HackTheBox - OnlyForYou

14,458 views

IppSec

A day ago

00:00 - Introduction
01:00 - Start of nmap
03:20 - Discovering beta.only4you.htb
03:55 - Downloading the source, scanning with Snyk and discovering a file disclosure vuln
05:15 - Demonstrating that os.path.join in Python will do unexpected things if a path component begins with a slash
07:30 - Failing to get /proc/self/environ, not sure why we failed here
09:20 - Grabbing the nginx configuration to discover where the websites are stored, using the file disclosure vuln to leak the source of the main website
11:15 - Discovering a vulnerability when sending mail
12:10 - Talking about how we will bypass the bad character check: re.match only matches at the start of the string, not the entire string
16:10 - Getting code execution from the contact form
18:45 - Reverse shell returned, looking for databases, and discovering a few ports listening on localhost
22:30 - Uploading Chisel so we can access ports 3000 and 8001
25:40 - Start of Neo4j Injection, discovering we are in a contains statement
30:00 - Going to HackTricks and discovering we can use LOAD CSV to leak data out of band
32:25 - Leaking the labels, then grabbing users and hashes
38:30 - Logging in with John, discovering we can use sudo with pip to download a tar off Gogs
40:25 - Creating a malicious Python package for us to download, then uploading it to Gogs
44:10 - Showing that the pip download command will execute setup.py and getting root
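The two Python pitfalls called out at 05:15 and 12:10, each shown next to a hardened form. This is an added illustration, not the box's source code: the download root, the character allow-list and the function names are assumptions.

```python
import os
import re

# Added illustration of two Python pitfalls: os.path.join discarding earlier
# components when a later one is absolute, and re.match anchoring only at the
# start. BASE_DIR and ALLOWED are assumed values, not the box's real source.
BASE_DIR = os.path.realpath("/var/www/only4you/files")  # hypothetical download root


def naive_join(user_path: str) -> str:
    """Vulnerable: an absolute user_path makes os.path.join drop BASE_DIR."""
    return os.path.join(BASE_DIR, user_path)


def safe_join(user_path: str):
    """Hardened: resolve the path and reject anything outside BASE_DIR."""
    candidate = os.path.realpath(os.path.join(BASE_DIR, user_path))
    # commonpath() is the containment check; a plain string prefix test is not,
    # since "/var/www/only4you/files2" would pass a startswith() comparison.
    if os.path.commonpath([BASE_DIR, candidate]) != BASE_DIR:
        return None
    return candidate


# Hypothetical allow-list for a form field; the hyphen is last so it is literal.
ALLOWED = re.compile(r"[A-Za-z0-9 .,!?@-]+")


def naive_is_clean(text: str) -> bool:
    """Vulnerable: re.match succeeds on any allowed prefix and ignores the rest."""
    return ALLOWED.match(text) is not None


def strict_is_clean(text: str) -> bool:
    """Hardened: re.fullmatch requires the entire string to be allowed."""
    return ALLOWED.fullmatch(text) is not None


if __name__ == "__main__":
    for p in ("reports/q1.pdf", "/etc/passwd", "../../etc/passwd"):
        print(f"{p!r:22} naive={naive_join(p)!r:44} safe={safe_join(p)!r}")
    for t in ("Hello, thanks!", "Hello; trailing text"):
        print(f"{t!r:24} match={naive_is_clean(t)} fullmatch={strict_is_clean(t)}")
```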

Comments: 25
@ChristopherPelnar (9 months ago)
IppSec's opening nmap statement before every box is comparable to Bruce Buffer's, "Let's get ready to rumble!!!!!!!!!!"
@fabiorj2008 (11 months ago)
Excellent. Very cool box and writeup
@_7RAW (11 months ago)
It's a walkthrough, not a write-up 😊
@PhilocyberWithRichie (11 months ago)
Great, thanks for sharing! The last part was pretty hard.
@Rogerson112 (11 months ago)
Love you!
@StevenHokins (11 months ago)
Awesome box
@mistacoolie8481 (11 months ago)
brutal
@chrisbowel3084 (11 months ago)
First Comment
@jimjim8125 (11 months ago)
Awesome box! How did you make a reverse proxy over SSH without reconnecting to SSH again?
@somerandomwithacat750 (11 months ago)
He used the internet
@christophsarnowski9849 (10 months ago)
start ssh with "-o EnableEscapeCommandline=yes" (or put that into your ssh config file), then in the ssh session, press ~C
@tg7943 (11 months ago)
Push!
@qdza (11 months ago)
Do you solve the labs before recording, or is it all live?
@buckbarrette898 (11 months ago)
What is the name of that Visual Studio plugin you use to check for vulnerabilities? Could you please tell me?
@gokul6120 (11 months ago)
What have you done with Firefox so that it opens a link in a new tab?
@spacenomad5484 (11 months ago)
OMG I didn't realize the first RE only matches the BEGINNING... I spun up a bind DNS server and served a TXT record with my payload after the include: because that's a wildcard match :D :D :D
@user-dk4hw9if1z (11 months ago)
How did he know to do VHOST with gobuster near the beginning?
@orpheus0108 (11 months ago)
Always good to have some recon going in the background to see if there are other subdomains the server will route to. On this box, I found the vhost in the source before I remembered to launch my own recon. Also, it's a good idea to rerun Nmap scripts after you add a discovered vhost to your hosts file so that Nmap can follow the redirect. I almost missed a ".git" directory on another box because for some reason my feroxbuster didn't find it, but rerunning Nmap with the vhosts added to /etc/hosts found the .git.
@AUBCodeII (11 months ago)
Only for me, Ipp? 🥺
@VologodskoNovgorodski (11 months ago)
Only for fans...
@nirlevy8079 (11 months ago)
Hi there! For me, bypassing the "Hacking Detected" in the LFI, I URL-encoded the ../ and it worked! Then I had access to any file on the machine.
@PrakashKumar-se1qk (11 months ago)
I tried similar URL encoding, but it got identified: %2e%2e%2fetc%2e%2e%2fpasswd
@LegitZero (10 months ago)
@PrakashKumar-se1qk You need to put a "/" at the beginning, as that's the bypass in the source code.