HackTheBox - Secret

Views: 23,893

IppSec

A day ago

00:00 - Intro
01:04 - Start of nmap, talking about seeing two ports with the same HTTP banner
03:20 - Checking out the webpage to discover source code and some docs
04:00 - Always RTFM: playing with the API to register a user, log in, and check our privilege level
05:50 - Renaming our Burp Repeater tab by just double-clicking on the number
07:30 - Trying to log in with a name instead of an email
10:10 - Testing our login token to find out it uses JWTs in a non-standard way
10:50 - Analyzing the source code to see the token is sent in a header called "auth-token"
12:40 - Looking at the git commit history to see there is a hard-coded secret in an older commit, and forging a token
13:40 - Changing our token's user, going back to the source code and seeing "theadmin" is a hard-coded administrative user
14:30 - Talking about the importance of rotating secrets in a web application
16:30 - Analyzing private.js, which shows a logs endpoint that is vulnerable to RCE
17:50 - Testing command injection and getting a reverse shell
22:00 - Noticing we are a user on the box and our shell is /bin/bash; dropping an SSH key for a second way into the box
23:40 - Checking the NGINX configuration to see if there is any difference between the two websites (port 80 and 3000); there isn't
25:20 - Running LinPEAS, discovering a custom SetUID binary called count
30:00 - Running the custom count binary against /etc/shadow, discovering it can read files as root but not write files as root
31:57 - Examining the source code to discover it allows dump files to be created
33:15 - Failing to kill the Linux process with the correct signal
34:50 - Pulling up the man page for kill and listing all signals, then killing the process with a segfault (SIGSEGV, 11)
36:40 - Using apport-unpack to extract the crash report into readable files
37:23 - Examining the core dump to discover the file we read is there! Then doing the same thing with an SSH key to get root on the box
40:00 - Showing how file descriptors (/proc/<pid>/fd) work and failing to pull the SSH key, because the key isn't readable by us
41:30 - Failing to dump the heap memory with dd as a regular user
44:10 - Back to examining the fds in /proc, showing that if we had permission to read the file, we could bypass the directory permissions by cat'ing the file handle
48:00 - Dumping the heap of the process as the root user to show we can extract the file from the process's memory
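The 12:40 and 14:30 points (an HS256 secret recoverable from git history, and the need to rotate it) in defensive form, as an added example that is not the box's code: a verifier that loads secrets from the environment, pins the algorithm, picks the secret by the token's kid, requires an expiry, and rejects anything signed with a retired secret. The keyring layout, the JWT_SECRET_* variable names and the fallback values are assumptions constructed for this example.

```python
import base64
import hashlib
import hmac
import json
import os
import time
from typing import Optional

def b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))

def b64url_encode(b: bytes) -> str:
    return base64.urlsafe_b64encode(b).rstrip(b"=").decode()

CURRENT_KID = "2024-02"  # assumed key id of the newest keyring entry

def load_keyring() -> dict:
    # Secrets come from the environment, never from a file that ends up in git history.
    # The fallbacks are constructed for this example; a real deployment would fail closed.
    return {
        "2024-01": os.environ.get("JWT_SECRET_2024_01", "CONSTRUCTED-retired-secret"),
        "2024-02": os.environ.get("JWT_SECRET_2024_02", "CONSTRUCTED-current-secret"),
    }

def sign(claims: dict, keyring: dict, kid: str = CURRENT_KID) -> str:
    # HS256 JWT: base64url(header).base64url(payload).base64url(HMAC-SHA256 over the first two)
    header = {"alg": "HS256", "typ": "JWT", "kid": kid}
    signing_input = (b64url_encode(json.dumps(header, separators=(",", ":")).encode()) + "."
                     + b64url_encode(json.dumps(claims, separators=(",", ":")).encode()))
    sig = hmac.new(keyring[kid].encode(), signing_input.encode(), hashlib.sha256).digest()
    return signing_input + "." + b64url_encode(sig)

def verify(token: str, keyring: dict, now: Optional[float] = None) -> Optional[dict]:
    # Returns the claims on success and None on any failure; the caller treats None as unauthenticated.
    try:
        h64, p64, s64 = token.split(".")
        header = json.loads(b64url_decode(h64))
        if header.get("alg") != "HS256":  # pin the algorithm server-side; never trust "alg" from the token
            return None
        secret = keyring.get(header.get("kid"))
        if secret is None:  # unknown or retired kid: tokens minted with a rotated-out secret stop here
            return None
        expected = hmac.new(secret.encode(), (h64 + "." + p64).encode(), hashlib.sha256).digest()
        if not hmac.compare_digest(expected, b64url_decode(s64)):
            return None
        claims = json.loads(b64url_decode(p64))
        if "exp" not in claims or claims["exp"] < (time.time() if now is None else now):
            return None  # expiry is mandatory so a leaked token is at least time-boxed
        return claims
    except (ValueError, TypeError, KeyError, AttributeError):
        return None
```

Rotation is then a deployment step: add the new secret under a new kid, start signing with it, and drop the old kid from the keyring once its tokens have expired.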

Comments: 54
@readysetexploit 2 years ago
34:05 "I don't know what I am doing" me all the time. Thanks for the video!
@AUBCodeII 2 years ago
Hey ipp. If you ever come to Brazil, I'll buy you a glass of ippbeer.
@honybeeskingdom 2 years ago
I'm going to invite him to Saudi first
@yurilsaps 2 years ago
Brazil first! I'll buy you some Jabuticaba
@johnwest3325 2 years ago
Tonight I had a dream about Ippsec. He uploaded a video just talking about his favourite snacks. It became the most watched video on YouTube. Please keep it up. You are awesome!
@pswalia2u 2 years ago
Thanks for showing the importance of closing the fd at the end!!
@PhotoSlash 2 years ago
I have no idea how this dude manages to remember every tool and its flags. Best part is that it's not always the same tools on every machine but he just knows them lmao. Can't imagine the study behind it and the time spent, that's dedication at its best.
@v380riMz 2 years ago
Don't forget these boxes are already owned by him, so he knows how to lay it out for the video. Most of the time it's just trial and error with the tools you already know. I myself keep a note file with steps I can take for each different phase, i.e. nmap/dirbusting/fuzzing etc., checking headers for info, setting domain names in the /etc/hosts file. No results? Poke the website, find extensions, try different nmap scans like UDP or all ports, you name it..
@PhotoSlash 2 years ago
@v380riMz yeah same here hahah :)
@v380riMz 2 years ago
@PhotoSlash it's still pretty hard nonetheless. Even easy boxes 🤣
@Ms.Robot. 2 years ago
This was very well explained and carried out.
@dopy8418 2 years ago
If you're a basketball player you watch NBA games to get inspired and replay them all the time to understand. If you're a CTF player, you do the same with this.
@BlueIsLeet 2 years ago
Thanks for the great content IppSec!
@k24a2vtecpower 2 years ago
You are the man, keep up the great work....
@AvinashKumar-fe8xb 2 years ago
ssh-keygen already creates keys with the correct permissions. I think it's just you doing chmod 600 out of habit every time. Great video as usual, learned the file descriptor thing, awesome. :)
@BroodPitt 2 years ago
Awesome! Great video
@alwan7777 2 years ago
🔥🔥🔥✊go go
@Soda-stream 2 years ago
This man is amazing. Respect
@ghsinfosec 2 years ago
This was a great box!
@walkingcore9196 2 years ago
Just a note. I actually did this box without downloading the source code, since I didn't see the button (lol). If you look at the images on the website, you can actually see they are pulled directly from a GitHub repo, and if you go there you have the code and the secret in the commits directly.
@berndeckenfels 2 years ago
It's an interesting lesson that dropping permissions, which is usually best practice, caused this dump vulnerability in this case
@Pentestingwithspirit 2 years ago
It was fun watching this walkthrough, haha, but I guess it was really a long day for you at the time you recorded this video. But great walkthrough as always xD, learned something new about fds
@ippsec 2 years ago
Haha it was early in the morning - That was just a joke earlier, I didn't do any prep for this box. I knew the path from testing it months ago. The box changed from when I tested it and that threw me a curve ball. As originally there was a file that was owned by dasith in /root, that you read via the file descriptor. I hadn't seen the core dump thing until recording the video.
@Pentestingwithspirit 2 years ago
Ahhh really, was it morning back then? I thought it was really a long day for you because of the way you fumbled at 46:35, haha, that was funny when you were not able to talk. But I guess I get you, sometimes while making these videos we start fumbling. But thank you for creating this great walkthrough.
@ippsec 2 years ago
@Pentestingwithspirit Haha yeah, normally I would edit something like that out when I get tripped up. However, I was trying to do it with minimal/no editing since it was an easy rated box.
@Akshay1165 2 years ago
Is your name Shubham?
@cristianmorillas2247 a year ago
Thanks bro!
@earthlyelder 2 years ago
Thank you bro
@jaopredoramires 2 years ago
amazing privesc on this one
@snulch 2 years ago
Great walkthrough but I couldn't get the root SSH private key. When I do grep BEGIN "filename" it doesn't come up with anything. Anyone got any ideas?
@captainsalazar7166 2 years ago
How do I upload web challenges to HTB, sir? I need to know this because I develop CTFs and I want to contribute to HTB or become a kind of part of it.
@davidnagy4723 2 years ago
Hey, again: could you please write in the video title what level the box is that you're doing? I'm a beginner and I'd very much like to learn new things, but right now I think I could only deal with easy boxes myself, so from hard boxes I'm not sure if I could learn much as it's just too complicated probably
@gabrielsantos19 2 years ago
Go to his channel, then playlists
@Eric-EMP 2 years ago
You sound like John Hammond 🥰🥰
@ZakariaHABRI 2 years ago
24:00 Anyone know where I can read about stealth entries? And potentially how to counter them.
@samu5167 2 years ago
I'm not a pro hacker, but you should be aware of what processes are running, and if you see something unfamiliar you should check what it does
@fuegopuro5933 2 years ago
Ippppppppppsseeeeeeeeeeeeeeeecccccccccc!!!!!!!
@declanmcardle 2 years ago
(@21:30 Looks up what Ctrl-B = does in tmux...or is it just a typo...)
@theone3428 2 years ago
ctrl + B isn't a thing, ctrl + b is the default prefix key, but he hit it in Burp, so all of that is irrelevant.
@russellwaite 2 years ago
You got access in under 10 minutes but it took me an hour... I need to get better.
@rdarkmind 2 years ago
first
@theone3428 2 years ago
Easy user, medium priv esc at least.
@delayslot5601 2 years ago
PwnKit was not patched on this box, got root this way a few days before the box became retired
@_hackwell 2 years ago
I was lazy enough to just get the root flag from the core dump 😁
@STFUandFY 2 years ago
Can someone enlighten me, why was the root key in the crash report 🥴
@ippsec 2 years ago
The program allowed users to read files as root. We crashed the program after reading the key, so it was still in memory.
@sudosuraj 2 years ago
I never remember your face!
@ZanzaYTP 2 years ago
You need to update nmap to 7.92
@defyteryt2452 2 years ago
This box should be rated medium, I'm really struggling with the exploitation part
@pepax3 2 years ago
I did this box a few days ago, I guess I got lucky because I don't have VIP so I couldn't do it right now
@muhammadghareeb399 2 years ago
.
@jaopredoramires 2 years ago
ipspec