt1os1l 3 years ago
That whole nmap "optimisation" thing at the start is totally unnecessary, nmap only runs scripts on open ports anyway
@craig3880 3 years ago
I don't think it's strictly for this box. He's showing examples of "how" to use the tool other than just typing the usual. The great thing about ippsec is that he teaches you little tips and tricks that you might need on other boxes or for a specific reason. This is a very simple method for showing a powershell way to filter output from one tool and use it with others.
@bruh_5555 3 years ago
Fact: all great hackers are lazy, that's what makes them great
@Eric-the-wise 3 years ago
Keep telling that to yourself skiddie
@themasterofdisastr1226 3 years ago
@@Eric-the-wise Yeah and while everybody else is pwning anything left and right, you are writing your programs and waste your time. Deal? Deal.
@bruh_5555 3 years ago
@@Eric-the-wise your condescending nature shows you're the skid
@Eric-the-wise 3 years ago
You little skiddies are so cute 😊
@bruh_5555 3 years ago
@@Eric-the-wise ok boomer
@muralidharansubburaman8863 3 years ago
Hi great explanation.. I know u r using parrot os .. i would like some help in tmux session.. u have ur ip address and u r running bash in zsh .. i would like to know how.. any help will be great
@jacquesmit502 3 years ago
Ippsec is using the Hack the box “pwnbox” that’s an in-browser parrot install for VIP users. There is a github repository showing how to set up your parrot to look the same. Can’t remember the link now but just google: pwnbox site:github.com
@muralidharansubburaman8863 3 years ago
@@jacquesmit502 thank u