HackTheBox - UpDown

Views: 17,810

IppSec

1 day ago

00:00 - Intro
01:00 - Start of nmap
01:30 - Testing the webhook, examining the request the server makes
05:30 - Trying other URL Wrappers to see how the application behaves
08:10 - Finding the .git subdirectory, running git-dumper to extract source code
10:55 - Finding and explaining the LFI Vulnerability
12:10 - Attempting to use the php filter to extract source code, does not work, turns out there's another website
14:00 - Discovering there is a special header required to access the DEV website
16:00 - Configuring BurpSuite to add the header for us
18:15 - Explaining the LFI and why we are going to use a phar file to get code execution
22:30 - Attempting to get a shell; when executing our file we get an HTTP 500 error. Simplifying the payload to confirm it works.
26:00 - Examining phpinfo to see disabled functions, and discovering system() was blocked
27:00 - Converting the dfunc-bypasser script to PHP, so we can just upload it to the server and have it tell us what is available
29:15 - Showing off GitHub Copilot, turns out it didn't exactly give me what I wanted.
31:00 - Uploading our script to check dangerous functions and identifying we can use the proc_open() function
32:00 - Creating a script to send us a reverse shell, more GitHub Copilot finishing our code for us
35:20 - Exploring the developer home directory, finding a setuid Python binary that uses input(), exploiting it to get the developer user
39:30 - We can run easy_install with sudo, getting root
40:30 - Explaining the Code Execution without dropping a file, by using gadgets with php filters to create text for us

Comments: 40
@Sjums · 1 year ago
With git you can add `-p` to `git log` to see all changes with each commit. For smaller changes it's very easy to look through changes for a repo. Additionally you can do `git log -p -- some/path-or-file.php` to show only the log (and changes) for certain directories or files :) Have fun and thanks for the great content!
@fewr.x · 1 year ago
To open your cwd in vscode (at 9:13), use 'code .' as 'code' doesn't specify a file/folder path to open and instead restores the last session. Also, the setting 'security.workspace.trust.enabled' can be used to disable workspace trust if the popup is annoying.
@joyemoticon · 1 year ago
Nice, the first video to handle LFI2RCE with PHP filters. A game changer for many boxes.
@elrich3068 · 1 year ago
IppSec, can you bring back doing live easy or medium boxes? I really enjoy your thought process. I know scripted videos are cleaner and more time-efficient for both you and the viewers, but I learn a lot more from live/black boxes.
@dewlemons · 1 year ago
Doing write-ups or walkthroughs for live boxes is against the rules, pretty sure.
@claytonreardon42069 · 1 year ago
I think OP is referring to the videos where Ipp will post a video of him doing the box the first time, as opposed to videos where he's already done the box and then just takes us through. I also agree with OP, seeing the way you approach a box and tackle problems in itself can be very educational. I'd love to see more of that.
@elrich3068 · 1 year ago
@dewlemons No, I meant he does the box live (without any preparation). I know you're only supposed to post write-ups on retired machines, not live boxes.
@elrich3068 · 1 year ago
@claytonreardon42069 Exactly.
@Myk4my · 5 months ago
I laughed a lot with IppSec making this machine; the comedy tone in some parts was very good.
@solcloud · 1 year ago
Thank you for video! That php filter chain trick is cool 🙂
@sand3epyadav · 1 year ago
Once again I love IppSec, easy to explain... I know how to pwn this box. But I am addicted; without watching your video I can't live...
@uvaissaifi6728 · 1 year ago
Really knowledgeable video 🙂❤️❤️
@markuche1337 · 1 year ago
Great video🔥
@ellerionsnow3340 · 5 months ago
This one was a bit confusing. The proc_open reverse shell, it was nice you were able to write it yourself. I had trouble searching online for a rev shell for proc_open.
@kibaman333 · 3 months ago
You'd want to search for "php proc_open command execution" instead of reverse shell, since you'll be inputting the revshell command inside the php code.
@dylanraharja2678 · 1 year ago
Hey, I want to ask how you were able to copy whilst scrolling in tmux. Which key were you holding while you were highlighting?
@uvaissaifi6728 · 1 year ago
Big fan bro
@monKeman495 · 1 year ago
awesome
@mozzamileltayeeb2948 · 1 year ago
What extension did you use in VS Code to get autocompleted code like this at 32:00? Or maybe you don't use an extension?
@Fleeenz · 1 year ago
It’s called GitHub Copilot
@Ms.Robot. · 1 year ago
❤️ 😳🤯🤩
@user-oj3ij6rl6p · 4 months ago
nice
@user-vu4tf3eb9l · 1 year ago
Why would the file delete itself unless you open a nc to your machine first?
@bobbobety · 1 year ago
it's in the source code - once it checks all the lines in the script to see if they are "online", the file is deleted. By listening on nc and not responding, you cause the server to "hang" for a period while it tries to work out if you're online, and that gives you the time to do what you need to do.
@tg7943 · 1 year ago
Push!
@alwan7777 · 1 year ago
🤖👽👽👽
@css2165 · 1 year ago
Can you teach us how to make malicious Linux kernel modules?
@lebleb8603 · 1 year ago
@Cephandrius Maxtori is it worth the hype?
@lirothen · 1 year ago
if you have permission to load kernel modules, you're already root. If you're restricted to CAP_SYS_MODULES, grab kallsyms and hook something useful with kprobes. Adding extra legwork, kernel modules must match the exact version of kernel the user is running, and sometimes require a signature that's verified up the chain by the bootloader. It's not very practical to me. Would be more practical to make a bpf program for information extraction and then get root through userspace normally.
@css2165 · 1 year ago
@lirothen I agree it would be easier to go the userspace way; however, I think a video about Linux kernel modules would be very informative.
@eclipssed4x · 1 year ago
You are way too Smart 🤓 man ♂️
@nomercy7101 · 1 year ago
How does VS Code teach code? AI? I want to know about that.
@OmerFarukBilgiseven · 1 year ago
Why do you always use port 9001?
@joeymelo2882 · 1 year ago
Because it's over 9000. kzbin.info/www/bejne/iZqweYeBZpqDn80
@elrich3068 · 1 year ago
Over 9000.
@neunzehnvierundachtzig · 1 year ago
Everyone who watches Ippsec Loves port ✨ 9001 ❤️
@tntxqx8281 · 5 months ago
Me either
@codermomo1792 · 19 days ago
I prefer using a port like 443, especially for Windows machines (because of the firewall).
@EricHogue · 1 year ago
I think the way I did the RCE was simpler. I uploaded a .phar file with PHP code in it. Then I directly accessed it in '/uploads/SessionID/rce.phar'. No need to go through the LFI.