HackTheBox - TwoMillion

Подписаться 241 тыс.

Просмотров 39 тыс.

50% 1

00:00 - Intro
00:18 - Start of nmap, scanning all ports with min-rate
02:35 - Browsing to the web page and taking a trip down memory lane with the HackTheBox v1 page
04:00 - Attempting to enumerate usernames
05:10 - Solving the HackTheBox Invite Code Challenge
05:50 - Sending the code to JS-Beautify
06:45 - Sending a curl request to /api/v1/invite/how/to/generate to see how to generate an invite code
10:40 - Creating an account and logging into the platform then identifying what we can do
16:50 - Discovering hitting /api/v1/ provides a list of API Routes, going over them and identifying any dangerous ones
17:50 - Attempting a mass assignment vulnerability upon logging in now that we know there is an is_admin flag
22:30 - Playing with the /api/v1/admin/settings/update route and discovering we can hit this as our user and change our role to admin
24:30 - Now that we are admin, playing with /api/v1/admin/vpn/generate and finding a command injection vulnerability
26:15 - Got a shell on the box, finding a password in an environment variable and attempting to crack the user passwords
30:00 - Re-using the database password to login as admin, discovering mail that hints at using a kernel privesc
32:00 - Searching for the OverlayFS Kernel Exploit
35:00 - Finding a proof of concept for CVE-2023-0386, seems sketchy but GCC is on the HTB Machine so i don't feel bad about running it
37:27 - Running the exploit and getting Root, finding an extra challenge thank_you.json, which is can be done pretty much in CyberChef
42:20 - Looking deeper at the invite code challenge to see if it was vulnerable to Type Juggling (it was back in the day but not anymore)
43:30 - Testing for command injection with a poisoned username
47:20 - Didn't work, looking at the source code and discovering it had sanitized usernames on the non-admin function

Опубликовано:

3 июл 2024

Ссылка:

Скачать:

Готовим ссылку...

Добавить в:

Мой плейлист

Посмотреть позже

Комментарии : 68

@arenmanukyan8527 11 месяцев назад

I really don't understand how this machine is considered "Easy", and i'm terrified what will the "Medium" ones be...

@waybetter4462 3 месяца назад

Welcome to the Hackthebox community!❤😅

@Agr0dan Год назад

I’m glad you said you had trouble solving the invite code back in the day because so did I lol

@ITSecurityLabs Год назад

I am not the only one who had to lookup the invite code! Great box, brings back memories for sure

@joyemoticon Год назад

The invite code thing is like looking at something you wrote when you were in high school. You remember that it really broke your brain when you did it initially, but all the experience you have gotten since then has made it beyond trivial.

@Myk4my 6 месяцев назад

This was one of the best videos you made. I love seeing your methodology and problem-solving techniques in the face of the unknown, it gives me the strength to keep learning. Do more like this, please!

@cloudliving447 11 месяцев назад

this is a different level of amazing watching, after solving this - still learned a lot

@lool7922 Год назад

Great work - waiting for the next one

@JuanMountainBiking Год назад

Congrats on 200K

@solcloud Год назад

Nicely done, thank you 👍

@jojobobbubble5688 Год назад

I love everything about this and can't wait for you to complete the cliffhanger!

@ippsec Год назад

It will be slightly longer than I expected, it's a lot more complicated than I expected. But I'll certainly put something out there soon as I can. You can see I created an issue on Linux Exploit Suggestors repo :)

@souleymaneadellah1176 Год назад

An ippsec vid on a Wednesday? This feels like when GoT episodes gets leaked 😂

@dailyversesforgod Год назад

Do you go through the boxes before filming or are you just naturally talented? :) great video as always

@amieemaya9472 Год назад

Wow thank u

@lindacupples3381 Год назад

Hey Ippsec, I have a question regarding the regex in remove_special_characters. I have seen this regex used in many web applications, some as apart of ID sanitisation in dynamic queries. I got them impression from your video that it'd be possible to bypass this regex. Would it be possible to comment on it further? It might even be a good separate video. Thanks

@stanislavsmetanin1307 Год назад

Bravo maestro)))

@tudasuda5501 Год назад

Thnx!

@gee5889 Год назад

Which computer and software do you use

@papacanfly5639 2 месяца назад

Any idea where he uploaded the next part of the video "Beyond Root- Adding overlay FS"?

@dharanisanjaiy Год назад

I really missed "We have alreadyyyy rannnn itt "

@patrickFREE. 8 месяцев назад

so do you use everytime put, if you want to update smth?

@pabloalfaro2595 Год назад

Do you prefer ferobuster or gobuster?

@tg7943 Год назад

Push!

@deesick_ 3 месяца назад

This box is so intimidating. If this is considered easy then I'm scared of what's to come

@herc Год назад

I saw this machine getting released on HTB, now it's no longer present. Is it only for you to show us your approach to solving machine or?

@huntit4578 Год назад

Its Retired

@huntit4578 Год назад

You can still access it

@techtimefly 2 месяца назад

Using JS-Beautify 1.15.1 and CyberChef, both seem to fail to de ofuscate the javascript min.js file

@colmcarroll3413 Месяц назад

I had the same issue but ChatGPT worked for me

@user-zz1un8lb8g Год назад

Hey man do you know why i cant i get "Server Not Found" when i try to load up the site on that machine?

@Macj707 3 месяца назад

CHEF CRISP WUZ HERE!

@Ms.Robot. Год назад

Oh no, my calendar must be two days off‼️😅

@leakim4975 Год назад

Do you have more videos of solving boxes without previous experience with them?

@ippsec Год назад

Some of the Easy ones back in like 2021 probably. There was a time when I did them more blind, but I started reviewing boxes before they went live to players, so its hard to do a true blind play through.

@leakim4975 Год назад

@@ippsec Ok thanks. Love your content and Im always learning something new from every video! Keep doing your thing!

@255py8 7 месяцев назад

first time seeing that kracken what is it? a custom machine made by you or a new server to crack hashes?

@ippsec 7 месяцев назад

Its just a box I have on my network.

@ruthlozanorodriguez207 Год назад

Is it possible that you will solve the soccer box without using sqlmap? I've been really struggling with it, plus I think its a really interesting machine. Regards from Spain :)

@ippsec Год назад

Nope I’ll use sqlmap. There are videos where I do Boolean injection without it

@ruthlozanorodriguez207 Год назад

@@ippsec Okay! Thanks eitherway for all the content you give us ☺

@Simply_facts...-----382 10 месяцев назад

sir i am a free user of hack the box and i cant get the virtual machine in my windows for longer time is there any other option to get virtual machine for free inmy windows to work for the machines in hack the box sir

@filmyguyyt Год назад

Hi!

@joaobeja2076 4 месяца назад

I didn't understand why we would need to add the hostname to the hosts file? And how do we get to that conclusion by entering to the website and getting the not found result? (I started HTB a few weeks ago, I'm still a noob, can someone explain me?)

@ippsec 4 месяца назад

When doing these types of CTF’s there is no DNS Server. Some websites do virtual host routing, which makes DNS important. Editing the host file mimics having a dns server. I don’t remember how this box leaked the hostname but I’m sure if you watch from nmap, it’s probably around there. Normally it’s ssl certificates

@joaobeja2076 4 месяца назад

It was from nmap! Thanks for the help !!