
Tier 2: Markup - HackTheBox Starting Point - Full Walkthrough 

CryptoCat

Learn the basics of Penetration Testing: Video walkthrough for the "Markup" machine from tier two of the @HackTheBox "Starting Point" track; "don't forget to contemplate". We'll be exploring the basics of enumeration, service discovery, Masscan/NMap, brute-forcing login credentials (ffuf), XXE, post-exploitation (uncovering plaintext credentials, winPEAS), privilege escalation (permission issues) and more! Write-ups/tutorials aimed at beginners - Hope you enjoy 🙂 #HackTheBox #HTB #CTF #Pentesting #OffSec
Sign up for HackTheBox: hacktheboxltd.sjv.io/xk75Yk
↢Social Media↣
Twitter: / _cryptocat
GitHub: github.com/Crypto-Cat
HackTheBox: app.hackthebox.eu/profile/11897
LinkedIn: / cryptocat
Reddit: / _cryptocat23
RU-vid: / cryptocat23
Twitch: / cryptocat23
↢HackTheBox↣
affiliate.hackthebox.com/cryp...
/ hackthebox_eu
/ discord
↢Resources↣
Ghidra: ghidra-sre.org/CheatSheet.html
Volatility: github.com/volatilityfoundati...
PwnTools: github.com/Gallopsled/pwntool...
CyberChef: gchq.github.io/CyberChef
DCode: www.dcode.fr/en
HackTricks: book.hacktricks.xyz/pentestin...
CTF Tools: github.com/apsdehal/awesome-ctf
Forensics: cugu.github.io/awesome-forensics
Decompile Code: www.decompiler.com
Run Code: tio.run
↢Chapters↣
Start: 0:00
Masscan/NMap: 0:24
Brute force login (ffuf): 4:31
Explore HTTP site: 8:48
Research XXE: 10:32
Test payloads: 14:32
Fuzz LFI wordlist (Burp Intruder): 15:55
Recover private SSH key: 20:00
Enumerate filesystem: 21:48
Run winPEAS.exe: 23:11
Investigate PrivEsc: 29:40
Overwrite scheduled BAT script: 31:45
Submit root flag: 36:00
End: 36:51

Science

Published: 3 Jul 2024

Comments: 63
@TheBG077 10 months ago
Excellent walkthrough as always! I was able to get a good bit into this one without needing a guide, so we're getting there! Thank you again for your guidance, and for taking the time to answer questions from everyone... you're a blessing to the community! :D
@_CryptoCat 10 months ago
Awesome! Thanks mate 🙏🥰
@_techwaves 2 years ago
Great walkthroughs! I learned a lot from you
@_CryptoCat 2 years ago
Awesome! Thanks for the support mate 🥰
@Vex7eX 1 year ago
Thank you for your selfless tutorial!!!
@Californ1a 2 years ago
For the tools that have taken their releases out of the repo and moved to GitHub's releases tab, there is a GitHub releases API you can curl to get the list of binaries (assets) in the latest release, and then loop through those assets in the JSON response to get the download URLs and grab all those. A little more in-depth than just a git pull, but it can work.
@_CryptoCat 2 years ago
Thanks mate, will have to get that set up soon! I have a script which recursively updates all git repos, should be able to integrate it with that 😊
@Death_User666 5 months ago
You have talent sir
@_CryptoCat 5 months ago
🙏🥰
@GunZFoX 1 year ago
If someone is stuck getting the reverse shell at the end, just try to log in via SSH as "Administrator" with the credentials winPEAS found. It's always worth giving it a try ;)
@philcrocker9358 1 year ago
Did it take anyone ages to get the final netcat shell to come through? Every 10 seconds or so the job.bat file obviously resets itself, but it never connected back. A bit confused because whilst it's the best bit, it's not a massively complex bit as most of the hard stuff had been done earlier. 😂 The walkthrough says it's an unstable exploit so it might take many tries with failure, but I've legit written to the job.bat file about 90 times now, without it calling back to my listener. When it gets to 100 I may cry.
@_CryptoCat 1 year ago
Did it work eventually?! 😅
@reu3437 1 year ago
I'm facing the same problem. My netcat is not getting the reverse shell either. Quite frustrating lol
@orvalz 1 year ago
@reu3437 I have the same problem haha
@kylejf9059 2 years ago
Again, I was pretty lost here. I was doing my XXE / XEE a little wrong and I'd have been lost otherwise. Also, it didn't occur to me to look for the file after. Once again, learned a lot. *That* default password also worked but I still followed to the end as I wanted to see the point of what we were meant to learn rather than that shortcut. Many thanks :) Edit: I also tried to cheat and steal all the flags from Burp lol. It worked for one of them.
@_CryptoCat 2 years ago
Nice one mate, you're flying through them 😉
@kylejf9059 2 years ago
@_CryptoCat Thanks to a lot of help from yourself, just trying to build the experience and variety of stuff up so I can be somewhat 5% competent going forward. Thanks again 👍🏻
@_CryptoCat 2 years ago
np you are doing great! keep it up 🥰
@manolete1516 1 year ago
Take your like boss!!!
@_CryptoCat 1 year ago
🙏🥰
@ismailmatrix1 1 year ago
How do you automatically get the intercepted request on Burp Suite without having to press Forward multiple times? Usually I turn on FoxyProxy and in Burp I set "Intercept" to "On", and then when I log in the browser hangs because Burp Suite intercepts it, but then I press Forward to make the POST request, get the response, press Forward again, etc.
@ismailmatrix1 1 year ago
I got it now. It automatically tracks requests in Proxy > HTTP History whether you turn Intercept on or not
@DoDo-uw2no 2 years ago
Hey, great walkthrough! I was wondering why you just didn't use the credentials winPEAS gave you to SSH as admin? That's what I did when I first did the box. After looking at the official writeup and your video I am thinking that it might be a mistake from HTB to store credentials like that... since otherwise the privilege escalation seems too simple. What do you think?
@_CryptoCat 2 years ago
Honestly I can't remember it very well now, were you able to just log in as Admin and skip the scheduled task bit at the end?
@DoDo-uw2no 2 years ago
@_CryptoCat Yea haha. At 28:35 you find the password in the video. You could just SSH in as Administrator and finish the box. I guess it was a mistake on HTB's side...? But I'm not sure. Whatever it is, I just was a bit sad that I didn't have to do the "real" exploit when I read their write-up and found out I finished on "easy mode". Just wanted to ask if there is a reason you didn't try. I thought you wanted to show the more "elegant" way to privesc instead of the bonobo way of just copy paste xDD
@_CryptoCat 2 years ago
@DoDo-uw2no Haha yeh I'm guessing that was a mistake 😂 Nicely done though.. work smart, not hard 😉
@kazhiroma9736 1 year ago
I might have to snatch that masscan and nmap alias, that's quite creative. Correct me if I'm wrong but essentially you are using masscan to scan all ports since it is faster, then feeding the open ports to nmap so nmap only has to scan ports that are open
@_CryptoCat 1 year ago
Exactly! NMap is so slow with UDP, and rustscan doesn't do UDP at all, so I use masscan to scan them all quickly. However, I have had plenty of occasions where masscan missed ports that were detected on a regular NMap scan, probably due to the speed. The script is here btw if you want to use it: github.com/Crypto-Cat/CTF/blob/main/pentesting/gen_nmap.py
@kazhiroma9736 1 year ago
@_CryptoCat Appreciate the reply and the link man. Have you tried messing around with the timing on nmap at all, like T5 for example? How would you say masscan compares in terms of accuracy/speed? Really appreciate it btw.
@_CryptoCat 1 year ago
@kazhiroma9736 Yeh, tbh you can get pretty good results with NMap on higher speed settings. You'll get better with rustscan, but only for TCP. I've just got a long habit of using the masscan + NMap script so I stick with it, most of the time. I also like Tiberius's autorecon project, it can be nice to kick that off when a new HTB machine comes out, then focus on manual enumeration while it's running in the background ☺
@Darkres700 1 year ago
How did you get the last shell? It keeps me rewriting the job.bat file and I haven't been able to get a shell
@_CryptoCat 1 year ago
Been a while since I did this so I'd advise just double checking the video steps and/or official PDF walkthrough. Probably some small thing somewhere 😆
@net_setup 1 year ago
Hello, I was stuck on this box for the last few days because I could not get the shell to connect after I did the echo to change the job.bat file. It would not connect for me at all. So I uploaded the winPEASx64.exe... I ran that and was able to see the Administrator password... so I tried logging in using SSH and was able to get to the root.txt file. Hope that helps anyone if they are stuck.
@oliverludwig6148 1 year ago
I often speed up educational videos to maintain focus. This time I'm slowing it down, so I don't have to micromanage time, and can actually follow what's going on.
@_CryptoCat 1 year ago
Great! Hope it helps 😊
@reu3437 1 year ago
On the last part, when I use ps while in PowerShell, I don't see wevtutil running. Is this normal?
@_CryptoCat 1 year ago
Hey, it's been a while since I did this box. I would suggest double checking the official PDF writeup if the steps in the video aren't matching up.
@thomashedrick8446 4 months ago
Had trouble sending the XML payload in the POST request. It would not display the file contents; I've tried so many times.
@thomashedrick8446 4 months ago
I spent hours trying to get the payload to work, I feel stupid.
@_CryptoCat 4 months ago
Did you get it working? If you're using Burp Repeater, make sure the Content-Type header is correct (for XML) and that you have a newline at the bottom of the request. If you are still having issues, timestamp the video where you're stuck and let me know what the response is, e.g. 200 OK? Any error messages?
@thomashedrick8446 4 months ago
@_CryptoCat I did indeed get it working. I feel bad for using the walkthrough but I will say that is a tough box for being rated as "Very easy". I am still stuck on the box; I'm trying to get a reverse shell now. It called back to my attacker machine but it wasn't an elevated shell.
@_CryptoCat 4 months ago
@thomashedrick8446 Don't feel bad mate! It's always best to spend some time on a challenge before referring to the walkthrough, but eventually it becomes counter-productive if you aren't making progress. Then you are best off checking the solution and learning from it for the future. How much time you should spend before checking a hint/solution will differ from person to person, but instantly checking walkthroughs or refusing to ever check walkthroughs are both bad approaches 😉
@MarcelN1980 1 year ago
Perfect! Just one observation: since you've already got a password when running linpeas (the Autologon credentials for Administrator), why didn't you just use that?
@_CryptoCat 1 year ago
Thanks! It's been a while.. didn't I try it in the video? 😅 If not, I'm pretty sure I tried it in my first run through the box (before recording) and it was incorrect.
@axelvirtus2514 2 years ago
Can't do reverse shell, wevtutil not running and not in the tasks
@_CryptoCat 2 years ago
Don't think I used a reverse shell for this one? Which part of the video are you stuck at?
@axelvirtus2514 2 years ago
@_CryptoCat wevtutil is not running on my system and no connection when I use nc -nvlp port
@_CryptoCat 2 years ago
@axelvirtus2514 Can you give me the timestamp of where you are stuck in the video? I don't remember using a netcat reverse shell on this one, I thought the solution was SSH? I don't have time to review the whole vid, if you can point me to the part you're stuck at it will help.
@axelvirtus2514 2 years ago
@_CryptoCat Thanks, already did this with SSH
@axelvirtus2514 2 years ago
@_CryptoCat Hey Crypto, I need help from you, the ECDSA weakness exercise from PentesterLab. Do you use any social media?
@user-ef7lu1bl1n 1 year ago
I found it interesting that if you access the box directly using the IP address without adding the IP address and domain name to the hosts file, the PHP file is always "index.php" when viewing the source code. I can't understand it.
@user-ef7lu1bl1n 1 year ago
You can try using the IP to access the box and then look at the source code.
@_CryptoCat 1 year ago
It might show index.php in the address bar but you shouldn't be able to see PHP code using "view source"
@user-ef7lu1bl1n 1 year ago
@_CryptoCat I see. Thank you for your answer. But in that case, the source code is different from the video, and Daniel is not in the source code.
@markphillip4811 2 years ago
Do you have a Telegram channel?
@_CryptoCat 2 years ago
Nope!
@DoDo-uw2no 2 years ago
@_CryptoCat What about a Discord server? Any plans for that in the future?
@_CryptoCat 2 years ago
@DoDo-uw2no Also nope! 😂 I can't really keep up with Discord groups as it is, let alone creating my own 😬
@markcuello5 1 year ago
HELP
@_CryptoCat 1 year ago
With?? 🤔