HackTheBox - Traverxec

01:00 - Running nmap against the box, port 80 is running a unique webserver (nostromo)
03:00 - Let's check out the website before we throw any exploits
06:37 - Launching Metasploit, then exploiting Nostromo but sending the exploit through Burp Suite to see what it is doing
10:34 - Code execution worked; for some reason the proxies command didn't work the first time
11:18 - Explaining why the script does a GET request before throwing an exploit (exploit verification)
13:40 - Editing the payload to send a Bash Reverse Shell
15:40 - Running LinPEAS
17:20 - Running LinEnum in Thorough mode
19:22 - Going over LinPEAS Output
22:16 - Going over LinEnum Output
23:00 - Discovering a HTPASSWD Password, then using hashcat to crack it
26:45 - Looking at the HTTP Configuration file to discover public_www directory in home directories
27:30 - Explaining Linux Permissions on Directories and why we can do a ls in /home/david/public_www but not /home/david/
34:50 - SSH into the box as David
35:20 - Discovering David can sudo journalctl
37:10 - Demonstrating that the pipe operator doesn't run as an elevated user when doing sudo
38:00 - Privesc by removing the pipe and then running !bash. Explaining why this works by tracing parent processes to see that journalctl just executes pager, which is symlinked to less
40:50 - Comparing the Directory traversal exploits (MSF and non-MSF) to see a weird bug adding %0d bypassed the /../ whitelist check
49:30 - Downloading the source code to nostromo (patched and unpatched versions) and analyzing the patch to see why %0d worked.
50:27 - Using find and grep to md5sum all the files to figure out what has changed.
53:26 - Using diff to compare two files
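The directory-permission rule from 27:30, as an added example that is not part of the video: it builds a throwaway home directory in a temp dir (the names david and public_www only mirror the box's layout) and probes how the read and execute bits on a directory separately gate listing and traversal.

```shell
#!/bin/sh
# Added example (not from the video). On a directory, the read bit lets you
# list the names inside it and the execute bit lets you pass through it to a
# child whose name you already know. That is why a 711 home directory
# (drwx--x--x) stops other users from running ls on /home/david while still
# letting them reach /home/david/public_www, whose name is known from the
# web server config. Since this script owns the directory it creates, it
# toggles the owner bits to show the same effect. Root bypasses these checks,
# so the function reports "root" instead of probing when run as uid 0.

probe() {
    # $1 = directory under test. Prints "list=<ok|denied> traverse=<ok|denied>".
    if ls "$1" >/dev/null 2>&1; then l=ok; else l=denied; fi
    if cat "$1/public_www/index.html" >/dev/null 2>&1; then t=ok; else t=denied; fi
    printf 'list=%s traverse=%s\n' "$l" "$t"
}

dir_perms_demo() {
    [ "$(id -u)" -eq 0 ] && { echo root; return 0; }
    base=$(mktemp -d)                       # constructed, throwaway tree
    mkdir -p "$base/david/public_www"
    echo '<h1>hi</h1>' > "$base/david/public_www/index.html"

    chmod 111 "$base/david"                 # --x--x--x: traverse only
    xonly=$(probe "$base/david")            # list=denied traverse=ok
    chmod 444 "$base/david"                 # r--r--r--: list only
    ronly=$(probe "$base/david")            # list=ok traverse=denied

    chmod 755 "$base/david"                 # restore so cleanup works
    rm -rf "$base"
    printf '%s;%s\n' "$xonly" "$ronly"
}

dir_perms_demo
```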
Comments

Ippsec, thanks so much for the content you keep releasing. I started pentesting about 6 months ago as a complete beginner; I watched how you tackled each box and right now I've done about 9 boxes that are active in Hack The Box.

Thanks sir, you always motivate beginner pentesters like me.

ianmusyoka

Thanks so much for adding awesome additional content when there's an easy box like this.

brettnieman

38:08 When I removed the pipe after the sudo command the journalctl would not go into Less, but just finish. A lot of people had that. The trick was to make the terminal smaller than 5 lines, then it would stay in Less. What could it be that Ippsec didn't have to do this?

lennartluthi

Using find, grep & md5sum at 50:27 was interesting, but for me a much simpler approach would be `diff -r 196-src-dir 197-src-dir`
Love your videos. Amazing work. So much great content.

marky
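The hash-then-diff comparison from 50:27 and the `diff -r` suggestion in the comment above, as an added example that is not part of the video: two small constructed source trees stand in for the unpatched and patched nostromo sources (their contents are made up and do not reproduce the real patch); changed_files hashes every file on both sides and reports what was added, removed or changed, and diff -u is then run only on the changed files.

```shell
#!/bin/sh
# Added example (not from the video). Hash every file in two source trees,
# then diff only the files whose hashes differ. The trees built in
# demo_changed are constructed stand-ins; nothing here is real nostromo code.

hash_tree() {
    # Print "relative-path md5" for every regular file under $1, sorted by path.
    # (Paths containing whitespace would need find -print0; kept simple here.)
    ( cd "$1" && find . -type f -exec md5sum {} + ) | awk '{ print $2, $1 }' | sort
}

changed_files() {
    # $1 = old tree, $2 = new tree (old tree must not be empty). Prints one
    # line per difference: "added <path>", "removed <path>" or "changed <path>".
    t=$(mktemp -d)
    hash_tree "$1" > "$t/old"
    hash_tree "$2" > "$t/new"
    awk 'NR == FNR { old[$1] = $2; next }          # first file: remember old hashes
         !($1 in old) { print "added", $1 }
         ($1 in old) && old[$1] != $2 { print "changed", $1 }
         { delete old[$1] }                         # whatever is left was removed
         END { for (p in old) print "removed", p }' "$t/old" "$t/new" | sort
    rm -rf "$t"
}

show_diffs() {
    # Run diff -u on every file reported as changed (|| true keeps set -e quiet).
    changed_files "$1" "$2" | awk '$1 == "changed" { print $2 }' |
        while read -r p; do diff -u "$1/$p" "$2/$p" || true; done
}

demo_changed() {
    base=$(mktemp -d)                                # constructed trees
    mkdir -p "$base/old/src" "$base/new/src"
    printf 'int main(void) { return 0; }\n' | tee "$base/old/src/main.c" > "$base/new/src/main.c"
    printf 'int check(void) { return 1; }\n' > "$base/old/src/util.c"
    printf 'int check(void) { return 2; }\n' > "$base/new/src/util.c"   # modified
    printf 'README\n' > "$base/old/README"           # dropped in the new tree
    printf 'int fix(void) { return 0; }\n' > "$base/new/src/fix.c"     # new file
    changed_files "$base/old" "$base/new"            # added/changed/removed report
    show_diffs "$base/old" "$base/new" >/dev/null    # unified diff of util.c
    rm -rf "$base"
}

demo_changed
```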

The last 10 minutes are the gem of the video! Thanks for going through the CVE!

Thmyris

I played with this box a lot to get root (this was my first box) and finally I gave up on it, because I got totally stuck at that journalctl point. Now I understand, thanks for showing and explaining how things work :)

HunSnakestyle

Wait what? Why did you not have to resize your terminal? Mine just exited less straight away, spent some time figuring that bit out...

atomicsp

IppSec should have way more likes and follows.

lloyd-wright

Vim supports `-` to read from stdin, so `diff a b | vim -` would have done what you wanted at 53:53
Love your vids!

noway

Thanks bro. Your videos are very helpful for me. Even more than you could imagine.

aminhatami

I guess there is a Python script too for the nostromo exploit

priyanshukumarpu

@ippsec Question: the manpage of nc says the following: -l, It is an error to use this option in conjunction with the -p, -s, or -z options.
Same goes for:
-p source_port
Specifies the source port nc should use, subject to privilege restrictions and availability. It is an error to use this option in conjunction with the -l option.

Was just wondering why you use nc with -lvnp, which I am doing as well since watching your videos. Thanks!

redpanda

just subscribed! I'm new to the game! thank you for the tutorials!

brianpmcg

On some machines, "sudo -l" requires entering the password but for some of them, this is not true. Why?

temirzhanyussupov

I need your advice. I am interested in this, but what you are using is Kali.
It was fine for me till the last update; when I installed it on my Mac the wifi is not working, I tried a couple of methods and nothing worked.

The question here: can I use Ubuntu for what you are showing in your video?
Is there a big difference if I use the tools on Ubuntu, or do you recommend Arch because Kali is not working?

AlMontasar

This all makes so much sense and I love you

archersterling

this is good. 💗🧜‍♀️🧚‍♀️ Never get enough.

Ms.Robot.

My gobuster tool doesn't have the -u option. It gives me an error. What can I do?

ePrfssr

Where can I get the handy `kracken` image you're using for cracking passwords?

i_sometimes_leave_comments

OMG! Can anybody tell me why this happens?
When I run "/usr/bin/sudo /usr/bin/journalctl -n5 -unostromo.service" in a full-screen terminal it gives me an error (which is that it just "cat"s it and doesn't run it in "less")... But when I use a small terminal window and run the exact same command, it runs in "less" and I get to root. Why is this weird stuff happening?

evildead