Tier 2: Oopsie - HackTheBox Starting Point - Full Walkthrough

Просмотров 21 тыс.

% 312

Learn the basics of Penetration Testing: Video walkthrough for the "Oopsie" machine from tier two of the @HackTheBox "Starting Point" track; "don't forget to contemplate". We'll be exploring the basics of enumeration, service discovery, login bypass/cookie manipulation, insecure file upload, PHP shell, filesystem enumeration, SUID binary exploitation, path vulnerabilities, privilege escalation and more! Write-ups/tutorials aimed at beginners - Hope you enjoy 🙂 #HackTheBox #HTB #CTF #Pentesting #OffSec
Sign up for HackTheBox: hacktheboxltd.sjv.io/xk75Yk
↢Social Media↣
Twitter: _CryptoCat
GitHub: github.com/Crypto-Cat
HackTheBox: app.hackthebox.eu/profile/11897
LinkedIn: www.linkedin.com/in/cryptocat
Reddit: www.reddit.com/user/_CryptoCat23
RU-vid: ru-vid.com
Twitch: www.twitch.tv/cryptocat23
↢HackTheBox↣
affiliate.hackthebox.com/cryptocat-htb
hackthebox_eu
discord.gg/hackthebox
↢Resources↣
Ghidra: ghidra-sre.org/CheatSheet.html
Volatility: github.com/volatilityfoundation/volatility/wiki/Linux
PwnTools: github.com/Gallopsled/pwntools-tutorial
CyberChef: gchq.github.io/CyberChef
DCode: www.dcode.fr/en
HackTricks: book.hacktricks.xyz/pentesting-methodology
CTF Tools: github.com/apsdehal/awesome-ctf
Forensics: cugu.github.io/awesome-forensics
Decompile Code: www.decompiler.com
Run Code: tio.run
Start: 0:00
NMap scan: 0:16
FoxyProxy/BurpSuite: 2:02
Locate login page: 3:16
Try basic login bypasses: 4:55
Guest login: 5:35
Cookie manipulation: 6:40
Upload PHP shell: 7:24
File/Directory fuzzing (gobuster): 9:00
Command execution (revshell): 12:02
Upgrade shell (fully interactive): 14:25
Enumerate filesystem: 15:35
Recover passwords: 16:45
Catch up on question backlog: 17:49
Find bugtracker group: 20:10
Exploit SUID binary: 21:12
Escalate privileges (path vuln): 22:25
Submit user/root flags: 25:14
End: 25:31

Наука

Опубликовано:

13 янв 2022

Ссылка:

Скачать:

Готовим ссылку...

Добавить в:

Мой плейлист

Посмотреть позже

Комментарии : 132

@mih4743 3 дня назад

Don't let the numbers fool you, this content is worth millions of views man. Even 2 years later, you're helping people with this. Thanks for the hard work 🙏

@_CryptoCat 2 дня назад

Thanks mate! Glad it helped and really appreciate the positive feedback 🥰

@DevSecOpsAI 4 месяца назад

thanks god for this video, I went on a rampage, finished the first two tiers within the first day and now I got stuck here for a few hours, got everything done in ~ 15 minutes but couldn't figure out the god damn insecure command *cat* LMAO! you are a life saver man!

@_CryptoCat 4 месяца назад

Ooooft! Glad it helped 🙂

@sarangkottummal5463 2 года назад

I love how you read all the comments and help people with their problems. Kind of new to this domain and your walkthroughs have been very helpful to me. Keep up the good work!

@_CryptoCat 2 года назад

tyty 🙏🥰

@prateekpandey3962 11 месяцев назад

Man you have helped me more than the website whose subscription I've paid for. You are awesome .

@_CryptoCat 10 месяцев назад

Awww thanks mate 💜

@JhinHoTak 19 дней назад

Way more helpful than the actual guided steps provided

@_CryptoCat 18 дней назад

🙏🥰

@user-ib8mz4bn9w 7 месяцев назад

Thank you so much crypto cat, i have learned so much from your walkthroughs, i did this lab like 85% of my own, i struggled with the SUID bit because it was new to me, and that thing you did with replacing the cat binary blew my mind, i put it on my notes!

@_CryptoCat 7 месяцев назад

Great to hear!! Thanks mate 💜

@d1qqn121 2 года назад

very nicely explained. thank you :)

@_CryptoCat 2 года назад

ty 🥰

@ubaidghante8604 2 года назад

thanks, waiting for the next machine👍🏻

@_CryptoCat 2 года назад

🥰🥰🥰

@2WheeledNomad 6 месяцев назад

Love your videos my man!! Really helpful! Keep it up!!!!!

@_CryptoCat 6 месяцев назад

Thanks bro! 👊

@BeefpwnPie Год назад

Thanks for the walkthrough, really helpfull to follow your thought process on how you approach this

@_CryptoCat Год назад

🙏🥰

@gokul6120 2 года назад

Thanks... 👍👍👍👍👍 For I learn many things from you !!

@_CryptoCat 2 года назад

awesome! thank you 🥰

@kylejf9059 2 года назад

Damn. I got all the way to the "what executable is vulnerable" and obviously it was "***" but the answer not elude me??? I couldn't get my vim to work either but I grabbed the second flag nonetheless, I'll return to this one though. Thanks again, I really try not to use these walkthroughs but after X amount of attempts, I've learned that you learn a lot more by not being too stubborn! I was however surprised at how rapidly I made my way through to that point though, so that was encouraging. Again, thanks for these, appreciate them a lot!

@Delijohn Год назад

Amazing work! Thanks

@_CryptoCat Год назад

🙏🥰

@ofpbluefalcon 9 месяцев назад

Ohhhhhh, that's why I couldn't use cat lmao I was like "did I break the box?"

@_CryptoCat 9 месяцев назад

😂

@Leptus87 2 года назад

Anther time I got here 24 k gold. You have very good pentester's workshop! Cheers!

@_CryptoCat 2 года назад

awesome! thanks mate 🥰

@bj76681 2 года назад

well explained :)

@Death_User666 5 месяцев назад

Thanks cryptocat

@_CryptoCat 5 месяцев назад

Very welcome! 🥰

@tomdev6701 2 года назад

Hi and thanks for this tutorial! Great job! What version of Burp are you using? Do you have a download link or procedure? Thanks in advance :)

@_CryptoCat 2 года назад

thanks mate! i'm using burp community version 2022.2.4 at the moment. i just use the one installed via parrot (sudo apt-get install burpsuite) so it's normally a little behind the latest version.

@akatech-ls5dq Год назад

well explained as always , but I've a question if you don't mind : Why cannot we directly add the path /bin/sh as an executable path for the command cat instead of opening a file and writing down the latter path ? many thanks in advance

@_CryptoCat Год назад

You won't have write access to /bin/ in order to overwrite /bin/cat *but* you could set the PATH to /tmp and then do "cp /bin/sh /tmp/cat" 😉

@lyubenpetrov6430 Год назад

Hi! Thank you so much for these videos and for responding to people in the comments asking for help. I wanted to ask you whether you've tried this technique on the machine Photobomb. I believe privilege escalation there should be quite similar. However, I am having some troubles there. I changed the $PATH variable to point to an exectubale of my own, running it spawns a shell indeed but it doesn't have root privileges. If you have done this box by any chance, lemme know. Thanks again for all the education!

@_CryptoCat Год назад

You're right, you can use path injection for photobomb. The way I did it was create a script called "find" in /tmp/ directory containing ""chmod u+s /bin/bash". Then I ran "sudo PATH=/tmp:$PATH /opt/cleanup.sh", followed by "/bin/bash -p" 😉

@junaidjaved4792 2 года назад

I learned alot.......... 💯💯💯💯💯💯💯

@_CryptoCat 2 года назад

great! that's the goal 😊

@Asset_007 Год назад

hey @CryptoCat appreciate your work its amazing do you know anything about nmap as in your scan it took only took 46 secs while my scan took atleast 40 mins on this one while the same on every scan. Its kinda irratating and time consuming do you anything as why its happening?

@_CryptoCat Год назад

Hmmm that is a huge difference! Are you using all the same flags? Could be related to your network connection or VPN connectivity to the HTB server 🤔 You could check out rustscan, which is faster generally but only TCP. Often I use masscan before nmap to scan all tcp/udp ports to find out whats open, before running a detailed nmap scan on those ports.

@Asset_007 Год назад

@@_CryptoCat do you have a mail account so that i text you personally as these problems are taken a lot of my time and its irritating in a long term because it stucks around 65 to 70 percent.

@_CryptoCat Год назад

@@Asset_007 I do have an email account but unfortunately barely have the time to make these videos, beside help people individually. Jump into the HTB discord, there's lots of people in there who will help you if you're stuck (me included, when I have some free time) 😉 discord.gg/hackthebox

@Asset_007 Год назад

@@_CryptoCat ok i'll try but just few minutes of your time may save hundred of my hours in the long term. just text me on my this account if you ever get the chance. thanks!

@Mfcourt Год назад

Can you please explain to me exactly what is happening when you suspend the bash shell into the background stty raw -echo and bring it into the foreground?

@_CryptoCat Год назад

Let me share this awesome video by 0xdf, he explains the workings in great detail: ru-vid.com/video/%D0%B2%D0%B8%D0%B4%D0%B5%D0%BE-DqE6DxqJg8Q.html

@Mfcourt Год назад

@@_CryptoCat thank you so much, that was very informative!

@haydenbruinsma5091 Год назад

When I type export Term=xterm and enter it replaces it with ^W and I can't finish the command :(. I've never been able to upgrade my shell to the one you got.

@_CryptoCat Год назад

I use the "export TERM=xterm" as I'm using the default shell in ParrotOS (xterm). You might be using something different, try "export TERM=linux" instead.

@TheBG077 11 месяцев назад

Great walkthrough! When you click "walkthrough" on the HTB site, it should just link to your videos haha I keep running into this issue though, I can never seem to get a reverse shell to work. At 13:51, you send the request (with the shell code), and it hangs - when I do it, it says Not Found 404. I tried copying from the url and putting it in Burp, I hit CTRL+U like you do, and it still comes back with Not Found 404. What am I doing wrong?? :(

@TheBG077 11 месяцев назад

It turns out, the site somehow forgot that I uploaded the "shell.php" file. Once I re-uploaded it, it worked fine! :D Thank you again for all your walkthroughs and for helping everyone!

@_CryptoCat 10 месяцев назад

Haha I would like that very much! I see you solved your issue, great job 🙂

@aaryanbhagat4852 2 года назад

Liked your explanation but I do not get how after manipulating the cookie, it allowed us to upload files but still recognized as guest and did nit give access to the upload folder?

@_CryptoCat 2 года назад

good questions! i would of expected it to show "logged in as admin" in the top right hand corner as well, maybe this was just a hardcoded interface (always shows guest) 🤔 being admin doesn't give us access to the uploads folder (301) but we can access files in the uploads folder if we know the name; this makes a bit more sense since being an admin user wouldn't neccesarily provide access to all user uploaded files, depending on the context e.g. an Apple employee might have an admin user account for iCloud, but Apple wouldn't (hopefully) want to give all employees the ability to access the all the personal files uploaded by users. hope this answered your question 😊

@aaryanbhagat4852 2 года назад

@@_CryptoCat Yeah, makes sense.

@swagmuffin9000 22 дня назад

Hey, need a bit of help. Stuck at the reverse shell. I uploaded my php script, and got it to connect back to my box. When i run commands, it just gets stuck with no output. Not sure where to start troubleshooting.

@_CryptoCat 22 дня назад

Hmmm do you have the same problem using the official PDF walkthrough? Could try some other PHP shells, www.revshells.com is handy..

@swagmuffin9000 22 дня назад

@@_CryptoCatok, got it. Thank you for the help

@nickplays4292 8 месяцев назад

Yoo, beginner here. Did you go to university in cybersecurity/IT? How did you get all the info’s? Thanks a lot, currently going down this path 😊

@_CryptoCat 8 месяцев назад

Hey! I did an undergrad in computer science which was a good foundation but most of the hacking I did during that time was on CTFs (great way to learn). I did follow that up with a MSc in cybersecurity and a PhD so it was kind of a long process. Don't let that put you off though, there's plenty of high school kids better than me at CTFs these days 🤣

@nintendotyrelle 2 года назад

at this part 15:15 how do you stop the terminal from hanging. From my understanding '-echo' disables it so when I press enter after typing $export TERM-xterm it does nothing. How do i proceed ?

@_CryptoCat 2 года назад

hmmm maybe missing the "fg" command which foregrounds the session that we backgrounded with CTRL+Z? the "fg" doesn't show up when I type it, here's the full sequence: python3 -c 'import pty;pty.spawn("/bin/bash");' CTRL+Z stty raw -echo; fg; export TERM=xterm;clear; another option, which i regularly use these days is from navi: github.com/denisidoro/navi - it has a "stablized fancy beefy gordita crunch shell", which essentially sets up a fully interactive shell for you.. if you don't want to use navi, here's the command they use to create an interactive listener: "stty raw -echo; (echo 'python3 -c "import pty;pty.spawn(\"/bin/bash\")"';echo pty;echo "stty$(stty -a | awk -F ';' '{print $2 $3}' | head -n 1)";echo export PATH=\$PATH:/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin:/usr/games:/tmp;echo export TERM=xterm-256color;echo alias ll='ls -lsaht'; echo clear; echo id;cat) | nc -lvnp 1337 && reset"

@nintendotyrelle 2 года назад

@@_CryptoCat Thanks the commands it worked. Could the problem have been that i use zsh ?

@_CryptoCat 2 года назад

@@nintendotyrelle ermmm possibly, although i don't recall having any issues when i used to use kali (zsh) as main OS 🤔

@tylertbone9 Год назад

@@_CryptoCat navi is the way. Thanks boss

@Vex7eX Год назад

@@_CryptoCat navi is an incredible tool! I also learned to use a lot of tools from your tutorial, thank you!

@mohsinumaya 10 месяцев назад

bro, su command not run. error show "must be run on terminal". kindly tell why

@_CryptoCat 10 месяцев назад

forum.hackthebox.com/t/su-must-be-run-from-a-terminal/1458

@dabbsonly7527 6 месяцев назад

hey CryptoCat, just wanted to say how awesome u r for still helping others after posting this video in a long time, I've been trying to pwn this machine for so many hours, I kept getting problems to deal with, I could've just searched every website and watched every video out there for the answers but I wanted to learn why I had the problems in the first place. And here I am, still haven't pwnd this, just watched how u did this and I wanted to copy u but I made it into a problem, at 15:12, after pressing fg, I typed what u did and pressed enter, and when I press enter, the terminal prints ^M which i don't understand why, can u help me on this??? Thanks

@dabbsonly7527 6 месяцев назад

never mind, I learnt what stty really does and tried to ruin my VM by mixing sane with raw, idk if I can combine the two and then used fg, all I know is at least the enter works but not the backspace. 😬😬

@_CryptoCat 6 месяцев назад

Hey, thanks mate! What OS are you using? Kali uses zsh shell which needs slightly different commands, can check this: zweilosec.github.io/posts/upgrade-linux-shell (about half way down the page is Kali commands)

@user-ef7lu1bl1n Год назад

I'm having trouble with the "export TERM=xterm" action, I can't use the enter key, I'm stuck here.

@user-ef7lu1bl1n Год назад

I noticed that you did not actually type "fg" and press Enter when you performed the "fg" step, what shortcut key did you use.

@_CryptoCat Год назад

I did type "fg" and hit enter, you just can't see it in the terminal. That's the final step that should make the terminal usable.

@bj76681 2 года назад

Hey buddy, I tried the revershell but its not giving any response. I did the same way you mentioned but it's not listening in NC. I don't get any further errors too. any idea how do I solve this issue?

@_CryptoCat 2 года назад

when you say "it's not listening in NC", it doesn't say it's listening, or you don't receive a connection to the listener? double check the previous steps, and PDF walkthrough. if no luck, check the HTB discord or forum for help troubleshooting 😉

@bj76681 2 года назад

@@_CryptoCat I don't receive a connection to the listener. I tested my system with another machine in the same network and the outbound connection is working fine through netcat. I even added the other machine IP to the ufw rule list still. still no luck :( the issue is with system

@bj76681 2 года назад

Hey @CryptoCat , I solved this issue. There was a problem with my Virtual box. I selected the network connected in NAT mode, that was the reason I was not getting nc sessions. I had to stop the firewall too to get the session. Then it worked and I hope this comment would help someone in future.

@_CryptoCat 2 года назад

@@bj76681 What did you change the network mode to? Normally it should be on NAT 🤔 Was it on "NAT Network" instead?

@hozehd8246 2 года назад

@@bj76681 Hello, im having the same type of problem i did all perfect and got cmd, tried other shells and restart kali, but i just dont get the connection, can you explain specific reason?

@gruvas5615 2 года назад

where did you get the shell.php file at 8:17 from? thx

@_CryptoCat 2 года назад

Quite often I'll just use a really simple shell.php containing: Then pass the system command as a get parameter, e.g. victim.oops/?cmd=whoami For reverse shells, this site is great: www.revshells.com 😉

@r0sh4n0 2 года назад

you can find it at kali webshells the moment u access it it will spawn a shell without the extra step of passing a parameter

@_CryptoCat 2 года назад

@@r0sh4n0 Good if you want to try for a remote shell first but normally I would use a simple webshell like specified above first to see if we have command execution, if not it's easier to troubleshoot that than a reverse shell which could of failed for many more reasons.

@r0sh4n0 2 года назад

@@_CryptoCat that's interesting, can you clarify a bit more why simple shell is better

@_CryptoCat 2 года назад

@@r0sh4n0 It's not that it's better really, it's just that many things can go wrong with a reverse shell and starting off simple is a good way to narrow down potential issues. Let's just say I think I've found an LFI vuln and I try to upload a reverse shell but it doesn't work.. I don't know at this stage whether the LFI attack failed OR my reverse shell failed. It might be that the LFI worked but I tried to use a netcat shell and nc is not installed on the system? Maybe netcat is on the system but the firewall blocked the outbound connection? So I could proceed to try different reverse shells; a python one, a bash one etc. Then I move on to try different ports, in case a firewall is blocking.. I spend a lot of time troubleshooting why my reverse shell is not working only to eventually find out the reverse shell is not the issue; the LFI vuln is not exploitable. If I would of started off with a simple webshell, it would of either: a) worked, so I proceed to try a reverse shell b) not worked, so I know not to waste time troubleshooting the various possible reverse shell issues

@hozehd8246 2 года назад

o, im having problem on the connection, i did all perfect and got cmd, tried other shells and restart kali, but i just dont get the connection, can you explain specific reason? someone talket about nat? something to do with the HTB VPN?

@_CryptoCat 2 года назад

It's a little hard to troubleshoot over YT, I recommend checking the discord group, you'll find a lot of helpful people there 😊 discord.gg/hackthebox

@hozehd8246 2 года назад

@@_CryptoCat i asked there after i asked this, but got no help

@_CryptoCat 2 года назад

@@hozehd8246 OK if you want to DM me screenshots on Twitter, with as much details about the issue and what you've tried so far.. I'll try to help!

@hozehd8246 2 года назад

@@_CryptoCat i dont know if i was the one messing up or something but i had to put the reverse shell to connect to the HTB VPN , and not me, kind of weird but thanks anyways. Btw should i start doing HTB "Starting Point" Tutorials on YT?

@_CryptoCat 2 года назад

@@hozehd8246 When you connect to the HTB VPN, you are being given your own IP address on the network, so that is the correct address for your reverse shell 😉 I recommend trying to work through starting point on your own, then if you get stuck for too long, check walkthroughs. If you finish the boxes without getting stuck, it's still work checking walkthroughs (videos or the official PDF) because you might see some different techniques 😀

@Sun_Q Год назад

Why can ../root.txt be used in bugtracker? Is this a bug or a loophole?

@_CryptoCat Год назад

This is the bug! bugtracker is running as root calling "cat" on /root/reports, so if we provide "../root.txt", it's executing "cat /root/reports/../root.txt" which is the same as "cat /root/root.txt". Since it's running as root, it has full permissions to do that 😎

@Sun_Q Год назад

@@_CryptoCat Thanks for the answer, your video is very helpful for me.😊

@_CryptoCat Год назад

@@Sun_Q 🙏🥰

@social-engineer7437 Год назад

how you even know how to do with that bugtracker? i stuck in that process for like an hour.

@_CryptoCat Год назад

You'll see those SUID vulns come up *a lot* in pentesting and CTFs so the path to exploit is similar. In terms of finding the vuln, you can either use the "find -perm" command or use a script like linpeas.sh or LinEnum.sh to flag potential vulns like this.

@social-engineer7437 Год назад

@@_CryptoCat but how do you know the path is ../root.txt? I mean I have no clue you can do that , and Dunno why it will work.

@_CryptoCat Год назад

@@social-engineer7437 Can you timestamp me bit you mean? HTB machines should have a user.txt flag in the user's home directory, then a root.txt flag in root directory.

@social-engineer7437 Год назад

@@_CryptoCat at 21:22 ../root.txt just came out of nowhere haha, do you mean it's a htb rule that root.txt flag will always be placed in specific directory? but i also wonder why bugtracker will accept os command as well.btw thanks for you help man.

@_CryptoCat Год назад

Yep, exactly! In Linux boxes, the root flag should always be located /root/root.txt. In Windows it's C:\Users\Administrator\Desktop oot.txt. In this case you can see around 21:16 that when ran the bugtracker binary, it tried to run "cat /root/reports/123" so if we'd provided the filename as "root.txt" it would tried to run "cat /root/reports/root.txt" so if we add the directory traversal, supplying filename as "../root.txt" it will try to run "cat /root/reports/../root.txt" AKA "cat /root/root.txt" 😎

@ihatemaths7220 2 года назад

Yo🖐️

@_CryptoCat 2 года назад

yoyo 👋

@AJ_23510 4 месяца назад

Everything worked for me till the end, and then for some reason cat user.txt would not work. I typed it in and hit enter and nothing was showing... Why does this issue occure?

@_CryptoCat 4 месяца назад

user.txt file didn't exist? Could try to search filesystem in case it moved, or restart the box :/

@DubThaDetailer 10 месяцев назад

The /cdn-cgi/login URL doesn't appear for me in Burp. Why is that?

@_CryptoCat 10 месяцев назад

Hmmm you could check the scope settings and filters set in the HTTP history tab. Maybe try to turn intercept on as well and make the request (in case something is getting lost in HTTP history).