HackTheBox - TwoMillion
00:00 - Intro
00:18 - Start of nmap, scanning all ports with min-rate
02:35 - Browsing to the web page and taking a trip down memory lane with the HackTheBox v1 page
04:00 - Attempting to enumerate usernames
05:10 - Solving the HackTheBox Invite Code Challenge
05:50 - Sending the code to JS-Beautify
06:45 - Sending a curl request to /api/v1/invite/how/to/generate to see how to generate an invite code
10:40 - Creating an account and logging into the platform then identifying what we can do
16:50 - Discovering hitting /api/v1/ provides a list of API Routes, going over them and identifying any dangerous ones
17:50 - Attempting a mass assignment vulnerability upon logging in now that we know there is an is_admin flag
22:30 - Playing with the /api/v1/admin/settings/update route and discovering we can hit this as our user and change our role to admin
24:30 - Now that we are admin, playing with /api/v1/admin/vpn/generate and finding a command injection vulnerability
26:15 - Got a shell on the box, finding a password in an environment variable and attempting to crack the user passwords
30:00 - Re-using the database password to login as admin, discovering mail that hints at using a kernel privesc
32:00 - Searching for the OverlayFS Kernel Exploit
35:00 - Finding a proof of concept for CVE-2023-0386, seems sketchy but GCC is on the HTB Machine so i don't feel bad about running it
37:27 - Running the exploit and getting Root, finding an extra challenge thank_you.json, which is can be done pretty much in CyberChef
42:20 - Looking deeper at the invite code challenge to see if it was vulnerable to Type Juggling (it was back in the day but not anymore)
43:30 - Testing for command injection with a poisoned username
47:20 - Didn't work, looking at the source code and discovering it had sanitized usernames on the non-admin function
Пікірлер: 68
I really don't understand how this machine is considered "Easy", and i'm terrified what will the "Medium" ones be...
@waybetter4462
3 ай бұрын
Welcome to the Hackthebox community!❤😅
The invite code thing is like looking at something you wrote when you were in high school. You remember that it really broke your brain when you did it initially, but all the experience you have gotten since then has made it beyond trivial.
I’m glad you said you had trouble solving the invite code back in the day because so did I lol
I am not the only one who had to lookup the invite code! Great box, brings back memories for sure
This was one of the best videos you made. I love seeing your methodology and problem-solving techniques in the face of the unknown, it gives me the strength to keep learning. Do more like this, please!
Do you go through the boxes before filming or are you just naturally talented? :) great video as always
this is a different level of amazing watching, after solving this - still learned a lot
Congrats on 200K
Great work - waiting for the next one
An ippsec vid on a Wednesday? This feels like when GoT episodes gets leaked 😂
Nicely done, thank you 👍
I love everything about this and can't wait for you to complete the cliffhanger!
@ippsec
Жыл бұрын
It will be slightly longer than I expected, it's a lot more complicated than I expected. But I'll certainly put something out there soon as I can. You can see I created an issue on Linux Exploit Suggestors repo :)
Hey Ippsec, I have a question regarding the regex in remove_special_characters. I have seen this regex used in many web applications, some as apart of ID sanitisation in dynamic queries. I got them impression from your video that it'd be possible to bypass this regex. Would it be possible to comment on it further? It might even be a good separate video. Thanks
Which computer and software do you use
Any idea where he uploaded the next part of the video "Beyond Root- Adding overlay FS"?
Bravo maestro)))
Wow thank u
Thnx!
so do you use everytime put, if you want to update smth?
Do you prefer ferobuster or gobuster?
I really missed "We have alreadyyyy rannnn itt "
I saw this machine getting released on HTB, now it's no longer present. Is it only for you to show us your approach to solving machine or?
@huntit4578
Жыл бұрын
Its Retired
@huntit4578
Жыл бұрын
You can still access it
Hey man do you know why i cant i get "Server Not Found" when i try to load up the site on that machine?
This box is so intimidating. If this is considered easy then I'm scared of what's to come
CHEF CRISP WUZ HERE!
Using JS-Beautify 1.15.1 and CyberChef, both seem to fail to de ofuscate the javascript min.js file
@colmcarroll3413
27 күн бұрын
I had the same issue but ChatGPT worked for me
Is it possible that you will solve the soccer box without using sqlmap? I've been really struggling with it, plus I think its a really interesting machine. Regards from Spain :)
@ippsec
Жыл бұрын
Nope I’ll use sqlmap. There are videos where I do Boolean injection without it
@ruthlozanorodriguez207
Жыл бұрын
@@ippsec Okay! Thanks eitherway for all the content you give us ☺
Do you have more videos of solving boxes without previous experience with them?
@ippsec
Жыл бұрын
Some of the Easy ones back in like 2021 probably. There was a time when I did them more blind, but I started reviewing boxes before they went live to players, so its hard to do a true blind play through.
@leakim4975
Жыл бұрын
@@ippsec Ok thanks. Love your content and Im always learning something new from every video! Keep doing your thing!
first time seeing that kracken what is it? a custom machine made by you or a new server to crack hashes?
@ippsec
6 ай бұрын
Its just a box I have on my network.
Push!
I didn't understand why we would need to add the hostname to the hosts file? And how do we get to that conclusion by entering to the website and getting the not found result? (I started HTB a few weeks ago, I'm still a noob, can someone explain me?)
@ippsec
4 ай бұрын
When doing these types of CTF’s there is no DNS Server. Some websites do virtual host routing, which makes DNS important. Editing the host file mimics having a dns server. I don’t remember how this box leaked the hostname but I’m sure if you watch from nmap, it’s probably around there. Normally it’s ssl certificates
@joaobeja2076
4 ай бұрын
It was from nmap! Thanks for the help !!
Oh no, my calendar must be two days off‼️😅
sir i am a free user of hack the box and i cant get the virtual machine in my windows for longer time is there any other option to get virtual machine for free inmy windows to work for the machines in hack the box sir
How do you display your own IP in your terminal prompt? Please let me know
@alexb9771
5 ай бұрын
ip a
how to copy text from tmux & pasting outside tmux ?
@james-wihz
Ай бұрын
for now my discovery is to used shift and select text I want to copy and right click to paste it. Wonder, how do you purely used command :)
Hi!
31:07 interesting..
why do we need a header? and why should the header be a cookie?
@ippsec
11 ай бұрын
Helps if you put a timestamp of where your question is. I don't know exactly what you are asking
@rockedwow7217
11 ай бұрын
@@ippsec sorry about that. the time stamp is 17:17
@tnwhitwell
11 ай бұрын
It’s because it’s an authenticated endpoint - you need the Cookie header for an authenticated session
AAA!
Oops! Go back to the old school :v
Ipp, you should create a box called "Your mom"
ssh kracken command not given output as how in video instead it gives failed to resolve hostname or Service anyone can help me with this
@ippsec
11 ай бұрын
Kracken is a box on my network, you can run hashcat on your computer
mice
Wtf?))
I'd like to understand more how the command injection vulnerability works.
I don't know why this box is rated as "Easy" it's pretty far from it
@dharanisanjaiy
Жыл бұрын
I guess, u r new to HTB platform 😂