HackTheBox - Wifinetic
- Published: 3 Aug 2024
00:00 - Introduction
01:00 - Start of nmap
02:00 - Using wget to download all files from FTP, then examining the files and taking notes of the usernames
05:00 - Taking a look at the backup, discovering a password in the wireless config
06:45 - Using CrackMapExec to spray SSH with our password and getting a success with netadmin
09:15 - Running LinPEAS to discover that Reaver has the capability cap_net_raw
13:15 - Explaining why Reaver having this capability is interesting
14:40 - Running Reaver to brute force the WPS PIN and getting the WPA PSK, which is also the root password
15:30 - Start of building a bash script to spray a single password across valid users with su
22:00 - Converting our script into a bash function so it's easier to run without touching disk
24:55 - Talking about WPS and how this exploit worked
25:30 - The first vulnerability in the WPS PIN: the eighth digit is just a checksum
28:30 - The second flaw in WPS: the PIN is validated in two halves, so if the first four digits are wrong the responses tell you. This reduces the number of PIN guesses from 10^7 to 10^4 + 10^3.
30:00 - Showing that the WSC NACK gets sent after Message 4 if the first four digits of the PIN are wrong
31:15 - Changing the PIN and playing more with Reaver to showcase how Reaver works
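The two WPS design flaws covered in the 25:30 and 28:30 chapters, as an added Python example that is not code from the video or from Reaver. It implements the standard WPS PIN check-digit rule from the Wi-Fi Simple Configuration specification (odd positions from the left weighted 3, even positions weighted 1, check digit makes the weighted sum a multiple of 10) and the search-space arithmetic that follows from the PIN being confirmed in two halves. This is the reason access points should have WPS PIN (external registrar) mode disabled: the effective keyspace is a few thousand guesses, not 10^8.

```python
"""Why an 8-digit WPS PIN offers nowhere near 10^8 guesses.

Added example, not code from the video or from Reaver. The checksum rule is
the one defined in the Wi-Fi Simple Configuration spec; nothing else is assumed.
"""


def wps_checksum(first7: str) -> int:
    """Return the check digit that completes a 7-digit WPS PIN prefix.

    Positions 1, 3, 5, 7 (counted from the left) are weighted 3, positions
    2, 4, 6 are weighted 1; the check digit brings the weighted sum to a
    multiple of 10. So only 1 in 10 eight-digit strings is a valid PIN.
    """
    if len(first7) != 7 or not first7.isdigit():
        raise ValueError("expected exactly 7 decimal digits")
    accum = 0
    for pos, ch in enumerate(first7):  # pos 0 is the leftmost digit
        weight = 3 if pos % 2 == 0 else 1
        accum += weight * int(ch)
    return (10 - accum % 10) % 10


def is_valid_wps_pin(pin: str) -> bool:
    """True if pin is 8 decimal digits and its last digit is the correct checksum."""
    if len(pin) != 8 or not pin.isdigit():
        return False
    return int(pin[7]) == wps_checksum(pin[:7])


def count_valid_pins(lo: int, hi: int) -> int:
    """Count valid PINs with numeric value in [lo, hi]; exactly 1 in 10 pass."""
    return sum(is_valid_wps_pin(f"{n:08d}") for n in range(lo, hi + 1))


def wps_search_space(checksum_known: bool = True, halves_independent: bool = True) -> int:
    """Worst-case number of PIN guesses under each assumption.

    naive (8 free digits):                    10^8
    checksum known (8th digit derived):       10^7
    halves confirmed separately, no checksum: 10^4 + 10^4
    both flaws (the video's 28:30 point):     10^4 + 10^3
    """
    if not halves_independent:
        return 10**7 if checksum_known else 10**8
    second_half = 10**3 if checksum_known else 10**4
    return 10**4 + second_half


if __name__ == "__main__":
    # 12345670 is the well-known valid sample PIN; 12345671 fails the checksum.
    for candidate in ("12345670", "12345671"):
        print(candidate, "valid" if is_valid_wps_pin(candidate) else "invalid")
    print("valid PINs among the first 10,000 values:", count_valid_pins(0, 9999))
    print("worst case with both flaws:", wps_search_space())
    print("worst case, no flaws:", wps_search_space(False, False))
```

The `halves_independent` flag models the M4 NACK behaviour shown at 30:00: because the registrar rejects after Message 4 when only the first half is wrong, the first four digits are confirmed on their own, and the second half then costs only 10^3 because its last digit is fixed by the checksum.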
Using only one binary for the password spraying part was very insightful!
I actually think that it's better than using cat, grep and awk at the same time, when it comes to detection.
Thank you for taking the time to explain all of that and also for going much further than just solving the box!
The beyond-root-segment taught me a lot I didn't know. I appreciate you always going the extra mile.
"never do math online" :)
also: awk -F':' '/sh$/ {print $1;}' /etc/passwd (no need to specifically check last column since it's also the end of the whole line)
Absolutely fantastic explanation. This was a learning experience.
freakin cool, it was really great understanding what's happening under the hood when we use reaver!
So dope! Well done!
Loved the explanations while writing that bash script
Of all the things I should remember from watching the best walkthroughs on the internet, I can't get "cat spray" out of my brain.
Can you do a setup tour? I'd be interested in seeing what you work with and your kraken machine too.
Dude, you are so good at this, it's crazy. I'm more and more thinking about stopping doing software and doing security just because of those vids.
I love your content Ip, I just wish I didn't have to double my volume to hear you. :P
Loved the post root part thank you
Thanks for the video and learning experience!
Above and Beyond!
That's great
I enjoy the extra bits after root
Did you make a typo with the maths at the end? I'm confused 😭😅
yea he was wrong xD
Push!
awesome ippsec
The Great idea
May I ask (at 11:01) why Netadmin was selected as a process of interest? There were several user accounts listed all with processes started by root. What's so special about netadmin? I noticed that all of the others except _laurel had a PPID of 1. Thanks.
When I did this box, I tried every user listed in /home 😂😂😂
But you have a point, and I really wanna know about this.
Just because that is who we are running as. The chance of root starting a process we can write to is greater.
Thanks @ippsec :-) Still watching and still learning. Thanks for replying.
Hello ipp, did you have the chance to use the Caido tool? It's like Burp Suite and it has an integrated AI. Can you do a video about it?
Why don't you use --open in nmap scanning
Filtered/closed could be useful in rare cases (especially in CTF).
For example if there is a firewall, it could tell you the port could be open but only accessible from the inside of the box (through things like SSRF), or a port knocking (a port that needs to be knocked to pass from filtered to open).
It is what I guessed, but maybe I am wrong!
Love ippsec, but we don't have proper pentest knowledge, please help us.
!
1st comment 🎉
@aubcodell Interesting
Boring box !
Not worth 250$
Ipp, please post the write-up for cybermonday. I implore you 🥺
Cybermonday is still active… he can’t do that
@_fr3d_ sniff sniff
Lol, it's an interesting box you can play with.