HackTheBox - Broker

Подписаться 241 тыс.

Просмотров 25 тыс.

50% 1

00:00 - Intro
01:00 - Start of nmap
01:45 - Logging into ActiveMQ with admin:admin and then failing to use the exploit from 2016
04:00 - Doing a full nmap scan, then running script scans on the open ports
07:50 - Finding a page that talks about CVE-2023-46604, the latest activemq exploit
11:00 - Pulling down an exploit payload for this exploit, it is golang
12:30 - Modifying the payload to execute a reverse shell, instead of downloading and executing an elf file. Need to HTML Entity Encode the payload
16:30 - Reverse shell returned, seeing we can run nginx as root
17:20 - Building an nginx config that runs as root and shares the entire filesystem
23:08 - Enabling the WebDav PUT so we can upload files to the server and uploading an SSH Key
27:05 - Showing we could upload a cron entry aswell to get code execution

Опубликовано:

29 июн 2024

Ссылка:

Скачать:

Готовим ссылку...

Добавить в:

Мой плейлист

Посмотреть позже

Комментарии : 40

@alihajir1841 7 месяцев назад

Man you are awesome. I love the way you handle and understand things like it is nothing to you . I Wish i reach this level of professionalism.

@boogieman97 7 месяцев назад

You actually can. Ippsec reached this level by pure determination, tons of trial and error, a lot of reading, putting it into practice and most of all be curious and have the passion

@ippsec 4 месяца назад

+1 to @boogieman97 keep in mind I’ve been doing videos weekly for 5+ years. Which isn’t a long time at all, but more frequent than the average person. If you create a plan and stick with it I’m sure you’ll be near this level

@boogieman97 4 месяца назад

@@ippsec next to that correct me if I'm wrong, I've heard in one of your earlier videos that your carreer is far most autodidactic. Apart from that that might not be "long", it is about dedication and willingness to commit. Thats why I am highly appreciating Ippsec and of course subscribed, so if you agree folks do so as well 😃

@kaushikreddychinnasani 6 месяцев назад

Cron Job Priv Esc learnt today, Great video.

@The_Dark_Cats 7 месяцев назад

I didnt think to try entity encoding the xml and resorted to the curl command. Nice to know about that now. My question is did we have to have all three lines in the xml? Or could it have been done with one? Great video as usual!

@ptrckm 7 месяцев назад

its not even weekend wow love it

@ru31k32 7 месяцев назад

Nice way of opening a shell using cron job. :)

@petervsjim 5 месяцев назад

wow the dav method and cron are amazing

@KyserClark 7 месяцев назад

Thanks for the tutorial!

@chiragartani 7 месяцев назад

First .. now let me watch 😁

@094b3x1 7 месяцев назад

Thanks ippsec ❤

@tntxqx8281 7 месяцев назад

Awesome ippsec!!

@felixkiprop48 7 месяцев назад

thumb up💯

@Ak4sh07 7 месяцев назад

❤❤❤

@0xPr3d4T0r 26 дней назад

You are crazy good man 👍👌

@guillaumeentournee 26 дней назад

the privesc feels amazing

@sand3epyadav 7 месяцев назад

❤

@alanbusque6645 7 месяцев назад

Thanks

@gordona.freidman7308 7 месяцев назад

Thanks Ippsec

@tg7943 7 месяцев назад

Push!

@BLACKSTORM-ux9zi 7 месяцев назад

So basically is it a vuln in the class - ClassPathXmlApplicationContext which is part of the Spring framework? And this being used by ActiveMQ made it vuln as this class loaded a crafted XML config file

@WyldeZk 7 месяцев назад

Hey Ippsec thanks for the awesome video as usual. Are you planning to make videos on new HTB-Sherlocks when they’ll retire?

@ippsec 7 месяцев назад

I have not decided yet.

@yurilsaps 6 месяцев назад

@@ippsecI would appreciate a lot! Or if you know someone that you trust to make them also

@steenbot6413 6 месяцев назад

Hi Ippsec I was wondering if you could help? I am attempting this machine and I get into the activemq user initially through a meterpreter reverse tcp, then I get an interactive shell (python3 -c 'import pty;pty.spawn("/bin/bash")'. But when I try to edit the nginx.conf file with vi, the vi editor doesn't work properly and I can enter/exit insert mode or move around the text in the file with the arrow keys

@TekiZZ 7 месяцев назад

In this box the port 2112 lists archive system of the machine with elevated privileges on the navegator

@jmee7580 4 месяца назад

I have reset this box and gone through the same steps (i think) and there is no /root directory in /crontabs, also any file that gets uploaded doesnt have execute permissions(i changed permissions before uploading just in case). I uploaded the ssh keys just to login as root and check. Did they change the box?

@whilykitt 3 месяца назад

Do you have a tutorial or can you recommend one on getting more comfortable with Vi/Vim?

@TazEdits_ 6 месяцев назад

I got a 404 message not found error when I sent the file I tried send the packet without the poc xml and got a got a 200 get from server idk why

@GaelF30 Месяц назад

Im maybe late but i had the same problem. you have 404 because your poc-linux.xml file is on the CVE folder and your http server cant find it. just move poc-linux.xml to /home/[your account]/ i guess you started you http server on home directory like me :'(

@iWhacko 7 месяцев назад

I can't find the challenge on HTB? (yes I'm looking under retired)

@ippsec 7 месяцев назад

You may have a filter on your search.

@Fbarrett 7 месяцев назад

Ippsec you said on a earlier podcast that you were going to start doing videos on the basic foundations of Hackthebox. Is that still in the works? Thanks.

@ippsec 7 месяцев назад

I want to, just can't get the motivation. If you look at the technique videos, I think I've started covering things just not from a foundation perspective.

@Fbarrett 7 месяцев назад

thanks@@ippsec

@sanfordfloridarepairs9668 7 месяцев назад

Nothing

@user-ms6lq1lm1c 3 месяца назад

I did a completely different technique for privesc using share object .so (Files), since we can modify the prefix with nginx i just needed to craft a .so files in a module directory, rename it correctly (ngx_http_echo_module.so), run with sudo ===> got error but BAM suid /usr/bin/bash -p