HackTheBox - Tartarsauce

  • Published: 16 Sep 2024
  • 01:10 - Begin of recon
    03:00 - Discovery of WordPress and fixing broken links with Burp
    06:50 - Start of WPScan
    07:14 - Start of poking at Monstra (rabbit hole)
    13:05 - Back to looking at WPScan, find the Gwolle plugin is vulnerable to RFI exploits
    16:30 - Reverse shell returned as www-data
    18:08 - Confirming Monstra was read-only
    18:50 - Running LinEnum.sh to see www-data can run tar via sudo
    20:30 - Use GTFOBins to find a way to execute code with tar
    22:00 - Begin of Onuma user, use LinEnum again to see a systemd timer of a custom script
    24:10 - Examining the backuperer script
    26:00 - Hunting for vulnerabilities in backuperer
    32:15 - Playing with if/then exit codes in Bash. Turns out exit(0/1) evaluate as True, 2 is False
    34:20 - Begin of exploiting the backuperer service by exploiting the integrity check
    36:40 - Creating our 32-bit setuid binary
    39:16 - Replacing the backup tar with our malicious one (file owner of the shell is wrong)
    40:54 - Explaining that file owners are embedded within tar, creating the tar on our local box so we can have the setuid file owned by root
    42:30 - Exploiting the backuperer service via setuid!
    45:00 - Unintended exploit: Using symlinks to read files via the backuperer service
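The point at 40:54 (and the symlink angle at 45:00) is that a tar header carries the owner uid/gid, the mode bits including setuid, and link targets, and an extraction run as root honours all of them. As an added example that is not from the video, the Python below builds a constructed sample archive with exactly that kind of metadata and audits the headers before anything is extracted; every file name and path in it is made up.

```python
import io
import stat
import tarfile


def build_sample_archive() -> bytes:
    """Constructed sample archive (not from the box): an ordinary file, a file whose
    header claims root ownership plus the setuid bit, and a symlink entry."""
    buf = io.BytesIO()
    payload = b"#!/bin/sh\necho hello\n"
    with tarfile.open(fileobj=buf, mode="w:gz") as tf:
        plain = tarfile.TarInfo("html/index.html")
        plain.size, plain.uid, plain.gid, plain.mode = len(payload), 1000, 1000, 0o644
        tf.addfile(plain, io.BytesIO(payload))

        suid = tarfile.TarInfo("html/helper")  # header says uid 0 and mode 4755
        suid.size, suid.uid, suid.gid, suid.mode = len(payload), 0, 0, 0o4755
        suid.uname = suid.gname = "root"
        tf.addfile(suid, io.BytesIO(payload))

        link = tarfile.TarInfo("html/notes")  # symlink pointing outside the tree
        link.type, link.linkname = tarfile.SYMTYPE, "/tmp/outside-the-tree"
        link.uid, link.gid = 1000, 1000
        tf.addfile(link)
    return buf.getvalue()


def audit_archive(blob: bytes) -> list[dict]:
    """Flag header metadata that is dangerous when a privileged process extracts
    the archive: ownership and mode bits are applied as stored, links are created."""
    findings = []
    with tarfile.open(fileobj=io.BytesIO(blob), mode="r:gz") as tf:
        for m in tf.getmembers():
            reasons = []
            if m.mode & (stat.S_ISUID | stat.S_ISGID):
                reasons.append("setuid/setgid bit in header")
            if m.uid == 0 or m.gid == 0:
                reasons.append("owned by uid/gid 0 in header")
            if m.issym() or m.islnk():
                reasons.append(f"link entry -> {m.linkname}")
            if m.name.startswith("/") or ".." in m.name.split("/"):
                reasons.append("path escapes extraction directory")
            if reasons:
                findings.append({"name": m.name, "uid": m.uid, "gid": m.gid,
                                 "mode": oct(m.mode), "reasons": reasons})
    return findings


if __name__ == "__main__":
    for finding in audit_archive(build_sample_archive()):
        print(finding)
```

A backup job that extracts archives it did not produce itself, as root, should run a check like this first or extract with ownership and special bits dropped.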

Comments • 62

  • @SeattleGenXDude 4 years ago +6

    The gobuster syntax has changed...gets me every time

  • @Seferan 4 years ago +2

    If you're struggling to get WPScan to show the plugins, I believe it's due to WPScan changes here: blog.wpscan.org/wpscan/deprecation/2019/11/25/old-wpscan-deprecation.html. I updated my WPScan (gem install wpscan) to 3.7.7, signed up for an API key and ran the command: wpscan --url 10.10.10.88/webservices/wp -e p --api-token --plugins-detection aggressive . I'm not sure if the update was required (or maybe just the plugin-detection setting) but this worked for me.

  • @davehouser1 3 years ago +1

    Wow 17:30 - 18:05.
    I never knew you could set stty (to get tab complete, also support watch) + setting the terminal env var (to clear, backspace, and use up history commands). This is great. I have been using rlwrap for a while, which is a quick way to be able to do everything that your use of stty does, BUT I could never tab complete. This rules!
    BTW I tested to see if rlwrap would work with stty, it does not. Your tmux window will go on the fritz. You must perform a plain ol' nc -nlvp, without rlwrap, to utilize stty properly. Also note, if you do use stty with tmux, your pane size matters. Try not to adjust the size too much. Lastly, to actually exit the nc session with stty enabled I had to reset my tmux pane. Just some caveats I wanted to share.
    Thanks for sharing this! :D

  • @haanrey 3 years ago +7

    Does the OSCP exam have boxes like this? :O Like the priv esc part?!

  • @supersteve6772 2 years ago

    Absolutely stellar explanation!

  • @systemSHK 4 years ago

    Thanks Ippsec, great video. Fantastic box and I learned so much.

  • @TsukiCTF 5 years ago +2

    one of my favorite boxes

  • @theedmbrewery6234 5 years ago

    doing this box right now. Very thankful to you.

  • @TheIronpusher 5 years ago +5

    Ipp! Thank you for the videos they are great help and motivation while working on my OSCP.
    I have a question as unfortunately I have no connections in the field. How much different is your methodology and approach while on an actual pen test?

    • @ippsec 5 years ago +30

      They are pretty different. If you want to see what a traditional pentest is like check out Rastalabs or Offshore. A lot less bug hunting and a lot more lateral movement and hunting for interesting things.
      The easiest way I can explain it is imagine you’re on a sports team. Your practice isn’t just grinding out games. It’s a bunch of small drills to focus on specific mechanics that help improve your overall skill. These machines are drills.
      Not direct 1:1 but when hiring I'd prefer a junior that does CTFs over a senior pentester that does not. Primarily because I enjoy working with people who enjoy solving puzzles and aren't in it for the money. Not saying people who don't do CTFs are in it for the money, just a probability thing.

  • @mrinaljaiswal3251 5 years ago +7

    Hey ippsec, can you please do some videos on the most common privesc methods and on using Burp Suite to do blind SQL injection (no automated scanner)?

  • @gw2955 3 years ago +1

    This is nice, but for the OSCP can we use wpscan and priv esc? I know not everyone watching is doing OSCP but I just had that question.

  • @mrblackhat616 5 years ago +1

    awesome video as always

  • @theedmbrewery6234 5 years ago

    13:23, you can see there is a readme file location just above the highlighted line, which says that the version was changed from 1.5.3 to 2.3.10 to trick wpscan, and that's what gives away the actual version of this plugin.

  • @billy-cg1qq 5 years ago

    I love this box and your content, continue :-)

  • @robokopi00 5 years ago

    Liked & subscribed. Great content 👌🏼

  • @StrikerGoutham 5 years ago

    Got the box by the unintended priv esc! Was waiting for the proper priv esc, now I can sleep in peace :p

  • @RohanOnBike 5 years ago

    I was waiting for this for a long time. Had user, but couldn't get root. Wasn't able to exploit it in that 30 sec. window.

  • @gracereigns 5 years ago

    I've used tail to check logs, Burp to check HTTP headers and the payload looks ok, but I keep on connecting to myself when I invoke "wp-load.php"

  • @chenxiaogeng2283 5 years ago

    Great video! I was stuck at the last part and tried to figure out what I could do with the diff command. Thank you IppSec.

  • @einfallstoll 5 years ago +4

    I used a Path Traversal Vulnerability to upload a PHP Reverse Shell to the parent directory of Monstra using the file uploader. I didn't even look at the WordPress because I thought it was a rabbit hole ;)

    • @NomanRiffat 5 years ago +1

      I would like to know how you did it. Since there wasn't any write permission for the apache user in the web root directory, how did you upload the file? The WP plugin RFI vulnerability also didn't upload the file itself but executed code remotely.

    • @marcogenovese532 5 years ago

      @@NomanRiffat Same, I also tried path traversal to wp-content (hoping it would be writable) but since there were no write permissions for www-data I couldn't do it.

    • @einfallstoll 5 years ago +2

      There is a file uploader in Monstra. You could set the upload path in the GET parameter to the parent directory. To do this you had to bypass the insufficient security mechanism that should've prevented that. Here's my advisory to this: www.compass-security.com/fileadmin/Datein/Research/Advisories/CSNC-2018-027_monstra_cms.txt

    • @rtrvlogs582 5 years ago

      I thought of doing that, but didn't know which dir to write to, but after seeing your comment I dug in again, pretty nice way to get a shell 👍

    • @wutangdaug 4 years ago

      Hi there. Can you tell me how you managed to use Google to find this particular vulnerability? I can't seem to find it, trying to sharpen my google-fu as well if you don't mind sharing!

  • @gracereigns 5 years ago

    I have updated my "wp-load.php" host and port accordingly but for some reason I keep on connecting to myself :(

  • @NimbleSF 9 months ago

    This box was literally hell I wanted to die the whole time I was doing it

  • @divyarajsinhketansinhmahid65 2 years ago

    The new wpscan does not scan for the plugins, is it strange that after an update tools get worse?

    • @wenhui183 2 years ago +1

      change the scan mode: --plugins-detection aggressive or mixed

    • @tan6347 2 years ago

      Check the man page if you don’t know how to use the command.

  • @gracereigns 5 years ago

    after debugging my script for a while I noticed that the PHP got executed on my machine, which used Python SimpleHTTP

  • @gracereigns 5 years ago

    At 16:22, how did you partition your terminal into 3 segments? I use the terminal daily, I always wanted to do it that way.

    • @ippsec 5 years ago

      look at my tmux video

    • @gracereigns 5 years ago

      @@ippsec thank you for prompt reply.

  • @gracereigns 5 years ago

    I will check my apache logs to see if the script gets executed on the victim machine :(

  • @RashadPrince 5 years ago

    Being all over the place is fine, right? I mean, that's how it is in the real world, correct?

  • @skyone9237 5 years ago

    Can someone suggest any videos or books to learn priv esc?

    • @beastface5123 5 years ago

      www.trustwave.com/Resources/SpiderLabs-Blog/My-5-Top-Ways-to-Escalate-Privileges/

  • @kristibegaj608 5 years ago +2

    I'm a big fan but the RFI was lame honestly!!
    Monstra has an LFI that is lit and you just passed the git issues of the bug report and didn't see the most important one that lets you go back to a writeable dir to upload the file with a php7 extension.. that's how I did it!

    • @ippsec 5 years ago +1

      Nice! Completely missed that, background recon finished too quickly and I stopped looking at it.

    • @kristibegaj608 5 years ago +2

      @@ippsec and I also missed the WordPress way because I found that way of monstra easier and faster but still is file inclusion either way 😅
      Respect for you man I really like the way you do things.
      👏👏

  • @Tea20024 4 months ago

    You copy the PleaseSubscribe file and make the tar.gz folder and copy it into the hash file which the script makes. But when the script performs an integrity check, won't that check fail? Since the victim machine's original /var/www/html folder won't have the PleaseSubscribe file? And when it fails the script deletes the files it created in the /var/tmp folder.