Always waiting for these notifications every Saturday. Thanks for the work, Ippsec... the hacker community appreciates your efforts.
"while we poke at the server manually, we have something that is automatically poking at the server "
Thank you Ippsec for all your lessons.
What's going on RUclips
This is "Doctor ippsec"
Here you can find the autopsy report of every hackthebox
Chubbyemu reference?
Make a course with your own custom virtual machines, upload to udemy or make your own site and cash in. You certainly have the knowledge for that.
The moment he says "i think you will like this video"
I am like, sir, I like every video of yours.
Thank you for the Master Class Sensei Ipp
Happy Guru Purnima (Teachers' Day) ippsec ❤ love from Nepal
Another student from Nepal, that's right.
The script development part is awesome
Awesome, I like your way of using tmux and vim. I also like your speedy movement. You are motivating me, thanks.
Really, man, thanks for your videos.
Thank you for sharing!
Thank you❤️❤️❤️ darling.
I love your color scheme may I ask what is it?
I love how unnecessary, but relatable, writing that python script was.
Got the LFI through XXE directly on the backup.forwardslash.htb/dev/index.php page. Used username admin for my user and observed that I could access /dev/index.php. Got the index.php for this page with the same php wrapper in XML through XXE.
For the crypto, if you look at the decrypt function, you can work out that it only depends on the key (k) and the message (m) in the following way:
For len(k) == 1, you get:
out[i] = m[i] - m[i-1] - k[0]
For len(k) == 2, if you work it out, you get:
out[i] = m[i] - 2 * m[i-1] + m[i-2] - k[0]
For len(k) == 3, after working it out again, you get:
out[i] = m[i] - 3 * m[i-1] + 3 * m[i-2] - m[i-3] - k[0]
As to how you can work it out, this is how I did it for len(k) == 4 (note that ta, tb, and tc are temporary variables for m in the new loops, and thus m is always the original input to the decrypt function):
```
k[3]:
ta[ i ] = m[ i ] - k[3] - m[i-1]
ta[i-1] = m[i-1] - k[3] - m[i-2]
ta[i-2] = m[i-2] - k[3] - m[i-3]
ta[i-3] = m[i-3] - k[3] - m[i-4]

k[2]:
tb[ i ] = ta[ i ] - k[2] - ta[i-1]
        = m[ i ] - k[3] - m[i-1] - k[2] - m[i-1] + k[3] + m[i-2]
        = m[ i ] - 2 m[i-1] + m[i-2] - k[2]
tb[i-1] = ta[i-1] - k[2] - ta[i-2]
        = m[i-1] - k[3] - m[i-2] - k[2] - m[i-2] + k[3] + m[i-3]
        = m[i-1] - 2 m[i-2] + m[i-3] - k[2]
tb[i-2] = ta[i-2] - k[2] - ta[i-3]
        = m[i-2] - k[3] - m[i-3] - k[2] - m[i-3] + k[3] + m[i-4]
        = m[i-2] - 2 m[i-3] + m[i-4] - k[2]

k[1]:
tc[ i ] = tb[ i ] - k[1] - tb[i-1]
        = m[ i ] - 2 m[i-1] + m[i-2] - k[2] - k[1] - m[i-1] + 2 m[i-2] - m[i-3] + k[2]
        = m[ i ] - 3 m[i-1] + 3 m[i-2] - m[i-3] - k[1]
tc[i-1] = tb[i-1] - k[1] - tb[i-2]
        = m[i-1] - 2 m[i-2] + m[i-3] - k[2] - k[1] - m[i-2] + 2 m[i-3] - m[i-4] + k[2]
        = m[i-1] - 3 m[i-2] + 3 m[i-3] - m[i-4] - k[1]

k[0]:
out[i]  = tc[i] - k[0] - tc[i-1]
        = m[ i ] - 3 m[i-1] + 3 m[i-2] - m[i-3] - k[1] - k[0] - m[i-1] + 3 m[i-2] - 3 m[i-3] + m[i-4] + k[1]
        = m[ i ] - 4 m[i-1] + 6 m[i-2] - 4 m[i-3] + m[i-4] - k[0]
```
Note that this only holds up whenever you don't loop back (so for length 4, i >= 4), because otherwise the values would already have been updated and you'd need the values from the new temporary variable, which means they depend on more key bytes.
So you can brute-force over the keylength and first key byte. To do that using the calculations above, you just need to know which message bytes to combine. This you can calculate by putting which message bytes to use as a list.
For key length 1, it's [1, -1] (= 1 * m[i] - 1 * m[i-1]).
For key length 2, that would be [1, -2, 1] (= 1 * m[i] - 2 * m[i-1] + m[i-2]).
For key length 3, it becomes [1, -3, 3, -1] (= 1 * m[i] - 3 * m[i-1] + 3 * m[i-2] - m[i-3]).
Now you can see that you can calculate this list (t) as follows:
t[2] = t[1] - (t[1] >> 1) = [1, -1] - [0, 1, -1] = [1, -2, 1] and
t[3] = t[2] - (t[1] >> 1) = [1, -2, 1] - ([1, -2, 1] >> 1) = [1, -2, 1] - [0, 1, -2, 1] = [1, -3, 3, -1],
where the >> means rolling the list. This can be extended to t[i] = t[i - 1] - (t[i - 1] >> 1) to know which message bytes you need to use for key length i.
Using this, you can build a brute-forcer that loops over the key length, calculates which message bytes need to be combined for that key length, and then brute-forces the first byte (for each key length). You'll get most of the plaintext, except the first couple of bytes, as they rely on more key bytes.
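The structure the derivation above assumes, the rolling rule for t[i] and the closed-form recovery, carried through in Python as an added example (not the box's source and not the commenter's script). The cipher routines, key and plaintext are constructed to match the comment's description: each key byte is subtracted together with the previous ciphertext byte, mod 256, last key byte first.

```python
# Constructed model of the cipher as the comment describes it, plus the comment's
# t[i] rule and the closed form out[i] = sum(t[j] * m[i-j]) - k[0] for i >= len(k).

def coeffs(keylen):
    """t[keylen]: weights of m[i], m[i-1], ... in out[i] (before subtracting k[0])."""
    t = [1, -1]                                   # t[1]: out[i] = m[i] - m[i-1] - k[0]
    for _ in range(1, keylen):
        rolled = [0] + t                          # the comment's "t >> 1": shift right by one
        t = [a - b for a, b in zip(t + [0], rolled)]
    return t                                      # alternating-sign binomial coefficients

def model_encrypt(key, pt):
    m = list(pt)
    for kb in key:
        for i in range(len(m)):                   # forward, in place: m[i-1] already updated,
            m[i] = (m[i] + kb + m[i - 1]) % 256   # except i == 0, which wraps to the old m[-1]
    return m

def model_decrypt(key, ct):
    m = list(ct)
    for kb in reversed(key):
        for i in reversed(range(len(m))):         # reverse, in place: m[i-1] is still this pass's
            m[i] = (m[i] - kb - m[i - 1]) % 256   # input, except i == 0 ("loop back" to new m[-1])
    return m

def recover(ct, keylen, k0):
    """Plaintext bytes i >= keylen from the closed form; the earlier bytes depend on more
    key bytes because of the wrap-around, so they are left as None."""
    t = coeffs(keylen)
    out = [None] * len(ct)
    for i in range(keylen, len(ct)):
        out[i] = (sum(c * ct[i - j] for j, c in enumerate(t)) - k0) % 256
    return out

def brute_first_byte(ct, keylen, plausible):
    """The comment's search for one key length: keep every k[0] whose recovered
    bytes all satisfy `plausible` (for example, printable ASCII)."""
    return [k0 for k0 in range(256)
            if all(plausible(b) for b in recover(ct, keylen, k0)[keylen:])]
```

Looping `brute_first_byte` over candidate key lengths reproduces the comment's brute-forcer; the bytes it cannot recover are exactly positions 0 to keylen-1.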
Ah, the good old SSRF + XXE chain... ;)
Did you publish something about your terminal theme, which looks to be very useful?
I highly recommend TryHackMe, they have some really good beginner "rooms" where they walk you through things.
thanks
you are unbelievable :) ...
If I am a beginner, is HTB good to start with?
Nope. Use Tryhackme or VulnHub
You can replace
```
try:
    os.makedirs(path)
except:
    pass
```
with
```
os.makedirs(path, exist_ok=True)
```
I have something for you, because you are so wonderful. A gift. I call it Alphabet soup: you HTB with mics on in group mode, (zoom?), and let everyone help out. Although I know this may only slow you down. I will leave this for you.
What happened to the cho cho choo? :(
I'm currently doing my internship as an SDE, but I'm not interested in what I'm doing. I wanted to do something cool like you did, like penetration testing or bug bounty. Can you do a video on where to start? I have watched your videos but can't reach the basic things.
Can you please make Brainpan also? It will really help us!
But Ipp, why ForwardSlash?
There are so many boxes older than this; this one hasn't even completed two months.
HackTheBox chooses what machines retire, I don't.
Where can I find a copy of the python3 source-leak.py please
Got so far so quickly (LFI through profile pic) - Wasn't able to break the cipher though :(
How do you find .php without guessing?
GoBuster to brute force it.
@ippsec thanks
Please reveal your face, I wanna know what my god looks like 😆😂♥️
Hi Gibson
Is it okay if I didn't understand everything? lol
He's not showing his face because he is a secret genius 15 year old
Can you please correct your cursor? It is really confusing with a dollar sign.
Use Visual Studio Code, bro.
I use VS Code every now and then in videos. However, when I'm talking and typing I prefer as few things going on as possible. Typing and talking is pretty tough, add clicking and autocompletes as you type and it can derail my talking pretty quickly.
@ippsec Agreed!
Bro, you sound like hacker Kermit.