HackTheBox - Kotarak

  • Published on 27 Sep 2024
  • For the unintentional method, I'm just downloading a file versus doing it live on the box because I wanted to save doing it live for another video.
    A really good SSRF Presentation: • #HITBGSEC 2017 SG Conf...
    01:38 - Start of nmap
    03:40 - Accessing port 60000
    06:20 - Manually enumerating ports on localhost via SSRF
    07:00 - Using wfuzz to portscan localhost via SSRF
    10:00 - Tomcat creds exposed & Uploading tomcat reverse shell
    13:40 - Return of shell
    14:20 - Extracting NTDS + SYSTEM Hive
    20:20 - Using HashKiller to crack the hashes
    21:30 - Escalating to Atanas & Identifying wget vulnerability
    27:10 - Starting exploit
    33:22 - Exploit failed, light debugging
    35:40 - Issue found, not listening all interfaces
    39:35 - Root shell returned.
    40:10 - Unintentional Root Method (Edited Footage, IP Change)

Comments • 54

  • @hellsingx1 4 years ago +1

    I learn a lot with your videos. Nice job

  • @Retr0Kid 6 years ago +2

    I recommend for the next box either Minion or Tally. Also thanks for the video, it helps me better understand how CTFs work, which I'm finding very fun to do and less frustrating now.

    • @ippsec 6 years ago +1

      Only do retired machines, which is based upon difficulty/release date. The ones you mentioned are close to retiring but won't be next.

    • @m10xde 6 years ago

      Is there a way to know which machine will be retired next, before the announcement of when a new machine will come?

    • @Retr0Kid 6 years ago

      m10x.de ya, if you click on the machine it should say how old it is. I can't remember how long until it's retired, but the one on top of the list gets close to being retired.

    • @ippsec 6 years ago +1

      @m10x.de nope. The announcement of the new page is when the retired machine is set in stone. My "early information" isn't always correct; that's why I accidentally recorded Kotarak 2 weeks ago and it was briefly posted before Node.

    • @Retr0Kid 6 years ago

      IppSec ah thanks dude

  • @SuperDanut 4 years ago +1

    Great stuff! Thank you, Sir!

  • @mattlebutter9162 4 years ago +5

    Well, if that's representative of the OSCP exam's machines, this is going to be tough.

    • @wardy540 3 years ago +2

      It's not.

    • @brandonevans5123 2 years ago

      I have been thinking the same thing... Did you ever sit for the OSCP?

  • @ShabazDraee 4 years ago +2

    When trying to parse the NTDS using Impacket, for me it gets stuck at the target system bootkey and doesn't finish it off....

  • @striple765 5 years ago +2

    tbh this was a nice and hard box
    not what you are thinking :3

  • @othellomoro9658 6 years ago +3

    tmux in tmux... we need to go deeper! How about a Fibonacci spiral made of panes? ;)
    Good vid btw!

  • @hozaifaowaisi1250 6 years ago +3

    Is your name ippSec because you wanted to make IPsec more secure by adding one more p (Protection)?

    • @ippsec 6 years ago +7

      Nope. Ipp's just a name I use online, but it's hard to register due to 3 characters either being registered or not allowed.

  • @spaffhazz 3 years ago

    After getting and upgrading the shell, is anyone experiencing the shell freezing or being slow to respond?

  • @sakyb7 6 years ago

    Awesome one

  • @salluc1712 3 years ago

    You are so smart.

  • @goebbelsx 6 years ago

    I think the best way to do a full port range scan is to use the masscan tool, isn't it? I just wonder. You always use nmap for full port scans. masscan is much faster. Correct me if I'm wrong, I'm just a regular guy :D

    • @ippsec 6 years ago +1

      Masscan can cause some issues in a VM and saturate network links. I generally use it if I'm looking for a particular service across a large network. However, for a port scan I prefer to do nmap, which has retries and such built in to help ensure accuracy. For single hosts, I'd prefer to wait the few minutes and have an accurate scan.

  • @somerandomwithacat750 1 year ago

    You mentioned log poisoning when you get a callback from the server early on. You were running a Python web server and mentioned that you didn't see a user agent, so you deduced that log poisoning wasn't the solution. The Python web server doesn't show user agents, iirc. Netcat does. If you want to test for user agents or to get more info when a server calls back, you should run both netcat and Python.

  • @DavidThomsenPhD 6 years ago

    What's that addon/extension for Firefox you use for the proxy?

  • @aiden287 6 years ago +2

    I feel like I saw this video just the other day... Briefly ;)

  • @roninjanjira9687 6 years ago +1

    I have a problem running Impacket.... It keeps telling me I need 4 arguments no matter how many arguments I put.

  • @aaryanbhagat4852 2 years ago

    I would like to know your understanding: if I had done an all-port scan using nmap, I would not have thought of doing an all-port scan again using SSRF. What makes you think "I should enumerate ports again using SSRF"?

  • @km0x905 6 years ago +1

    👏👏👏

  • @THOTHO-ie5lz 5 years ago

    Does SimpleHTTPServer tell you the user agent info? th-cam.com/video/38e-sxPWiuY/w-d-xo.html
    I tried using my Firefox to browse it, but it always returns '- -' without user agent info.
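
The question above, and the earlier comment that the Python web server omits the user agent, both come down to the default request logger, which prints only the request line, status code and a "-" placeholder. Below is an added example, not code from the video or its author, of a small Python listener that records the User-Agent of each callback; the handler and helper names are my own.

```python
# Added example (not from the video or its author): a minimal HTTP callback
# listener that records the User-Agent header, which the default log line of
# python -m http.server ("GET / HTTP/1.1" 200 -) leaves out.
import threading
from http.server import BaseHTTPRequestHandler, HTTPServer
from urllib.request import Request, ProxyHandler, build_opener

# Every request the listener receives is appended here as a dict.
CALLBACKS = []


class CallbackHandler(BaseHTTPRequestHandler):
    """Answers any GET with an empty 200 and records who called and how."""

    def do_GET(self):
        CALLBACKS.append({
            "client": self.client_address[0],
            "path": self.path,
            "user_agent": self.headers.get("User-Agent", "-"),
        })
        self.send_response(200)
        self.send_header("Content-Length", "0")
        self.end_headers()

    def log_message(self, fmt, *args):
        # Replace the default log line with one that includes the User-Agent.
        ua = self.headers.get("User-Agent", "-")
        print(f'{self.client_address[0]} "{self.requestline}" UA={ua}')


def start_listener(host="127.0.0.1", port=0):
    """Start the listener in a daemon thread; port 0 lets the OS pick a free port."""
    server = HTTPServer((host, port), CallbackHandler)
    threading.Thread(target=server.serve_forever, daemon=True).start()
    return server


def probe(server, path="/x", user_agent="constructed-test-client/1.0"):
    """Send one GET to the listener (a constructed callback) and return what it logged."""
    host, port = server.server_address[:2]
    opener = build_opener(ProxyHandler({}))  # ignore any proxy env vars for localhost
    req = Request(f"http://{host}:{port}{path}", headers={"User-Agent": user_agent})
    with opener.open(req) as resp:
        resp.read()
    return CALLBACKS[-1]


if __name__ == "__main__":
    srv = start_listener()
    print(probe(srv))  # prints the recorded client, path and User-Agent
    srv.shutdown()
```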

  • @celticfans1 8 months ago

    Is nc on the box? You literally just used it to send the files over :)

    • @ippsec 8 months ago

      I'd guess regular nc, not the one with a -e flag. Comes with tcpdump, I believe.

    • @celticfans1 8 months ago

      18:29 all you check is nc, right?

  • @gilfer88 4 years ago +1

    Is "authbind" something that is commonly installed on tomcat servers? How would one know if authbind is installed?

    • @CAlex-yk5bg 4 years ago

      What Linux command tells you which version of a program you are running?
      More importantly, think about, as an administrator, when you might want to give users the ability to open ports but don't want to give that user full admin rights. A web server might be a common version of that.

    • @wutangdaug 4 years ago

      @@CAlex-yk5bg I am having exactly the same question. Now I thank you for pointing it out; I need a different view to think as an admin, that is a really awesome perspective to help me with hacking. Thank you so much.
      BTW, what do you mean by your first sentence? Are you suggesting I should've checked the Tomcat version where I can get a hint for authbind?

    • @shankaranarayana4825 4 years ago

      @@wutangdaug He is saying run "authbind --version" to answer "How would one know if authbind is installed?". Looks like authbind is a common program. It might've shown up if you ran LinEnum.sh or something.

    • @shankaranarayana4825 4 years ago

      But --version does not seem to print out the version of authbind. "man authbind" shows the manpage, but there is no command to print its version. Anyhow, the point was to find out if it exists on the system, and just running the command "authbind" confirms that it is installed.

  • @gilfer88 4 years ago

    Also, I'm having a hard time understanding setting the listening IP to 0.0.0.0. Why is this viable for the exploit to work?

    • @ippsec 4 years ago

      It would help if you linked to the time. My best guess is the IP address was set to the IP of eth0; however, HackTheBox utilizes tun0. Setting it to 0.0.0.0 just says all interfaces.

  • @waterlord6969 2 years ago

    There was an AJP service listed on port 8009. This might indicate that the website might be vulnerable to Ghostcat, basically LFI. Can be exploited to get Tomcat passwords.

    • @brandonevans5123 2 years ago

      I don't think this actually works in the box -- yes it is vulnerable to Ghostcat but the only file that should be able to be leaked is /WEB-INF/web.xml. Everything else is restricted.

  • @Honker1337 5 years ago

    There's a video of yours that has a bit where you're running an audio analysis on a file for steganography. I am trying to find it, as I cannot remember the name of the tool you used for that.

  • @abhishekchaudhari970 6 years ago

    Thanks again for the new video.
    Every video of yours teaches me something new.
    Keep it up..👍👍

  • @yashkumar2716 6 years ago +2

    How can I contact you?