HackTheBox - Traverxec
Published: 10 Apr 2020
01:00 - Running nmap against the box, port 80 is running a unique webserver (nostromo)
03:00 - Let's check out the website before we throw any exploits
06:37 - Launching Metasploit then exploiting Nostromo, but sending the exploit through Burp Suite to see what it is doing
10:34 - Code execution worked; for some reason the proxies command didn't work the first time
11:18 - Explaining why the script does a GET request before throwing an exploit (exploit verification)
13:40 - Editing the payload to send a Bash reverse shell
15:40 - Running LinPEAS
17:20 - Running LinEnum in thorough mode
19:22 - Going over LinPEAS output
22:16 - Going over LinEnum output
23:00 - Discovering an htpasswd password, then using hashcat to crack it
26:45 - Looking at the HTTP configuration file to discover the public_www directory in home directories
27:30 - Explaining Linux permissions on directories and why we can ls /home/david/public_www but not /home/david/
29:50 - Discovering an encrypted SSH key for David in public_www, downloading the file via netcat, then cracking the key with sshng2john.py and John
34:50 - SSH into the box as David
35:20 - Discovering David can sudo journalctl
37:10 - Demonstrating that the pipe operator doesn't run as an elevated user when doing sudo
38:00 - Privesc by removing the pipe and then running !bash. Explaining why this works by tracing parent processes to see journalctl is just executing pager, which is symlinked to less
40:50 - Comparing the directory traversal exploits (MSF and non-MSF) to see a weird bug: adding %0d bypassed the /../ whitelist check
49:30 - Downloading the source code to nostromo (patched and unpatched versions) and analyzing the patch to see why %0d worked
50:27 - Using find and grep to md5sum all the files to figure out what has changed
53:26 - Using diff to compare two files
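The 27:30 point about directory permissions, as an added example that is not from the video: a directory that grants only the execute bit can be traversed to a known child path, but not listed. The tree is constructed under mktemp; mode 0111 is used so the owner sees what www-data sees on a 711 home directory. It assumes a POSIX shell and a non-root user (root bypasses these permission checks entirely).

```shell
# Constructed sample tree mimicking /home/david (execute only) and /home/david/public_www (readable).
make_demo_home() {
    demo=$(mktemp -d)
    mkdir -p "$demo/david/public_www"
    printf 'hello\n' > "$demo/david/public_www/index.html"
    chmod 755 "$demo/david/public_www"
    # 0111: execute bit only, even for the owner, to mimic a non-owner's view of a 711 dir
    chmod 111 "$demo/david"
    printf '%s\n' "$demo"
}

# Prints "listable" if ls succeeds (needs the read bit on the directory), else "not-listable".
can_list() {
    if ls "$1" >/dev/null 2>&1; then printf '%s' listable; else printf '%s' not-listable; fi
}

# Prints "reachable" if a known file can be opened: only the execute bit on each
# parent directory plus read on the file is required, no read bit on the parent.
can_reach() {
    if cat "$1" >/dev/null 2>&1; then printf '%s' reachable; else printf '%s' not-reachable; fi
}

# Owner may chmod regardless of mode; restore read so rm can descend into the tree.
cleanup_demo() {
    chmod 755 "$1/david"
    rm -rf "$1"
}

if [ "$(id -u)" -eq 0 ]; then
    echo "warning: running as root, DAC checks are bypassed and the demo proves nothing" >&2
fi
d=$(make_demo_home)
echo "ls  $d/david                     -> $(can_list "$d/david")"
echo "ls  $d/david/public_www          -> $(can_list "$d/david/public_www")"
echo "cat $d/david/public_www/index.html -> $(can_reach "$d/david/public_www/index.html")"
cleanup_demo "$d"
```

Expected as a normal user: the first listing fails, the second succeeds, and the file is readable, which is exactly why a known path under a 711 home directory can be reached without being able to enumerate it.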
Ippsec, thanks so much for the content you keep releasing. I started pentesting about 6 months ago as a complete beginner. I watched how you tackled each box, and right now I've done about 9 boxes that are active in Hack The Box.
Thanks sir, you always motivate beginner pentesters like me.
Good job bro💪🏻
Hello Ian. How much did you know prior to starting pentesting? Did you know anything on security? Sys admin? Any other CS-related fields? Do you have a degree in CS? I am asking because I very much admire IppSec's videos and I often find myself wondering how much work it would take for me to learn it all.
@Cullinan000 I had no background in cybersecurity. I was just looking for walkthroughs on HackTheBox machines on YouTube and came across ippsec's channel. I started watching his easy boxes, and later advanced to the more difficult ones. That's now been over a year and a half.
And it worked for me: I've published a few exploits on ExploitDB and right now I've solved over 30 boxes.
Watching his videos is a gain for sure. Can't wait for the one being released tomorrow 💪💪
The last 10 minutes are the gem of the video! Thanks for going through the CVE!
Thanks so much for adding awesome additional content when there's an easy box like this.
This is awesome
We all appreciate this work you do!
This all makes so much sense and I love you
Using find, grep & md5sum at 50:27 was interesting, but for me a much simpler approach would be `diff -r 196-src-dir 197-src-dir`
Love your videos. Amazing work. So much great content.
I played with this box a lot to get root (this was my first box) and finally I gave up on it, because I was totally stuck at that journalctl point. Now I understand, thanks for showing and explaining how things work :)
just subscribed! I'm new to the game! thank you for the tutorials!
Thanks bro. Your videos are very helpful for me. Even more than you could imagine.
Thank you again for the videos.
Amazing!!! Thanks for this
I love your videos I have learned a lot
You are awesome sir !!!
Vim supports `-` to read from stdin, so `diff a b | vim -` would have done what you wanted at 53:53
Love your vids!
Thank you ippsec
Really good box
IppSec should have way more likes and follows.
Mmmmmmm this is good. 💗🧜♀️🧚♀️ Never get enough.
Ty very much sir for the video!
Hey Please keep going
BTW thank you
As always, great explanation.
A simple note: if you want to run LinEnum in thorough mode, you don't need to edit the script, just enable the '-t' flag :)
Yeah that would involve writing to the disk. I don’t think you have access to argv when executing it via nc/curl/etc
@@ippsec I didn't know that we don't have access to argv when executing nc, however the box has wget installed ;)
38:08 When I removed the pipe after the sudo command, journalctl would not go into less, but just finish. A lot of people had that. The trick was to make the terminal smaller than 5 lines; then it would stay in less. Why might it be that Ippsec didn't have to do this?
I actually attempted the command and got root without having to resize, because I like to keep the terminal mid-sized and vertical. But I agree with you, it should be less than 5 as it says in the command (n5); however, if you try going 4 or 3 it won't work, only 2 and 1, which is weird.
maybe "stty rows" was assigned a lower value in ippsec's terminal
This comment saves my relationship. Thanks
@ippsec Question, the manpage of nc says the following: -l, It is an error to use this option in conjunction with the -p, -s, or -z options.
Same goes for:
-p source_port
Specifies the source port nc should use, subject to privilege restrictions and availability. It is an error to use this option in conjunction with the -l option.
Was just wondering why you use nc with -lvnp, which I am doing as well since watching your videos. Thanks!
Probably just habit -- No idea why I combined the two but at this point its just muscle memory.
GREAT
I was on my way to pro lol, I guess I lost the points of this box.... thanks ippsec for the video
♥️
I need your advice. I'm interested in this, but what you are using is Kali.
It was fine for me until the last update; when I installed it on my Mac the wifi wasn't working. I tried a couple of methods and nothing worked.
The question here: can I use Ubuntu for what you are showing in your video?
Is there a big difference if I use the tools on Ubuntu, or do you recommend Arch because Kali isn't working?
Wait what? Why did you not have to resize your terminal? Mine just exited less straight away, spent some time figuring that bit out...
Thanks for this I was going insane trying to figure out why in the world mine was just dumping me to the terminal, any idea why resizing the terminal made a difference?
Where can I get the handy `kracken` image you're using for cracking passwords?
On some machines, "sudo -l" requires entering the password but for some of them, this is not true. Why?
In the sudoers (sudo visudo) file, check for a line near the bottom that says something like
My gobuster tool doesn't have a -u option.. it gives me an error... what can I do?
Why can't I connect to 10.10.10.165
help needed
Why would you use Metasploit when there IS a non-Metasploit version available ... ?
Where did you learn how to hack?
OMG ! Can anybody tell me why this happens ?
When I run "/usr/bin/sudo /usr/bin/journalctl -n5 -unostromo.service" in a full-screen terminal it gives me an error (it just "cat"s the output and does not run it in "less").... But when I use a small terminal window and run the exact same command, it runs in "less" and I get to root. Why is this weird stuff happening?
I believe if your terminal window can support all of the data that journalctl provides, you exit gracefully from less and journalctl. Gaining a shell will work on your Kali machine as well... # sudo journalctl -xe followed by !/bin/sh....
@toddjacobsen6492 Yes, actually gaining a shell on my Kali works. But when I run the command as the david user in a full-screen terminal it doesn't work, whereas when I run the command as the david user in a small window it works!
@evildead7845, the functionality/output of journalctl is the same on your Kali box... if the log messages are fewer than the terminal window rows, journalctl exits gracefully without less.
Example....run journalctl -u sshd.service on a full term window...on Kali...
@toddjacobsen6492 Okay, I understand now! Thanks! Have a good one!
I guess there is a Python script too for the nostromo exploit
Yeah... That's how I did it
Yeah, I did it too with that python script
Exactly how I did it! Much easier: github.com/theRealFr13nd/CVE-2019-16278-Nostromo_1.9.6-RCE
@ippsec Can you tell me how you split the terminal screen? It is very handy... Please reply
Use tmux bro
There's a tmux video on my channel. Watch it.
ruclips.net/video/Lqehvpe_djs/видео.html
Thanks a lot
@ippsec Bro, I have a problem with copy/paste in tmux! Outside of tmux I can't paste! Any suggestions?
For finding directories or files in directories with only execute permissions (only works if we know the name of the file/directory):
find / -type d -perm -a+x 2>/dev/null | while read LINE; do ls -al "$LINE/public_www"; done 2>/dev/null
It does not output the absolute path. I don't know how to do that. Let me know if anybody knows ...
Nervmon
first view first like first comment
FIRST!
First! The final step was bs x)
Watch the video, then let me know if you still think that. I didn't think any part of this box was bs :)
@ippsec The last part is bullshit because, for some reason and for some users, journalctl will just cat instead of using less. So for this to work you had to know that journalctl doesn't use less unless you have little enough space on your screen. The log file was tampered with and didn't display as many lines as it did for you; that's why it didn't work for me the first time.
@Raekh_ In a tmux session, the size of the pane isn't important :)
@shellbr3ak443 It is! I just tried it again. When I don't shrink, it cats. When I do, it runs less.
@Raekh_ Thanks for this. I couldn't figure out why it wasn't working for me. I made my tmux session smaller and it went to less.