HackTheBox - Perfection

Показать описание

00:00 - Introduction
00:50 - Start of nmap
02:50 - Discovering the Weighted Grade Calculator which we will exploit
04:50 - Using FFUF to enumerate all bad characters and discovering we can't send any symbols
07:10 - Quick bash one liner with JQ to URL Encode each line of our wordlist
09:30 - Discovering a New Line character breaks the search for Bad Characters, then getting a shell on the box
14:40 - Shell returned, looking at the source code and seeing the "Bad Character" filter was really a regex whitelist
18:50 - Discovering mail that says the password format in the database
21:50 - Using hashcat Bruteforce mode to crack the password

IppSec

Рекомендации по теме

Комментарии

22:50 take a look at the "Using 'p' (Nth instance of a character) with positional rules" section on the Hashcat wiki page you were on (closer to the bottom of the page)

echo ippsec | hashcat --stdout -j '$_ f /_ Dp $_'

$_ = append character _ to end
f = duplicate word reversed
/_ = memorize position of first instance of _
Dp = delete character at position p
$_ = append character _ to end (again)

output is ‘ippsec_cesppi_’

ricefarmxr

I learned pen-testing largely from these videos. Three years ago, I got my first pentesting job and somehow promptly forgot all about IppSec. Until today. It's such a great feeling, to know that all my studies paid off. I can finally understand the full content of these videos! Yipee!!

otgwt

I didn't know you could brute force with hashcat like that. I always learn something new!!

NatteeSetobol

Babe, wake up, new IppSec video dropped

AUBCodeII

❤🎉 another sweet drop from the Wizard of the Matrix.

Ms.Robot.

Thanks, as always your explanations are gold!

juandelpuerto

ippsec you’re one of my heroes but the way you pronounce ubuntu kills me lmao

bread_girl_jane

Hey ippsec. Thanks for amazing content as always. I was just curious y do you use separate machine for cracking ? Can you share specs of your "kracken" machine. Looking to build one

muhammadather

Hey Ippsec i have a question that i guess is unrelated to this particular video but i know your the man to ask.. so i'm trying to figure out why if i type echo "password" | md5sum the output or string is totally different to the string i would get on say md5 hash generator online? Maybe i am being stupid but i guess i won't know if i don't ask.

Martin-Pentest

Aside from HTB and TryHackMe, what tools should I be playing around with on my computer in order to break into Cyber? I have a few ideas: Kali Linux, Linux GUI, Windows command prompt. What else should I download?

kingzedge

makes it look so easy. This box would take me 5h to crack probably.

kvdp

I assume hashcat checks file each iteration instead of remembering it's content

shxpr

Really great content, i just wanna ask if you could do more mobile app hacking

ManuGram

ffuf supports OS commands to encode input

seMcln

Hard to tell he ever had a speech impediment now

jhncnnr-sec

hey my burpsuite browser can't connect to the website

raphaelriera-vb

can you make video about how can you have option to which search engines do waan search for it or give me name of softwer so i can to. if anyone know in chat will you help me into this 3>.

_Mann_Kasodariya

Hey Ippsec, yesterday I got a new VIP sub for HackTheBox for a year. Haven't done any of the Sherlocks earlier until today. I really liked the LockPick3 Sherlock! Have you done that one yourself already ?

boogieman

HackTheBox - Perfection