HackTheBox - Monitored IppSec 2024-05-11 | 00:00 - Introduction01:00 - Start of nmap02:40 - Examining the webpage, not finding much05:30 - Checking out SNMP, discovering its open with the default community string. Installing MIBS so we can make sense of the data08:20 - The process list is in SNMP, explaining how to read this data12:40 - Grepping interesting processes discovering there's a bash script that has user credentials in arguments! Attempting to log into Nagios with it 14:00 - The SVC Account couldn't log in on the GUI, Looking for how to login via an API15:45 - Logging into Nagios, discovering it is version 5.11.0 which is vulnerable to a SQL Injection17:40 - Manually exploiting this Error Based SQL Injection with XPATH26:45 - Using Burpsuite Intruder to dump the TABLES, then edit the columns in burpsuite to show tables easily33:40 - The APIKEY is too long to display, using SUBSTRING to grab the APIKEY in multiple requests35:45 - Finding a way to register a new user with our API KEY and make them an administrator39:00 - Creating a Nagios Check to send us a shell41:20 - Showing how to perform the SQL Injection through SQLMap49:00 - Finding the MySQL Password of Nagios51:00 - Discovering the Nagios user has a bunch of sudo rules57:00 - (Root method 1) Exploiting GetProfile through creating a SymLink59:00 - (Root method 2) Overwriting the Nagios Binary than using Sudo to restart the service to get a root shell
HackTheBox - Napper IppSec 2024-05-04 | 00:00 - Introduction00:55 - Start of nmap, showing -vv will cause the output to contain TTL04:40 - Checking out the website05:23 - Doing a VHOST Bruteforce to discover the internal domain and discovering credentials on a blog post07:30 - Checking out the NAPListener blog post, which gives us a way to enumerate for the NAPLISTENER Implant10:30 - Showing the Backdoor code to discover how it works12:30 - Building a DotNet Reverse Shell and renaming the method to Run, then using Mono (mcs) to compile14:45 - Converting the DLL to base64 and getting NAPLISTENER to execute it19:20 - Discovering a draft blog post talking about them getting rid of laps and building a custom solution that uses elastic24:00 - Setting up a tunnel with Chisel so we can talk to Elastic25:55 - Using curl to enumerate Elastic30:20 - Reversing the Golang binary with Ghidra42:30 - Creating a Golang Binary to grab a document (seed), then using search to grab the blob, and decrypting it with AES-CFB47:30 - Connecting to Elastic, using a Proxy56:00 - Grabbing the Seed with the Golang Elastic Library1:03:00 - Grabbing the Blob with Golang Elastic Library1:09:45 - Using the Seed to generate our 16 byte key1:13:53 - Creating a decrypt function1:16:30 - Getting the PlainText then using RunasCS to get a reverse shell as the Backup User, which is administrator
HackTheBox - Devvortex IppSec 2024-04-27 | 00:00 - Intro01:00 - Start of nmap03:45 - Discovering dev.devvortex.htb is a Joomla Page, showing JoomScan and enumerating version manually through manifests07:00 - Looking for Joomla Exploits for version 4.2.6, discovering a way to view application config as an unauthenticated user09:40 - Start of deep dive into the exploit, looking at commits on the day the advisory said this was patched10:50 - Showing the fix just shows it is a mass assignment vulnerability, looking at how this works17:10 - Showing fuzzing for arguments with ffuf would have caught this26:18 - Logging into Joomla, then placing a shell in the Joomla Templates32:15 - Logging into the database, cracking a hash to gain access to another user35:30 - Taking a look at sudo discovering apport-cli, gtfobins comes up with nothing, looking at the version to discover an exploit within how it uses PAGER
HackTheBox - Surveillance IppSec 2024-04-20 | 00:00 - Introduction01:00 - Start of nmap02:45 - Discovering an exploit for Craft CMS, it doesn't work out of the box because of a typo on exploit-db looking into this exploit06:00 - Walking through the Exploit Script11:45 - Getting a shell on the box with the script that was on Github14:45 - Logging into the CraftCMS Database, finding the password17:30 - There is a backup of the database in the storage directory, which contains an old password for Matthew 22:45 - Linpeas shows us configurations for ZoneMinder, which lets us into another table of the database25:20 - Setting a port forward so we can access ZoneMinder, then updating the password so we could login (not needed but fun to do)29:20 - Showing an unauthenticated exploit in ZoneMinder31:40 - The ZoneMinder user can run zoneminder scripts with sudo33:30 - Finding a command injection in ZMUPDATE, getting shell as root42:20 - Showing ZoneMinder lets you set the LD_PRELOAD which is another way to get root55:50 - Showing the intended way to exploit ZoneMinder to get a shell as the ZM User, authenticated RCE
HackTheBox - Hospital IppSec 2024-04-13 | 00:00 - Introduction01:00 - Start of nmap03:00 - Analyzing the TTL to see that the Linux Host is likely a Virtual Machine. Also Docker is not at play since it decremented07:00 - Attacking the PHP Image Upload Form, discovering we can upload phar files13:48 - Uploading a php shell, discovering there are disabled functions blocking system17:15 - Using dfunc bypass to identify proc_open is not disabled and then getting code execution23:00 - Reverse shell returned on the linux host26:00 - Uname shows a really old kernel, then doing CVE-2024-1086 which is a NetFilter exploit between kernels 5.14 to 6.6, getting root and then cracking the hash to get drwilliams password29:20 - Talking about Man Pages and how they are organized to identify $y$ is yescrypt33:40 - Logging into RoundCube, discovering an email that indicates that drwilliams runs GhostScript with EPS Files, looking for exploit36:00 - Building a malicious EPS File with a powershell reverse shell43:40 - PRIVESC 1: Uploading a shell in XAMPP and getting system52:30 - PRIVESC 2: Discovering an active session, using meterpreter to get a keylogger running and stealing the password1:01:50 - While we are waiting for keys to be typed, lets inject a Reverse VNC Server so we can watch the screen1:10:08 - PRIVESC 3: Showing we could just remote desktop as Chris Brown and then view the password
HackTheBox - Codify IppSec 2024-04-06 | 00:00 - Introduction01:00 - Start of nmap02:50 - Playing with the Javascript Editor, discovering filesystem calls are blocked04:45 - Discovering the sandbox is vm2, going to github discovering it is discontinued with known security issues06:30 - Getting code execution, then a reverse shell09:50 - Discovering a second website with a database, cracking hashes in the database12:50 - Discovering Joshua can run a bash script with sudo15:00 - Looking at the Bash Common Pitfall guide which shows the error in the if/then logic in the bash script15:55 - Explaining why the bash if/then is exploitable when user input is on the right side and unquoted18:30 - Bypassing authentication in the script with a *, then looking at processes and seeing mysql censored the password on ps20:50 - Running pspy which will grab the cmdline arguments before mysql has a chance to rewrite argv21:50 - Showing HIDEPIDS in /etc/fstab to hide processes of other users24:30 - Writing a program that can spoof argv on linux26:30 - Showing how we grab the memory location of argv27:30 - Looping over each argument, so we could overwrite a specific one if we wanted to29:15 - Showing our process run with a blank process33:30 - Making our program ps output blend in more
HackTheBox - Rebound IppSec 2024-03-30 | 00:00 - Introduction01:07 - Start of nmap then checking SMB Shares04:05 - Using NetExec to do a RID Brute Force and increase the maximum to 1000007:00 - Using vim g!/{string}/d to delete all lines that do not contain something to build wordlists10:40 - Using ASREP Roasting to perform a Kerberoast attack without authentication17:40 - Using NetExec to run Bloodhound as ldap_monitor25:30 - Discovering Oorend can add themself to the ServiceMgmt group, which can take over the WinRM Account28:30 - Spraying the password of the ldap_monitor account to discover it shares oorend's password34:20 - Showing BloodyAD to add Oorend to ServiceMGMT then abusing the GenericAll to Service Users, so we can reset WinRM_SVC's password40:30 - Showing a more opsec friendly way to take over WINRM_SVC by abusing shadow credentials so we don't change the accounts password50:00 - As WINRM_SVC we cannot run some commands like qwinsta or tasklist. Using RunasCS, to switch our login to a non-remote login which will let us run these commands54:10 - Performing a Cross Session attack with Remote Potato to steal the NTLMv2 Hash of another user logged into the same box we are59:20 - Using NetExec to read GMSA Passwords as TBRADY1:04:00 - Using findDelagation.py to show constrained delegation from the GMSA delegator account1:11:20 - Using RBCD.py to setup the Resource-Based Constrained Delegation so we can get a forwardable ticket to abuse delegators delegation and impersonate users1:18:20 - Using our ticket that impersonates DC01 and performing secretsdump and then getting Adminsitrator's hash so we can login
HackTheBox - Analytics IppSec 2024-03-23 | 0:00 - Introduction01:00 - Start of nmap03:20 - Discovering Metabase, noticing the HTTP Headers are different. Checking TTL just to see if it decrements from the main web page.07:00 - Searching for an exploit for metabase, then enumerating version 09:30 - Manually exploiting Metabase by pulling the setup-token, then getting injection on the /setup/validate endpoint through the JDBC Driver15:50 - Reverse shell returned18:30 - Discovering credentials in the environment variables, then ssh into the box20:12 - Googling the kernel to discover its vulnerable to GameOverlay24:00 - Explaining the gameoverlay exploit (CVE-2023-23640, CVE-2023-32629)25:50 - Stepping through the exploit manually to understand how the overlay fs works, and what the exploit did to abuse it28:10 - Looking into the permissions of the binaries that were created
HackTheBox - Manager IppSec 2024-03-16 | 00:00 - Introduction01:00 - Start of Nmap03:20 - Checking out the website, deciding there isn't much of interest here05:10 - Running Kerbrute with a userlist to identify valid users05:50 - Showing what Kerbrute is doing with NetExec09:00 - A better way to enumerate valid users, RID Bruteforce, showing it with NetExec10:50 - Using RPCClient to show how RID Bruteforce works14:00 - Using NetExec to bruteforce users with the password of their username17:55 - Showing off the NetExec Database19:30 - Switching over to testing accounts for MSSQL Access with NetExec21:20 - Using Impacket's MSSQLClient to access the MSSQL Server and running XP_DIRTREE to find a backup on the webserver23:20 - Finding a credential for Raven in the backup file26:50 - Using Certipy to find out the server is exploitable to ADCS ESC7, then exploiting it
HackTheBox - AppSanity IppSec 2024-03-09 | 00:00 - Introduction01:00 - Start of nmap, showing 5985 isn't in the top1000 so doing a full port scan04:40 - Taking a look at the MedDigi website07:07 - Taking a look at the Signup Request seeing AcctType09:30 - Changing the AcctType to 2 and getting a different privilege14:00 - VHost enumeration shows the portal.meddigi.htb domain, using our pre-existing session from the main page on this domain to bypass login17:52 - Discovering SSRF in the Prescriptions page19:40 - Discovering the File Upload requires a PDF but checks the magic bytes so we can make a PDF Header on our file and upload ASPX Web Shells25:30 - Going back to the SSRF and discovering we can use time-based queries to identify ports listening on localhost28:30 - Using FFUF to filter by duration to show us the requests that don't take a long time38:22 - Discovering port 8080 shows our upload location, then navigating to it and getting a shell42:22 - Finding DLL's the webserver uses, they are dotnet so copying them to a windows box so we can use dnspy and finding a password45:40 - Using netexec to try the password against all users, then logging in as devdoc53:00 - Looking at the ReportManagement.exe, opening it up in Ghidra56:50 - Using chisel to forward port 100 to our box so we can access ReportManager59:30 - Strings shows that externalupload.dll is right next to the Libraries string1:00:15 - Looking at imports, see CreateProcessW, then going to where the binary calls that process1:03:30 - Doing Dynamic Analysis with ProcMon, creating all the directories/files the program wants1:18:50 - Eventually see it looking for files in the Libraries Directory when doing the upload command1:21:45 - When externalupload.dll exists, we can see it doing a CreateProcess call, creating a DLL that sends a reverse shell1:26:30 - When the DLL is in the libraries and we run upload, we get a shell
HackTheBox - CozyHosting IppSec 2024-03-02 | 00:00 - Introduction01:00 - Start of nmap03:10 - Identify JSESSIONID with nginx, but nginx appears to be configured correctly06:00 - Googling the error message to identify the page uses SpringBoot, using a SpringBoot wordlist to find actuators!10:30 - Using the Sessions Actuator and seeing a session for kanderson, logging in to get to the admin interface14:15 - Finding RCE in the ExecSSH Page23:20 - Shell on CozyHosting, looking at running services26:00 - Examining the CozyHosting Jar to identify PostGres credentials then dumping the users table and cracking hashes33:00 - Josh can run SSH with sudo, using proxy command to get root34:10 - Explaining what ProxyCommand is
HackTheBox - Visual IppSec 2024-02-24 | 00:00 - Introduction00:50 - Start of nmap02:00 - Examining the request the server makes to us04:15 - Using docker to run a Gitea Instance06:20 - Using docker to install a DotNet Container (make sure its the SDK!)09:00 - Using the dotnet CLI to create a project and adding a solutions file to it13:00 - Having the webapp download our repo, then looking at PreBuildEvents to execute commands before it is compiled16:00 - Talking about why this PreBuildEvent exists19:20 - Looking at why our build failed21:30 - Adding a nishang reverse shell to the prebuild event 26:40 - Reverse Shell Returned!29:45 - Writing a webshell as Enox, to get a shell as the Apache Service User34:00 - Using FullPowers to restore our tokens while will enable the SeImpersonate privilege36:00 - Grabbing a good PHP Reverse Shell Script that supports Windows!39:15 - Using GotPotato to abuse the SeImpersonate Privilege and run code as system
HackTheBox - Drive IppSec 2024-02-17 | 00:00 - Introduction01:00 - Start of nmap02:30 - [MasterRecon] Examining CSRF Cookie to discover it is likely Django07:50 - Using FFUF to bruteforce ID's of uploaded files, can discover valid ID's but not view the ID itself14:00 - Accidentally deleting something important when FUZZING, always be careful of what you are doing with tools16:45 - Discovering the /block endpoint allows us to view any file, discovering a file with credentials which lets us log into the server23:00 - Setting up a SSH Tunnel to access port 3000, which is Gitea. Discovering an old commit that has the password to decrypt backups32:00 - Logging into the box as Tom, discovering the DoodleGrive Binary, opening it up in Ghidra38:45 - Looking at the Sanitize_String command, to see what characters we cannot use41:40 - Exploiting DoodleGrive via SQL Injection with the EDIT command, this is easy to exploit because SetUID's preserve environment variables47:40 - Got root, our path is messed up which makes the shell hard to use, however fixing the path is easy50:45 - Exploiting DoodleGrive via LOAD_EXTENSION, by dropping a library and using char() to avoid the sanitize string function54:00 - Our SQL Extension C Code1:02:36 - Failing to use WriteFile() guessing this is because of the size of our input, may incorrectly say buffer overflow here.1:16:20 - Exploit DoodleGrive via Binary Exploitation! Explaining the Overflow and Format String Vulnerability we will use1:19:30 - Creating a python script to find where the Canary exists in memory via the Format String Exploit (%i$lx)1:23:30 - Proving this is the canary by stepping through the program in GDB use $fs_base to examing fs1:25:30 - Finding where we can overwrite the canary with pattern create1:27:55 - Creating a python script to exploit this binary1:43:40 - Converting our pwntools script to use SSH so we can exploit the binary on the target
HackTheBox - Builder IppSec 2024-02-12 | 00:00 - Introduction00:45 - Start of nmap01:45 - Looking at Jenkins Advisory 3314 (CVE-2024-23897), which has a File Read vulnerability in the CLI. Then downloading the Jar03:00 - Explaining the Vulnerability with a quick demo06:00 - Creating a really nasty bash script to fuzz many of the Jenkins Paramaters to see which produce the most number of lines13:45 - Script working, discovering which commands let us export the entire passwd file15:00 - Using docker to pull the latest version of Jenkins, in order to see how it stores credentials21:40 - Extracting the Password Hash for Jennifer and cracking it to get logged into Jenkins24:45 - Showing Jenkins Script Console, a fun way to get code execution on Jenkins. But this isn't the path25:50 - Going into the Credentials Store for Jenkins, discovering a SSH Key is there. Exporting it and then using the Script Console to decrypt it35:00 - Flailing around, trying to export all the secrets needed to decrypt the SSH Key... Don't get it working unfortunately but thought it was good to leave in here.01:00:36 - Exporting the SSH Key through a Jenkins Pipeline
HackTheBox - Keeper IppSec 2024-02-10 | 00:00 - Introduction01:00 - Start of box02:00 - Checking out Request Tracker, login with default creds06:30 - Finding a password in the users description on RT09:00 - Googling how to get keepass passwords from memory11:00 - Talking about how this exploit actually works, its because of the textbox!15:00 - Using strings on the dump file to show how the password looks in memory20:30 - Searching the keepass, finding a putty private key23:00 - Converting the putty key to openssh26:00 - Grabbing root
HackTheBox RegistryTwo IppSec 2024-02-03 | 00:00 - Intro01:00 - Start of nmap03:10 - Enumerating port 5000/5001 to see a Docker Registry and Auth Server06:10 - Creating our auth token for the Docker Registry08:45 - Adding the SSL Cert to our certificate store, then doing a docker pull to download and run the container13:00 - Discovering JSESSIONID Cookie, attempting the weird directory traversal bug of /..;/ (nginx directory didn't have a trailing slash on the location)16:45 - The Examples directory has a sessions example that lets us modify the session, doing this to get a File Disclosure vulnerability then downloading the WAR file hosting the app27:45 - Opening the WAR in JD-GUI then examining the source code, discovering we can change our user to admin by editing the session33:30 - Pointing the RMI.HOST back to us, then use YSOSERIAL to host a malicious server42:50 - YSOSERIAL-MODIFIED Docker is up, using YSOSERIAL to start a JRMP Listener and host a malicious payload46:45 - Shell on the container, showing where IPv6 addresses are stored (/proc/if_inet6) and that we could have gotten this with the file disclosure which allows for bypassing the firewall, did not need to do the ysoserial step for this next one.52:51 - Looking at the source code again, discovering we can use the RMI to perform file operations on the host56:00 - Start of creating the RMI Client Java App1:09:18 - Running into an error using our decompiled code. Having our exploit just reference the class files (before decompilation)1:25:00 - Finishing up our exploit script, then writing an SSH Key1:36:60 - Looking at running processes, discovering the RMI Server restarts every 3 minutes, then running PSPY discovering a quarentine.jar1:43:00 - Looking at the initial JAR again, discovering it will give out a config. Using RECAF so I can just replace code in the jar without recompiling1:48:00 - Looking at the Quarantine Service, which pulls a config from the RMI Server then runs CLAM AV1:51:40 - Having CLAM AV scan /root, and flag every file as a virus sending it to /dev/shm
HackTheBox - Clicker IppSec 2024-01-27 | 00:00 - Introduction01:02 - Start of nmap and discovering NFS, which is hosting source code to the webserver05:50 - Showing off the NFSClient Golang binary by Mubix, does not work here because NFS is Read-only07:40 - Viewing the website for the first time, so we have an idea of what source code we are looking at09:00 - Looking at the source code, Snyk doesn't give us anything11:45 - Looking at database queries and finding a Mass Assignment Vulnerability13:30 - Discovering we need to assign ourselves to Admin14:45 - Using a line break, to bypass the check against the Key, allowing us to pass in the Role17:48 - Showing another way to set our Role To Admin through SQL Injection in the Value21:52 - Viewing the Administration page, discovering how the export function works25:00 - We can place PHP Code in NICKNAME for our user, which then the export function writes to a php file which then executes30:12 - Running LinPEAS, discovering a SetUID Binary (execute_query)36:00 - Examining execute_query in Ghidra, discovering a File Disclosure Vulnerability42:00 - Grabbing the SSH Key for Jack44:27 - Jack can sudo run /opt/monitor.sh, and set the environment. We can use LD_PRELOAD to hijack dynamically compiled binaries.50:15 - Showing the intended way by setting a proxy to CURL, allowing us to change the data the server sends and trigger an XXE
Hiding Spam with uBlock Origins IppSec 2024-01-21 | My uBlock Rule by the end of the video, definitely change the bad words:! Twitter Bad Wordstwitter.com##[data-testid="cellInnerDiv"]:has-text(/ the | and | or /i)! Discover more / More Tweets - Conversation view suggestionstwitter.com##[aria-label="Timeline: Conversation"] [data-testid="cellInnerDiv"] h2:has-text(/^(Discover more|More Tweets)$/):upward([data-testid="cellInnerDiv"])twitter.com##[aria-label="Timeline: Conversation"] [data-testid="cellInnerDiv"] h2:has-text(/^(Discover more|More Tweets)$/):upward([data-testid="cellInnerDiv"])~divThe reddit post, not tweet lol: reddit.com/r/uBlockOrigin/comments/13twvuu/comment/jmg78ak/?utm_source=share&utm_medium=web2x&context=3Github Page: github.com/gorhill/uBlock/wiki/Dashboard:-My-filters00:00 - Introduction talking about why I block it on the browser not platform. 01:00 - Creating the rule to hide tweets that contain words02:00 - Discovering we didn't filter words, but strings. So "the" would block "therefore", since the is a substring.02:59 - Making it case insensitive 03:30 - Showing where the data-testid came from04:20 - Showing some more filters, showing the reddit post not tweet (lol)
HackTheBox - Bookworm IppSec 2024-01-20 | 00:00 - Introduction00:50 - Start of nmap04:30 - Discovering a potential XSS in the Notes field of an order. Content Security Policy (CSP) blocks us, because JS cannot be on the same page. Looking for a file upload functionality.08:29 - Finding out we can upload anything we want to the avatar. This should allow us to bypass the CSP in the book edit field11:55 - Confirmed XSS on the page, checking if there's an IDOR Vulnerability that allows us to add notes to other people's items by creating a second account16:00 - Creating a Python Script that will automatically poison items in peoples basket (cart)28:00 - Backet Poisoner script is completed28:50 - Creating a JavaScript payload, explaining why I'm doing await, fetch, and helper functions.40:15 - Having the XSS Payload fetch profile, look for orders, then perform a get on all orders to examine the order page. Then send us the HTML of that page49:55 - Creating a Python Flask Server that will save all of the orders the XSS Payload sends us56:00 - Examining orders, discovering there is a "Download Everything" URL. Didn't show it but there is no IDOR Vulnerability here, need to have the XSS Trigger it. Exfilling /etc/passwd01:12:00 - Extracting database.js, which contains the database information. The password lets us onto the system as Frank01:15:52 - EDIT: Examining the source code to show why downloading a single book was not vulnerable. Talking about setting ROOT on res.download of express01:21:04 - Enumerating the box as Frank discovering a second web application listening on 300101:30:00 - Looking at the source code to the book converter. 01:36:20 - Exploiting a SSRF/File Disclosure vulnerability in the Book Converter, but it doesn't get us anything01:42:18 - Finding Arbitrary File Write vulnerability in the Book Converter by abusing SymLinks to bypass an File Extension Check.01:51:50 - Shell as Neil who can run the GenLabel binary with Sudo, examining it to discover a SQL + PostScript Injection01:57:10 - Using the SQL Injection to Inject a FileWrite command in the PostScript file which then gives us Arbitrary File Write as root
Automating a File Disclosure Vulnerability to Crawl Website Source IppSec 2024-01-18 | Check out snyk.co/ippsec00:00 - Introduction 00:40 - Going over the file disclosure vulnerability we are using for the example (Zipping box from HTB)03:50 - Showing the python script created in the file to exfil files one at a time05:40 - Talking about why we created a file disclosure crawler, running it and opening VSCode07:05 - Showing Snyk detecting vulnerabilities09:55 - Going over the script we made on stream
Beyond Root - Crawling PHP Webapps After File Disclosure IppSec 2024-01-16 | In Zipper, we had a File Disclosure vulnerability. In the video we had made it so we could manually specify files to extract. I want to have it automagically crawl the website extracting all the source code. Figured I'd just stream myself making it.
HackTheBox Zipping IppSec 2024-01-13 | 00:00 - Introduction01:00 - Start of nmap02:50 - Discovering a likely LFI in product.php but cannot use filters, likely because there is a file_exists() check05:30 - Playing with the File Upload functionality08:40 - Talking about the PHAR wrapper in PHP, showing it will bypass the file_exist and we can go into the ZIP to bypass the .pdf check10:55 - Uploading the phar archive, and getting RCE through the LFI and PHAR wrapper16:40 - Showing the intended File Disclosure vulnerability, by uploading a zip with a symlink18:00 - Creating a python script to automate the file disclosure vulnerability, making it easier for us to download files28:30 - Script completed, looking at the PHP Code, then showing another unintended solution with a zip file and null byte37:30 - Explaining what happened with the null byte40:00 - Showing the intended solution with the null byte, talking about how we can bypass this regex with CRLF Injection due to lack of multi-line48:00 - Dumping the SQL Database with a union injection51:15 - Dropping a file from MySQL and then including it with the LFI to get a shell58:00 - As Rektsu we can execute a binary with sudo, running strings discovers a hard coded password. Strace reveals it loads a library that doesn't exist, so we can use MSFVenom to create a malicious library
HackTheBox - Sau IppSec 2024-01-06 | 00:00 - Intro00:40 - Start of nmap02:00 - Examining the website, playing with the basket, trying SSTI/SQL Injection special characters04:30 - Looking at the settings, discovering we can perform a SSRF and get the response back. Grabbing localhost:8006:10 - The local website runs maltrail 0.53, examining the exploit then manually exploiting it to get a shell09:10 - Shell returned, checking if we really needed to encode the payload13:00 - When systemctl runs status, it sends us to less which we can escape out of and run as root
HackTheBox - Coder IppSec 2023-12-16 | 00:00 - Introduction01:00 - Start of nmap03:30 - Exploring the file share07:15 - Finding Encrypter.exe, which is a dotnet encrypter. Discovering the seed is based upon time, modifying it to decrypt using metadata from the encrypted file to get the seed.15:30 - The encrypted file was a Keepass Database, looking into it and seeing credentials and a uthenticator backup19:45 - Installing the "Authenticator" app and seeing the backup format is the same21:30 - Explaining why we want to just bruteforce AES vs Argon2id25:50 - Creating a program in javascript to bruteforce the AES by decrypting and examining the contents of what was decrypted40:40 - Cracking program done, then logging into TeamCity45:45 - We can't modify the files on TeamCity but we can use the personal build, supply a dif and get it to execute code that way49:50 - Defender blocked nishang reverse shell, doing some quick obfuscation to bypass defender and get a shell55:50 - Discovering Teamcity keeps track of personal builds, looking at old ones and discovering powershell credentials. Decrypting the Secure String to get e.black's password1:08:00 - Running the bloodhound python collector in a Docker1:17:40 - Writing a bloodhound query to show Organization Units in active directory, then using Get-ACL to see unique privileges to each OU1:24:15 - Explaining the attack path, e.blake can manipulate ADCS, s.blade can add machines to a specific OU. We can create a vulnerable ADCS Template and exploit this with Certifried1:31:30 - Creating and publishing the Vulnerable Certificate. Cloning computer, then modifying msPKI-Enrollment-Flag1:53:30 - Doing an easier vulnerable template, to make this box vulnerable to ESC1. Set msPKI-Enrollment-Flag, msPKI-Certificate-Name-Flag,
IR Employee Fell for a Call Center - HTB Sherlocks - Tick Tock IppSec 2023-12-16 | 00:00 - Introduction07:50 - Analyzing the files we have11:45 - Using Impacket to dump local creds16:28 - Running MFTECmd to process MFT File and Chainsaw to process logs. These take a while22:15 - Looking at the Prefetch files to see what programs have been run29:00 - Looking at the Teamviewer log file38:15 - Looking at the Firefox History to see when they downloaded TeamViewer46:15 - Looking at the Chainsaw hunt output... Probably not ideal since some logs didn't copy well.1:00:39 - Going over Sysmon logs with JQ to search and filter1:03:50 - Showing a trick with jq so we can grep entire events to avoid writing a select filter1:14:10 - Looking at powershell, discovering some encoded commands which is where the bitlocker question is1:21:00 - Using EvtxECmd to try parsing the logs, discovering the log was empty...1:27:50 - Looking at when the system time was changed based upon security log1:45:00 - Having trouble finding the SID of the user, using registry hives to get this information1:54:50 - Using date to help us convert date formats
Analyzing PCAP with Zeek - HTB Sherlocks - KnockKnock IppSec 2023-12-11 | 00:00 - Going over the Scenario01:30 - Talking about why I'm using Zeek and running it in a docker05:20 - Showing a Corelight Zeek Cheat Sheet, which is tremendously helpful08:00 - Showing Zeek-Cut on the x509 log, then looking at the SSL Log11:50 - Looking for a single IP that sent multiple SSH Banners13:20 - Creating an alias for zeek-grek (alias zeek-grep='grep -e "^#" -e'), which lets us easily filter logs17:00 - Looking at the HTTP Log, discovering a wget downloading ransomware21:10 - Looking at the FTP Log, and showing the passwords are hidden. Editing the Zeek Config to unmask the password24:30 - Editing the FTP Logged commands to add PASS so we see failed logins too34:10 - Using the DNS Log to see that our attacker was likely using Amazon EC236:15 - Looking at how many connections each IP made, discovering our attacker doing a port scan using date -d @epoch to convert to human readable time42:30 - Editing our zeek config to also extract_files, then looking at the ransomware download53:15 - Looking at the files downloaded over FTP1:07:00 - Start answering the questions. Doing some Grep Fu to see all the open ports during initial recon1:18:10 - Finding when the port knock happened
HackTheBox - Authority IppSec 2023-12-09 | 00:00 - Introduction00:58 - Start of nmap03:30 - Taking a look at the website05:50 - Using NetExec to search for file shares and discovering the Development share is open. Using smbclient to download everything08:00 - Exploring the Ansible Playbooks in the Development Share to discover encrypted passwords (ansible vault)10:00 - Converting the Ansible Vault Hashes to John/Hashcat format so we can crack them13:30 - Decrypting the values and getting some passwords, one of which lets us log into PWM (webapp)19:50 - Adding a rogue ldap server into the PWM Config, then clicking test config will send us the password for the ldap account27:00 - Running Certipy to find the server is vulnerable to ESC1, we just need to enroll a computer28:00 - Using NetExec to show how the MachineAccoutnQuote, confirming we can enroll machines29:00 - Using Impacket to add a rogue computer30:00 - Using Certipy to perform the ESC1, it works but smart card login isn't enabled so we can't log in right away.33:30 - Looking at the error message, finding we can PassTheCert to LDAP which then will let us get admin37:15 - Using PassTheCert to add ourselves to the Domain Administrator group39:25 - Showing PassTheSert to set_rbcd, which will enable our rogue computer the ability to sign krb, allowing us to impersonate the administrator
HackTheBox - CyberMonday IppSec 2023-12-02 | 00:00 - Introduction00:55 - Start of nmap, playing with the webapp discovering it is Laravel PHP App06:50 - Discovering /assets is a redirect to /assets/, indicator of the Nginx off by slash [MasterRecon]11:50 - Using the Nginx off by slash to download .env and .git to get the source code to the app14:00 - Start of code analysis15:55 - Finding a Mass Assignment vulnerability in the update functionality21:50 - Taking some time to explore if there are ways to find Mass Assignment without looking at the code or guessing27:30 - Looking at the Webhooks-api-beta website, playing with the request and discovering we need to send it JSON30:40 - Playing with the JWT, Discovering its a RS256 encoded, doing an Algorithm Confusion attack to sign the token with the RSA Public Key41:50 - Playing with the Webhook and discovering a SSRF, which we can also do protocol smuggling since we can write to the HTTP Method46:30 - Looking at the Redis Migrate functionality which confirms we can interact with Redis. Also stand up redis on our box with docker52:28 - Inserting a poisoned laravel cookie into redis we created with phpggc, troubleshooting all the encoding issues we have. Browsing the page deserializes our cookie and gets RCE1:17:50 - Reverse shell returned, examining the mysql database and redis keys1:30:10 - Uploading a static nmap to scan the docker containers finding a docker registry, downloading the api container to get the source code1:49:35 - Source code analysis on the webhook code, discovering a file disclosure and hardcoded API Key2:02:50 - Dumping the environment variables, getting the DB Password which is also a user password, ssh as john2:08:30 - John can run docker compose on a sanitized docker file, there are a few ways to bypass this check2:12:10 - Showing we can pass in a raw device, which works without adding any special capabilities to the docker container but it is very very dangerous2:30:30 - Showing we can also pass in a volume as RO and give the capability and AppArmor policy to allow the container to remount this as RW
HackTheBox - Pilgrimage IppSec 2023-11-25 | 00:00 - Introduction00:55 - Start of nmap03:00 - Uploading an image file and trying to identify how the upload works06:20 - Running Git-Dumper to download the exposed .git directory, taking a look at the source code09:45 - Looking at the ImageMagick version (7.1.0-49) and seeing it is vulnerable to CVE-2022-4426813:30 - Generating a malicious image and downloading the sqlite database19:30 - Doing a PS and seeing inotifywait is being used to run a bash script when files created in web directory21:35 - Showing why the bash script is not vulnerable28:00 - Finding a binwalk exploit for version 2.3.2, which takes advantage of path traversal in PFS files32:50 - Taking a look into the exploit to see how it works35:30 - Showing the PFS File Format
HackTheBox - Sandworm IppSec 2023-11-18 | 00:00 - Introduction01:00 - Start of nmap03:10 - Finding their public key, then sending an encrypted message that contains a XSS Test payload06:50 - Creating a PGP Key and sending our public key, so they can send an encrypted message back08:40 - Decrypting the message they sent to us09:50 - Signing a message, but not encrypting it for them to verify and see they give us the metadata back12:40 - Testing a SSTI Payload in the username of the key, and seeing it will dump the config15:25 - Finding a SSTI Payload with Jinja2 that gives code execution... First attempt fails19:23 - Testing a different SSTI Payload and getting code execution21:40 - Reverse shell returned, discovering we are in a jail, attempting to get chisel up and running and failing26:55 - Finding admin.json which contains another credential and we can use this to SSH into the box28:00 - Logging into MySQL and attempting to crack the hashes 31:00 - Identifying that a file in the cargo directory for atlas is being updated every 2 minutes. Running pspy to identify what is happening35:55 - We can write to one of the libraries cargo using to build, putting a reverse shell in43:50 - Identifying that Atlas can run Firejail as root, finding a exploit for Firejail and getting root
Post IR Investigation - MoveIT Exploit - HTB Sherlocks - I Like To IppSec 2023-11-17 | 00:00 - Introduction01:10 - Going over the questions03:50 - Examing the forensic acquisition files07:10 - Dumping the SAM Database to get hashes of the local accounts12:25 - Running MFTECmd to convert the MFT (Master File Table) Dump to a JSON and CSV15:35 - Analyzing the IIS Access Log22:30 - Showing the files the attacker accessed in the Access Log27:00 - Grabbing the Moveit metasploit script since the useragent hinted at metasploit being ran36:10 - Using Chainsaw to convert the Security event log to JSON and hunt for suspicious events42:30 - Analyzing the MFT JSON Output to discover when a file was written to disk52:10 - Looking at the Powershell Console History to get what commands were ran55:27 - Analyzing the Moveit MYSQL Dump file by copying it into a MySQL Server1:02:30 - Going over the chainsaw hunt on security event log1:11:40 - Looking at Security.json and using some jq-fu to show specific data1:21:50 - Looking at the strings from the memory dump, to see commands ran and the actual webshell1:26:30 - Showing the Defender log with Chainsaw
HackTheBox - Download IppSec 2023-11-11 | 00:00 - Introduction01:00 - Start of nmap05:30 - Playing with the download file functionality, discovering the UUID is the file on disk and not column in database by prepending a slash09:00 - Finding a File Disclosure vulnerability, extracting application source code, getting source code of the app13:15 - Start of signing our own cookies, examining the sig cookie to discover it is 40 bytes which is likely sha116:00 - Playing with Cyber Chef to discover how the cookie is signed18:50 - Creating a python application to create and sign cookies so we can become other users24:30 - Becoming other users and looking at all uploaded files32:50 - Explaining the ORM Injection, looking at Prisma Documentation to discover how we can perform boolean injection37:00 - Showing the proof of concept payload, and then making the script loop to extract the entire password field44:00 - POC Script done, but it is slow. Adding concurrency/threading with asyncio/await to our script to speed it up48:50 - Modifying the script to dump multiple users, and finding WESLEY's password56:00 - Explaining how the Boolean Injeciton script works59:50 - Looking at the running processes, discovering root is running su and a new pty is not being created, which makes this vulnerable to the tty pushback attack1:02:45 - Explaining the TTY Pushback attack1:10:20 - Gettinng the PostGresql credentials from the systemd file which lets us write to the postgres home directory, which enables us to perform the TTY Pushback attack against root
HackTheBox - Broker IppSec 2023-11-09 | 00:00 - Intro01:00 - Start of nmap01:45 - Logging into ActiveMQ with admin:admin and then failing to use the exploit from 201604:00 - Doing a full nmap scan, then running script scans on the open ports07:50 - Finding a page that talks about CVE-2023-46604, the latest activemq exploit11:00 - Pulling down an exploit payload for this exploit, it is golang12:30 - Modifying the payload to execute a reverse shell, instead of downloading and executing an elf file. Need to HTML Entity Encode the payload16:30 - Reverse shell returned, seeing we can run nginx as root17:20 - Building an nginx config that runs as root and shares the entire filesystem23:08 - Enabling the WebDav PUT so we can upload files to the server and uploading an SSH Key27:05 - Showing we could upload a cron entry aswell to get code execution
HackTheBox - Topology IppSec 2023-11-04 | 00:00 - Introduction01:00 - Start of nmap02:30 - Discovering Discovering the LaTeX Equation Generator Page04:10 - Attempting to get code execution, discovering a WAF. Building a wordlist and using FFUF to identify potentially dangerous commands that aren't blocked07:45 - Discovering lstinputlisting is not blocked, which will let us read files10:45 - Using FFUF to bruteforce subdomains, show the automatic calibration, so you don't need to manually specify filters13:25 - Looking for the Apache Config for the Dev subdomain, as it likely has a htpasswd file we can get a password from15:25 - Showing the alternate path to get RCE, Bypassing the filter by encoding characters in hex with ^^18:50 - Talking about the catcode command and a failed path at evading a filter with this, but it pointed me towards superscript21:40 - Looking at the wikibooks latex page and seeing ^ is superscript by default, so we don't need the catcode22:20 - Testing the bypass with a valid command to make sure it works24:00 - Writing a file27:35 - I failed at typing my PHP Shell, standing up my own PHP Server so I can see the error29:30 - PHP Script is written, getting a reverse shell grabbing the htpasswd and kracking33:30 - Copying LinPeas and disabling FAST mode, so it looks for unique processes36:30 - Discovering a cron that is running GNUPLOT37:50 - Looking at GNUPLOT commands and discovering it has a SYSTEM Command42:00 - We aren't getting a reverse shell, running the command ourself to see STDERR and discovering commands are case-sensitive43:00 - Root shell returned, just playing with GNUPLOT to show we can write to a file
HackTheBox - Gofer IppSec 2023-10-28 | 00:00 - Introduction01:00 - Start of nmap03:40 - Running gobuster to discover the proxy.gofer.htb subdomain05:20 - Enumerating SMB to find a note which gives an email address to send a malicious document to and hints at HTTP Methods being filtered08:45 - Discovering the proxy.gofer.htb domain responds differently to POST vs GET requests, then gobustering setting our method to POST11:55 - Finding a SSRF in the proxy, then playing with protocols to discover it accepts GOPHER requests16:40 - Showing we can get around the localhost/127.0.0.1 blacklist by encoding the IP Address in HEX, then showing why gopher requests are cool21:30 - Sending a SMTP Request via gopher to send an email with a link to a malicious file27:55 - Making a ODT Document with a macro that executes on-open and sends a shell34:50 - shell as jhudson36:30 - Going over LinPEAS, discovering TCPDump has capabilities to allow any user to capture packets44:40 - Opening the capture in Wireshark and showing the TBuckley sent his password to the proxy, then SSH as him46:57 - Executing the notes binary, looks like a traditional UAF Problem, playing with it blindly50:30 - Opening the binary in Ghidra to show deleting the username only calls free, does not unset the pointer53:19 - Running the binary in GDB, then setting breakpoints and showing USER and NOTES have different pointers when setting them one after another.56:00 - Showing what happens when you create the user, free the memory, then create the note (Both USER and NOTE now point to the same point in memory59:38 - Having an issue when doing it, turns out to be because we placed our shell in /dev/shm which is mounted NOSUID
Automating Boolean SQL Injection and Evading Filters IppSec 2023-10-24 | Sign up for Snyk at snyk.co/ippsec00:00 - Talking about why I like SQL Boolean Injection01:47 - Opening up the source code to the web app02:00 - Snyk sponsor segment, talking about how it can find and fix vulnerabilities in your code in real time04:30 - Demonstrating validating boolean injection with an or statement07:00 - Showing a small python client I made for this video to play with the SQL Injection, then showing subqueries09:20 - Showing how to enumerate columns in the database via brute-force guessing because we can't use information_schema11:25 - Going over the LIMIT statement so we can control which row we are looking at, then showing LIMIT 2 offset 1 is the same as LIMIT 1,1 15:00 - Showing the SUBSTR command so we can guess individual characters in a column/row17:05 - Talking about converting a string to number in mysql which makes it possible to guess bad characters21:45 - Start of creating our script, talking about the 3 functions we need, then creating one to dump the number of rows in a column29:40 - Automating getting the length of a column in our row32:40 - Automating exfilling the actual data and implementing a binary search/divide and conquer algorithm to speed our request up46:00 - Debugging our script47:35 - Found the error, messed up the column name. Showing the algorithm we made to bruteforce characters with the BETWEEN49:00 - Putting all the functions together to automate dumping all the data54:50 - Showing SQLMap has troubles with this, especially because the function (GEOGRAPHY_AREA) it uses to fingerprint the app won't work because it contains a bad character (_)57:10 - Cleaning up and explaining the code a little bit
HackTheBox - Jupiter IppSec 2023-10-21 | 00:00 - Introduction03:40 - Using gobuster to enum05:45 - Discovering Raw SQL in the HTTP Request, doing some enumeration to discover it is PostreSQL08:00 - Looking at the PostgreSQL Copy command, which allows for running commands, getting a shell12:45 - Got a shell as the PostgreSQL user15:08 - Got a SSH Shell as the PostgreSQL user, then finding port 8888 and enumerating that port17:00 - Discovered a Jupityr Notebook, using find to discover what users are doing on the box and seeing Juno has network-simulation.yml18:45 - Putting a shell on Network-Simulation.yml and getting a shell as juno23:45 - Shell as Juno, looking for jupityr files and discovering the token, which enables us login to Jupityr notebooks and get a shell as 28:45 - Jovian can run sattrack as as root (via sudo), running strace to discover that it reads the config from /tmp31:30 - Editing the sattrick config to download an authorized_keys file to root's .ssh directory33:15 - Pretending /root/.ssh didn't exist, getting a shell through cron
HackTheBox - Intentions IppSec 2023-10-14 | 00:00 - Introduction01:00 - Start of nmap02:30 - Looking at the login request, guessing it is Laravel based upon XSRF being in cookie and header08:10 - Playing with updating genre and viewing feed to discover an error10:04 - Opening up SQL Fiddle to explain what I think is going on, its using FIND_IN_SET14:20 - Discovering space is a bad character and when this happens using the -- comment is bad17:48 - Manually dumping the database with union statements25:18 - Using SQL Map showing this SQL Injection30:54 - Going over our recon and discovering a v2 admin login endpoint which lets us login with the password hash38:28 - Logged in as an admin (Steve)42:10 - Talking about Exploiting PHP Object Instanatiations then exploiting ImageMagick1:01:20 - Shell returned, downloading .git, looking at commits and finding Greg's password1:07:05 - Talking about the Scanner Binary and showing how we can leak the file one byte at a time1:10:07 - Creating a python program to run the scanner binary thousands of times to leak files one byte at a time
Looking into the Looney Tunable Linux Privesc CVE-2023-4911 IppSec 2023-10-09 | 00:00 - Introduction talking about what the Looney Tunable exploit is and my thoughts on the severity of the exploit02:30 - Start talking about how the vulnerability works04:00 - The POC String to identify if a box is vulnerable, it doesn't actually exploit but quickly identifies if a vulnerable glibc is installed05:45 - Important parts I wanted to point out in the technical writeup.09:00 - Downloading a good POC written in python, then glancing over the code to make sure there isn't anything malicious13:37 - Analyzing the exit shellcode manually in Ghidra to see it just exits with 0x6618:50 - Analyzing the main shellcode in Ghidra, showing it does a lot more21:50 - Putting the Shellcode into an elf binary, so we can analyze it with gdb29:50 - Logging into HTB's TwoMillion machine to run this exploit31:45 - Showing how to get the magic numbers incase your target is not supported. Disable ASLR then running the exploit34:50 - Looking at how Elastic got lucky and detected this exploit with their default ruleset36:00 - Looking at how CrowdSec detects it36:55 - Looking at the more recent Elastic rules to see the more thorough check for this exploit40:40 - Showing all the segfaults in /var/log/kern.logHighlighted Links:- Qualsys Blog Post: blog.qualys.com/vulnerabilities-threat-research/2023/10/03/cve-2023-4911-looney-tunables-local-privilege-escalation-in-the-glibcs-ld-so- Qualsys Tech Details: qualys.com/2023/10/03/cve-2023-4911/looney-tunables-local-privilege-escalation-glibc-ld-so.txt- Exploit POC Tweet: twitter.com/bl4sty/status/1710634253518582047- Elastic Initial Detection Tweet: twitter.com/RFGroenewoud/status/1709866613292282101- Crowdsec Detection Tweet: twitter.com/Crowd_Security/status/1709959368467157244
HackTheBox - PC IppSec 2023-10-07 | 00:00 - Introduction01:05 - Start of nmap03:00 - Googling the port number, and reading more about gRPC04:45 - Install GRPCurl so we can access the gRPC interface06:30 - Enumerating the grpc interface10:30 - Registering a user and logging in13:45 - Using Verbose with GRPCurl to get extra information which includes an JWT 16:20 - Discovering an SQL Injection in the SimpleApp.GetInfo, enumerating the database to discover SQLite19:45 - Enumerating the SQLite Database (similar to Information_schema with mysql)21:45 - Using Group_Concat with a union injection to dump all users and passwords, then SSH into the box24:45 - Discovering PyLoad is running on localhost, setting up an SSH Tunnel to access it26:00 - Finding a public POC and running it to exploit PyLoad
SQL Injecting Beyond Strict Filters - Union Without Comma IppSec 2023-10-02 | 00:00 - Introduction01:57 - Showing the trick and explaining why its important to understand the methodology behind finding the technique and not just the technique itself03:50 - Going over the Flask App05:45 - Showing Snyk highlighting the SQL Injection, then talking a little bit about Snyk and why it is awesome.08:00 - Running the webserver and explaining why DEBUG mode should always be disabled09:30 - Running SQLMap to inject into the URL Parameter11:00 - Manually discovering the SQL Injection through good enumeration, and showing a Burpsuite URL Encoding Quirk12:50 - SQLMap showed nothing, Run SQLMap again but this time make sure it starts with a valid result to see it does find something13:20 - Going into the code to show why exploitation is hard, I'm using Pydantic to do strict typing and input filtering17:36 - Showing how SQLMap discovered there were 4 columns without using a comma, thanks to the ORDER BY method18:55 - Enumerating for bad characters with FFUF by putting characters after the SQL Comment21:30 - Showing SQLFiddle, which is a great way to play and test SQL Queries24:05 - Eliminating comma's from the Union Injection with (select * from (select 1) as a join (select 2) as b)26:00 - Testing the SQL Injection against our web application28:55 - Securing the code and fixing the SQL Injection via prepared statement31:30 - Showcasing Github Copilot Chat to help fix our code35:00 - Fixing a XSS Issue, then rerunning Snyk to show all vulnerabilities are fixed
HackTheBox - Format IppSec 2023-09-30 | For some reason, the last video got stuck encoding on YT's side and was 360p. Reuploaded and it worked the second time.00:00 - Introduction01:00 - Start of nmap04:00 - Downloading source code from gitea04:30 - Examining the website via browser to see what it does07:30 - Making sense of how the sitebuilder works14:20 - Examining the source code, discovering a file disclosure24:00 - Creating a python script to automate the File Disclosure48:00 - Script is done, downloading nginx configs. Then trying to find any directory we can write a PHP Script to55:00 - Looking at how the site adds a pro license to users58:50 - Explaining how we can do a protocol smuggling attack and access the REDIS socket to manipulate our user1:05:19 - Showing that the plus is not being URL Decoded in the path of a URL but %20 is1:08:48 - Uploading a PHP Script to get code execution1:13:55 - Dumping the REDIS Database and getting cooper's password1:17:10 - Looking at the License Python script cooper can execute with sudo and seeing a Python Format String vulnerability
HackTheBox - Aero IppSec 2023-09-28 | 00:00 - Introduction00:56 - Start of nmap04:20 - Looking for Windows Exploits around Themes and discovering ThemeBleed (CVE-2023-38146)06:30 - Creating a DLL that exports VerifyThemeVersion and then compiling from Linux10:50 - Showing the exports of the DLL to confirm it is there, then hiding the ReverseShell export12:30 - Testing our DLL from our windows computer13:30 - Creating the malicious Windows Theme17:20 - Setting up a SOCAT forward to send port 445 from our linux box to our Windows Box19:20 - Updating the IP Address in our DLL and then getting a shell22:10 - Downloading the PDF by converting it to base64 and then copy and pasting it to our box23:45 - Researching CVE-2023-28252, which is a Windows Local Privesc in the Common Log File System (CLFS) and patched back in April 202326:30 - Opening the CLFS Exploit up in Visual Studio and placing a Powershell Web Cradle to send a reverse shell and getting Root32:30 - Beyond root: Changing up the DLL we used for the foothold to just execute code upon DLL Attach and not export anything.
HackTheBox - Snoopy IppSec 2023-09-23 | 00:00 - Introduction01:00 - Start of nmap, discovering ssh/dns/http02:30 - Taking a look at the website04:00 - Discovering a message about DNS, taking a look at the DNS and discovering zone transfers are enabled09:40 - Identifying the website is running with PHP Enabled, then running gobuster13:00 - Attacking the file download and discovering File Disclosure15:35 - We got lucky discovering the File Disclosure filter bypass, using FFUF which would be make catching this more consistent19:30 - Automating the File Disclosure by creating a python script24:30 - Looking at files on the target, discovering the DNS Configuration which has the RNDC Key to update DNS30:40 - Looking at the NSUPDATE Man page and then adding a the DNS Record mail.snoopy.htb and pointing it to us34:24 - Using python to run a SMTP Server and then having Mattermost's forgot password email us the password reset39:50 - Using the Mattermost bot to provision a server via SSH which causes it to SSH back to us42:30 - Backdooring PAM with pam_exec and a bash script to log passwords of users logging into our box, and grabbing CBROWN's password50:40 - cbrown can run Git apply as sbrown, looking for exploits around it and discovering CVE-2023-23946. 1:08:50 - sbrown can run clamscan in debug mode as root1:11:45 - Looking at CVE's in clamav and discovering an XXE in the DMG Parser (CVE-2023-20052)1:23:30 - Downloading a DMG File (sublime), then modifying the XML to put an XXE in, scanning, then exfiltrating the root ssh key
HackThebox - Wifinetic IppSec 2023-09-16 | 00:00 - Introduction01:00 - Start of nmap02:00 - Using wget to download all files from FTP then examining files, taking notes of the usernames05:00 - Taking a look at the backup, discovering a password in the wireless config06:45 - Using CrackMapExec to spray SSH with our password and getting a success with netadmin09:15 - Running LinPeas to discover Reaver has the capability cap_net_raw13:15 - Explaining why Reaver has this capability is interesting14:40 - Running Reaver to attempt to brute force the WPS Pin and getting the WPA PSK which is also the root password15:30 - Start of building a bash script to spray a single password across valid users with su22:00 - Converting our script into a Bash Function so its easier to run without touching disk24:55 - Talking about WPS and how this exploit worked25:30 - The first vulnerability in the WPS Pin, the eighth digit is just a checksum28:30 - The second flaw in WPS, the PIN is broken in half if the first four digits are wrong the responses tell you. Making the possibilities of hashes from 10^7 to 10^4 + 10^3.30:00 - Showing the WSC Nack gets sent after Message 4 if the first four of the pin is wrong31:15 - Changing the PIN and playing more with reaver to showcase how reaver works.
HackTheBox - Pikatwoo IppSec 2023-09-09 | 00:00 - Introduction01:00 - Start of nmap03:15 - Identifying all the technologies used in the box10:45 - Looking at OpenStack Keystone Authentication and discovering CVE-2021-3815512:15 - Pulling up API DOCS to see how to login to Keystone, then testing lockout14:00 - Taking the Burpsuite Request, sending it to FFUF and using a trick to try each password multiple times25:30 - Attempting to access Swift as a vendor to bypass auth, using GoBuster and discovering an Android directory with Pokatmon app in it35:10 - Start of analyzing the Pokatmon App, examining DNS, setting up a MITM with Burpsuite and Socat40:15 - Using Frida to disable TLS Certificate Pinning on Flutter45:20 - Discovering the App Signs every request, grabbing the certificate out of the app, and signing our own request49:20 - Performing an SQL Injection, getting an email address then looking for vulnerabilities in Forgot Password on the main website58:48 - Discovering CVE-2021-43557 in APISIX, which gives us an idea to URLEncode Paths to bypass blacklists and gaining access to the /private/ directory which has a /forgot-password we can use to reset Roger's password1:04:45 - Logging into the docs, gaining access to the API and finding an LFI1:09:45 - Looking into CVE-2021-35368, which is a ModSecurity Bypass that allows us to abuse the LFI1:18:10 - Using NGINX's temporary files with our PHP LFI to gain code execution1:27:55 - Shell returned on Pokatdex-API, exporting Kubernetes secrets1:34:20 - Discovering an APISIX admin key and exploiting this service by creating a route that executes code1:59:20 - Shell returned on the APISIX box, discovering credentials we can SSH with2:11:10 - Explioting the CRI-O with Kubernetes to set a kernel param to execute a script when a core dump is created (CVE-2022-0811)
HackTheBox - MonitorsTwo IppSec 2023-09-02 | 00:00 - Intro01:02 - Start of nmap01:50 - Discovering Cacti version and finding a vulnerability03:50 - Sending the payload from the description, discovering we need to set the X-FORWARDED-FOR05:00 - Incrementing Host_ID and Local_Data_Ids and discovering different output06:15 - Discovering with local_data_ids set to 6 and host_id set to 1, we can get code execution06:50 - Showing the python exploit and showing it blindly spray, looking at the Metasploit module for some more info10:40 - Getting a reverse shell11:30 - Using Script to set up our PTY since python is not installed13:40 - Connecting to the MySQL Database and then cracking passwords18:25 - SSH into the box with Marcus and discovering mail on the box20:20 - Discovering Docker is old and vulnerable to CVE-2021-4109121:55 - Looking at the docker overlayfs directories, discovering we can go in them, finding the web container23:10 - Using CapSH to escalate privileges on our docker container so we can make Bash a SetUID Binary24:50 - Executing bash -p to get root
HackTheBox - OnlyForYou IppSec 2023-08-26 | 00:00 - Introduction01:00 - Start of nmap03:20 - Discovering beta.only4you.htb03:55 - Downloading the source, scanning with Snyk and discovering a File Disclosure vuln05:15 - Demonstrating that os.path.join in python will do unexpected things if a path begins with slash07:30 - Failing to get /proc/self/environ, not sure why we failed here09:20 - Grabbing the nginx configuration to discover where the websites are stored, using the File Disclosure Vuln to leak source of main website11:15 - Discovering a vulnerability when sending mail12:10 - Talking about how we will bypass the bad character check, the Re.Match will only match the start, not entire string16:10 - Getting code execution from the contact form18:45 - Reverse shell returned, looking for databases, and discovering a few ports listening on localhost22:30 - Uploading Chisel so we can access ports 3000 and 800125:40 - Start of Neo4j Injection, discovering we are in a contains statement30:00 - Going to HackTricks and discovering we can use LOAD CSV to leak data out of band32:25 - Leaking the labels, then grabbing users and hashes38:30 - Logging in with John, discovering we can use sudo with pip to download a tar off GOGS40:25 - Creating a malicious python package for us to download, then uploading to gogs44:10 - Showing that the pip download command will execute setup.py and getting root
HackTheBox - Mailroom IppSec 2023-08-19 | 00:00 - Introduction01:00 - Start of nmap, discovering two different OS's02:30 - Running Gobuster to bruteforce VHOST03:30 - Discovering XSS but nothing we can really do with it 04:00 - Enumerating Gitea, discovering a repo with some source code05:40 - Opening the code with VS Code and Snyk. Discovering a RCE Vulnerability but requires login07:30 - Discovering an EAR (Execute After Read) Vulnerability on Authentication09:10 - Start of building our Javascript payload to exploit NoSQL Injection, download the internal page12:40 - Explaining the NoSQL Injection, then testing with a login bypass16:30 - Discovering what happens on invalid logins20:40 - Getting the length of the password25:30 - Bruteforcing the password with boolean logic30:00 - Logging in via ssh with the credentials we got from the nosql injection, looking at the local linux mail to get 2FA Link33:20 - Logged into the dashboard, can hit the RCE Endpoint now to get a shell as www-data which gets us matthews creds40:20 - Discovering a keepass file, running PS enough we can see KPCLI Runs41:30 - Running STRACE against KPCLI to intercept syscalls42:40 - Specifying we only want to see READS, and can intercept keys sent to KeePass and get the password46:10 - Going into the Mongo docker container and running mongodump to dump all the users
HackTheBox - Busqueda IppSec 2023-08-12 | 00:00 - Introduction01:00 - Start of the nmap04:20 - Copying the request in burpsuite to a file so we can use FFUF to fuzz06:00 - Just testing for SSTI06:45 - Found two bad characters, putting a comment after a bad character to see where it is failing08:20 - Discovering we can append to the string, then trying for executing code with print to test for eval statements10:00 - Getting a reverse shell15:00 - Reverse shell returned17:00 - Looking at apache virtualhosts to discover a hidden vhost that is running gitea19:00 - Finding creds in the .git folder which lets us run sudo22:00 - Inspecting the docker containers to discover passwords in environment variables which lets us log into gitea as administrator and view the script we are running as sudo25:30 - Discovering the system-checkup.py script is not using an absolute path, so we can execute a shell script in our CWD as root
