
Hack The Box - Control 

VbScrub

My walkthrough of the Control machine on HTB.
Other videos mentioned in this one:
Port Forwarding Explained: • Port Tunnelling/Forwar...
VbRev Reverse Shell GUI: • Making A Reverse Shell...
--------------------
HTB: hackthebox.eu
My Twitter: / vbscrub
My Blog: vbscrub.com

Published: 3 Oct 2024

Comments: 34
@zanzeber 4 years ago
I prefer this format personally as opposed to just showing your final working solution but either way I'm enjoying your content 👍
@vbscrub 4 years ago
Thanks for the feedback
@Aminedemetz 4 years ago
this is what real pentesting looks like, great video mate, the priv esc part I would say was hard to even enum the proper services, keep up the good work
@DHIRAL2908 4 years ago
Lol, that crackstation thing is really fast and useful! Learned a lot from you sir!
@vbscrub 4 years ago
yeah I think they just have a list of existing hashes and their original values, so there's no actual cracking going on in real time, so it's just a quick database lookup for them. Obviously only works for hashes they already have in their database though
@heheboi4447 4 years ago
The explanation about SQL injection was awesome ✨✨
@vbscrub 4 years ago
I wasn't sure if that was going a bit overboard and everyone already knew that stuff, but glad to hear it was worth doing
@brettnieman3453 4 years ago
Great video as always. Nice to be able to use your new tool! It was a nice change doing things live a bit.
@vbscrub 4 years ago
thanks! Yeah I think I'll do a mixture in future of some machines where I already know what I'm doing and some with more live struggles
@brettnieman3453 4 years ago
@@vbscrub Perfect!
@westernvibes1267 4 years ago
There was actually a lot of talking going on about the x-forwarded-for header at the time the machine got released. I stumbled upon one of the blog posts the day before I attempted this machine. Got really lucky and the hard turned into a medium machine after that. :D
@vbscrub 4 years ago
oh haha sounds like you got pretty lucky then
@DavidWarrington 4 years ago
Great to see somebody using a windows machine for HTB. That service enumeration was painful via Kali, come back enter-pssession all is forgiven
@vbscrub 4 years ago
haha well as you can see it was pretty painful for me on windows too, but yeah I wouldn't fancy the extra hassle of doing it from a different OS too
@ReubenSammut 4 years ago
Interesting way of how you scripted service and permission enumeration. I was lucky to have found wuauserv immediately and everything worked... but not before I had started the service before having changed the binPath. So I started trying to find other services. By the time I got to enumerating the 10th service, wuauserv had stopped running, so I could use it again. I guess there was some sort of script which reset both the service and its binPath. Also, I tend to use nc as the bin for the service. A trick I found is having a second nc command in my clipboard so when I get the first shell back from the service, I run the second one. When the service dies (since it does not respond to service control), I still have my second shell which is running as the same user but independent from the service. This trick is similar to how to daemonize a process in linux, where you perform a double fork. Regarding the proxy header enumeration, I managed to leak the source of admin.php through an sql injection in view_product.php.
@vbscrub 4 years ago
yeah I did think later that maybe there's a script resetting the image path for this service, as it seems kinda weird that windows would periodically do that. Glad to hear the service stopped fairly quickly for you after starting it with the legit image path though. For the proxy header enum I'm not sure what you mean, because can't we only access that view_product.php AFTER getting through the part that requires the correct HTTP header?
@ReubenSammut 4 years ago
@@vbscrub So if you look at the sources, you'll find a file (if i recall correctly it's called functions.js) where you get to know about view_product.php. Only admin.php requires the X-Forwarded-For header.
@vbscrub 4 years ago
@@ReubenSammut ohhh cool, did not realise that. So then do you even need the HTTP header? From what I remember the admin page doesn't seem to do anything other than forward you on to the view_product page where we do the rest of the attack from. So if you can access that directly, don't you bypass the HTTP header requirement completely?
@ReubenSammut 4 years ago
@@vbscrub While I have used the X-Forwarded-For header to see the admin page, I believe I ended up doing the whole SQL injection with the file write on view_product.php. I don't recall using search_product.php for sql injection. In fact I only got to know about the possibility of injecting into it after watching IppSec's video.
@vbscrub 4 years ago
@@ReubenSammut oh sorry I was confusing view_product with search_product. So you're saying you could have done the whole thing without needing to know about the HTTP header? I wonder if that was intended or not. I feel like probably not lol
@priyanshukumarpu 4 years ago
Why didn't X-Forwarded-For: 127.0.0.1 work?
@vbscrub 4 years ago
because the web server was set to just allow access from that 192.168 address we found in the source code (which is not the web server itself, so 127.0.0.1 wouldn't help)
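Seen from the defender's side, the allow-list discussed in this part of the thread fails because the address is taken from a header the client controls. The sketch below is an added example, not code from the video, the machine or any commenter: the function names are hypothetical and all addresses are constructed documentation values. It sets a check that trusts X-Forwarded-For unconditionally beside one that honours it only when the TCP peer is a known reverse proxy.

```python
import ipaddress

# Constructed values for illustration; none of them come from the machine in the video.
ALLOWED_CLIENT = ipaddress.ip_address("192.0.2.10")    # only client allowed on the admin page
TRUSTED_PROXIES = {ipaddress.ip_address("10.0.0.5")}   # reverse proxies the operator runs


def naive_is_allowed(peer_ip, headers):
    """Flawed check: believes X-Forwarded-For no matter who sent the request."""
    claimed = headers.get("X-Forwarded-For", peer_ip).split(",")[0].strip()
    return claimed == str(ALLOWED_CLIENT)


def client_ip(peer_ip, headers):
    """Return the client address, honouring X-Forwarded-For only from a trusted proxy."""
    peer = ipaddress.ip_address(peer_ip)
    xff = headers.get("X-Forwarded-For")
    if peer not in TRUSTED_PROXIES or not xff:
        return peer  # direct connection: the TCP peer is the only address we can trust
    # Walk the chain right to left; the first hop that is not our proxy is the client.
    for hop in reversed([h.strip() for h in xff.split(",")]):
        try:
            addr = ipaddress.ip_address(hop)
        except ValueError:
            return peer  # malformed header: fall back to the peer, which is not allow-listed
        if addr not in TRUSTED_PROXIES:
            return addr
    return peer


def hardened_is_allowed(peer_ip, headers):
    """Allow-list check on the address derived by client_ip()."""
    return client_ip(peer_ip, headers) == ALLOWED_CLIENT
```

The header dictionary here is a plain dict keyed exactly as `X-Forwarded-For`; a real framework normalises header names, and the proxy itself should overwrite or append to the header rather than pass a client-supplied value through untouched.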
@MrJasonPlayz 4 years ago
For some reason, the "Get-ServiceAcl" cmdlet on my powershell throws a "CommandNotFoundException" error! I'm not exactly sure how to get past this. Could this be because of Powershell 7?
@vbscrub 4 years ago
did you download it from the website I copied it from and import it into your session? This is where I copied it from: rohnspowershellblog.wordpress.com/2013/03/19/viewing-service-acls/ Then just saved it as a .ps1 file and imported it into my current PS session with dot sourcing, e.g: . .\filename.ps1 (notice the first dot then a space, then the .\path)
@MrJasonPlayz 4 years ago
@@vbscrub Oh no, I didn't do that stage 😅 That will be it. Thanks for the reply, really nice videos by the way!!
@heheboi4447 4 years ago
Nice 🔥🔥🔥
@manikkoirala9576 4 years ago
video quality 360p?
@vbscrub 4 years ago
you were too early :)
@manikkoirala9576 4 years ago
@@vbscrub haha yup one of your biggest fans :)
@ahmadmaulana3622 4 years ago
Edit : NVM :))
@vbscrub 4 years ago
I think you're thinking of another machine called Remote, not this one which is called Control ;)
@ahmadmaulana3622 4 years ago
@@vbscrub oh yeah, misplaced those 2 boxes :))