HackTheBox - Mentor

  • Published 29 Jun 2024
  • 00:00 - Intro
    01:00 - Start of Nmap
    03:30 - Enumerating for virtual hosts with ffuf to find the api.mentorquotes.htb page
    05:30 - Talking about FastAPI; attempting to use the endpoints, but authentication is required. Creating an account
    07:00 - Logging into the endpoint and discovering how to send authentication to the endpoints. Don't really gain anything
    10:40 - Using ffuf to search for extra endpoints and discovering /admin/, but we can't do anything with it yet
    14:00 - Running Nmap again with UDP to discover SNMP
    17:10 - EDIT: Showing the --min-rate option with Nmap to scan UDP much quicker
    18:30 - Using snmpwalk
    19:40 - Using snmp-brute to bruteforce other community strings
    20:45 - EDIT: Showing Hydra and onesixtyone fail to enumerate the second community string
    23:05 - Using snmpbulkwalk to dump the SNMP database, showing how much faster it is than snmpwalk
    25:00 - SNMP shows running processes and their arguments; a password was passed to a process as a command-line argument, so we can read it and log in as James on FastAPI
    28:15 - Accessing the admin endpoint and figuring out what parameters it expects via error messages
    30:50 - Discovering command injection in the backup endpoint
    35:19 - Shell returned!
    37:30 - Editing the user endpoint in FastAPI to dump password hashes. Talking about Pydantic
    40:45 - EDIT: Showing how we could background our reverse shell with nohup so we don't hang the webserver
    47:15 - Cracking the hashes, getting svc's password and then logging into the server via SSH
    53:00 - Doing some light forensics, looking for files edited on the box shortly after Linux was installed
    56:45 - Finding a password in the snmpd configuration which gets us root
    01:01:10 - Editing LinPEAS to add an extra regex to pull passwords out of the snmpd configuration
    01:04:30 - Rebuilding the LinPEAS shell script and then running LinPEAS to discover we now detect the password in the snmpd configuration
    01:06:40 - Forwarding PostgreSQL to our server with chisel so we can dump the database
    01:12:20 - Enumerating PostgreSQL manually to dump users, then showing how to run code on PostgreSQL servers
    01:16:30 - Setting up the FastAPI environment on our local box, copying files from the Docker container
    01:18:30 - Doing some light edits on the FastAPI code so we can run it within an IDE and set breakpoints
    01:24:14 - Start of adding auth to the /user/ endpoint
    01:30:15 - Fixing our /auth/login endpoint to accept our new login request
    01:37:20 - Getting the browser to accept our bearer token
    01:45:30 - Fixing up the /user/ endpoint to work with our bearer token
    01:50:20 - Getting the user decorator to return the User object, which makes it easy for our code to identify our group
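The 30:50 chapter above is the command injection in the backup endpoint. The following is an added example, not code from the Mentor box or from the video: it shows the injectable pattern (a request parameter interpolated into a shell string) next to a hardened version that validates the path and invokes tar with an argv list. The endpoint shape, the archive path and the allowlist are assumptions, not taken from the box.

```python
"""Added example (not the Mentor box's code): an injectable backup command
beside a hardened version. The archive path and allowlist are assumed."""
import re
import shlex
import subprocess
from typing import List

# Assumed: where the hypothetical backup endpoint writes its archive.
ARCHIVE = "/tmp/backup.tar.gz"


def vulnerable_backup_command(path: str) -> str:
    """The injectable pattern: the request parameter lands verbatim in a
    shell string that the endpoint later runs with shell=True, so a value
    such as 'quotes.json; id' executes 'id'."""
    return f"tar -czf {ARCHIVE} {path}"


# Allowlist for a relative path: letters, digits, '_', '.', '/', '-' only,
# so no quote, ';', '`', '$', '|' or whitespace can ever reach a shell.
_SAFE_PATH = re.compile(r"[A-Za-z0-9_][A-Za-z0-9_./-]*")


def validate_backup_path(path: str) -> str:
    """Return the path if it is safe to pass to tar, else raise ValueError."""
    if not _SAFE_PATH.fullmatch(path):
        raise ValueError("path contains disallowed characters")
    parts = path.split("/")
    if path.startswith("/") or ".." in parts:
        raise ValueError("path must be relative and must not escape the root")
    # A component beginning with '-' would be parsed by tar as an option
    # (e.g. --checkpoint-action), which is argument injection even without
    # a shell, so reject it outright as well as using '--' below.
    if any(part.startswith("-") for part in parts):
        raise ValueError("path components may not start with '-'")
    return path


def safe_backup_argv(path: str) -> List[str]:
    """Hardened form: validated input, argv list (no shell), and '--' so tar
    stops option parsing before the user-controlled value."""
    return ["tar", "-czf", ARCHIVE, "--", validate_backup_path(path)]


def quoted_shell_command(path: str) -> str:
    """If a shell really is unavoidable, quote the validated value too."""
    return f"tar -czf {ARCHIVE} -- {shlex.quote(validate_backup_path(path))}"


def run_backup(path: str) -> int:
    """Execute the hardened form and return tar's exit status."""
    return subprocess.run(safe_backup_argv(path), check=False).returncode


if __name__ == "__main__":
    payload = "quotes.json; id"  # constructed injection payload
    print("shell string:", vulnerable_backup_command(payload))
    try:
        safe_backup_argv(payload)
    except ValueError as exc:
        print("rejected:", exc)
    print("argv:", safe_backup_argv("quotes/2023.json"))
```

The regex allowlist is the primary control; the argv list removes the shell, and the `--` plus the leading-dash check close the tar option-injection path that survives even when no shell is involved.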

Comments • 34

  • @ITSecurityLabs (1 year ago, +14)

    I have been binge watching ippsec videos for the last month and I learned a lot! Thanks a lot for these tutorials

  • @vonniehudson (1 year ago, +36)

    @ippsec congrats on 200k subs!! I remember I first met you like 7 years ago in Maryland when you visited Ben at his Cyberface meetup. You were telling everyone how to capture WiFi credentials using a Pineapple. You’re just as talented and helpful now as you were then and I’m so thankful for all you’ve done for the cyber community. Here’s to your next 300k subs!

    • @AUBCodeII (1 year ago, +3)

      Hey, I'm currently taking a Udemy course taught by you lol

  • @julianopl (1 year ago, +1)

    Quadruple thumbs up for you ippsec! The linpeas modification and all the other tweaks with postgres and everything is just awesome!! Learning lots and lots from you. Thanks a lot!!

  • @maixicek (1 year ago, +1)

    Awesome video! Thank you for posting 🙂

  • @sand3epyadav (1 year ago)

    I love ippsec guruji..... awesome, forgot... host header attack and cache poisoning... ❤
    Thanks for Mentor....

  • @hm-jr4ok (1 year ago, +1)

    Love the video!

  • @kariminal2999 (1 year ago, +4)

    Great video as always.
    23:05 - I think it is meant to be labelled as snmpbulkwalk instead of brutewalk.
    1:00:30 - FYI, if you do less -R it will interpret the control characters and render the output properly.
    Also, out of interest, are there any tips you would give for spotting when a tool is not picking something up? For example, I tried nmap, hydra and onesixtyone, which meant for ages I just thought there was nothing more in SNMP and that it might be something I had to come back to later.
    Is there anything which would give away to you that you needed to try something else against a service (in this case it was SNMP and using snmp-brute, but it could be anything)? Thanks!

  • @souleymaneadellah1176 (1 year ago, +1)

    It's always very funny seeing you not be familiar with some basic developer terms or frameworks (like when you forgot R is for retrieve in CRUD). Guess you're human after all 😅. Love the vids btw, keep it up

  • @ich3aa (1 year ago)

    What a plot twist, from hackthebox to how to develop a secure FastAPI API

  • @sotecluxan4221 (1 year ago)

    Incredible!

  • @Hckr-ei2xj (1 year ago, +1)

    legend

  • @StevenHokins (1 year ago)

    Super cool!

  • @bughunting-zi4xp (1 year ago, +1)

    Nice bro 🙂

  • @dreftpumpkiller3081 (1 year ago, +1)

    I have a question, ippsec: is it also possible to log in as james by bruteforcing the secret of the JWT and then creating our own JWT? Because we have the required information to do it, right?
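On the question above, and on the bearer-token work in the 01:24:14 to 01:50:20 chapters: the following is an added, stdlib-only example. It is not the box's FastAPI code and not PyJWT or python-jose. It issues and verifies HS256 JWTs, then tries a wordlist against a token's signature and, if the secret is recovered, mints a token for a different subject. That only works when the secret is guessable; the secret and wordlist here are constructed, and nothing is claimed about the secret used on the box.

```python
"""Added example (not the box's code): HS256 JWT issue/verify plus a wordlist
attack on the signing secret. The secret and wordlist are constructed."""
import base64
import hashlib
import hmac
import json
from typing import Iterable, Optional


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def _unb64url(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def issue_hs256(claims: dict, secret: str) -> str:
    """Build header.payload.signature with HMAC-SHA256 over header.payload."""
    header = _b64url(json.dumps({"alg": "HS256", "typ": "JWT"}, separators=(",", ":")).encode())
    body = _b64url(json.dumps(claims, separators=(",", ":"), sort_keys=True).encode())
    sig = hmac.new(secret.encode(), f"{header}.{body}".encode(), hashlib.sha256).digest()
    return f"{header}.{body}.{_b64url(sig)}"


def verify_hs256(token: str, secret: str) -> Optional[dict]:
    """Return the claims if the signature checks out under HS256, else None.
    The algorithm is pinned server-side; 'alg' from the token is never trusted,
    which also rejects alg=none tokens."""
    parts = token.split(".")
    if len(parts) != 3:
        return None
    header, body, sig = parts
    try:
        if json.loads(_unb64url(header)).get("alg") != "HS256":
            return None
        expected = hmac.new(secret.encode(), f"{header}.{body}".encode(), hashlib.sha256).digest()
        if not hmac.compare_digest(expected, _unb64url(sig)):
            return None
        return json.loads(_unb64url(body))
    except (ValueError, UnicodeDecodeError, AttributeError):
        return None


def crack_hs256_secret(token: str, wordlist: Iterable[str]) -> Optional[str]:
    """Offline guess: a captured token verifies under exactly one secret, so any
    candidate that verifies is the signing key. Fails when the key is random."""
    for candidate in wordlist:
        if verify_hs256(token, candidate) is not None:
            return candidate
    return None


# Constructed weak secret and wordlist; not values from the box.
WEAK_SECRET = "mentor-secret"
WORDLIST = ["password", "secret", "changeme", "mentor-secret", "letmein"]


def demo():
    """Capture a low-privilege token, recover the secret, forge another subject."""
    svc_token = issue_hs256({"sub": "svc"}, WEAK_SECRET)
    recovered = crack_hs256_secret(svc_token, WORDLIST)
    forged = issue_hs256({"sub": "james"}, recovered) if recovered else None
    return recovered, forged


if __name__ == "__main__":
    secret, forged = demo()
    print("recovered secret:", secret)
    print("forged token verifies as:", verify_hs256(forged, WEAK_SECRET))
```

The defensive takeaway is in `verify_hs256`: pin the algorithm, compare signatures in constant time, and sign with a long random secret so the wordlist loop in `crack_hs256_secret` has nothing to find.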

  • @user-xl5oz4ws9g (11 months ago)

    I'm assuming that internal was not discovered by Hydra and onesixtyone as it was on SNMPv2c. Public was the only v1 string and was picked up by both. It is likely that Hydra and onesixtyone only use SNMPv1.

  • @otaldohenrik (1 year ago)

    youre amazing

  • @FMisi (1 year ago)

    [Interesting behaviours of HTB]
    - When I submitted a flag on the seasons, it said "Wrong flag". But then I submitted the same flag immediately again and the flag got accepted.
    - When I go to an Active machine, and immediately click on the "Walkthroughs" button... well, I can click on the "Walkthroughs" button which shouldn't happen. It says that I am unauthorized but I can submit a walkthrough on that panel. If I am slower, I cannot submit a walkthrough on that panel as it gets denied before I can click on the "Walkthroughs" button

  • @B4ch4r (1 year ago, +1)

    Ippsec is the best MENTOR..!!

  • @nischalkarki1337 (1 year ago, +1)

    Noice ^^^

  • @dazed1111 (1 year ago)

    Thanks boss

  • @everything-om3zx (1 year ago)

    What OS is that? Did you customize it with Hack The Box logos, or is it a VM made by HackTheBox? If it is, where can I download it from?

    • @B4ch4r (1 year ago, +2)

      In the Parrot OS website there is a custom version for HTB

  • @tg7943 (1 year ago)

    Push!

  • @kalidsherefuddin (1 year ago)

    Thanks

  • @pa-vl1kg (1 year ago)

    @1:18:30 guys put on the binocular spectacle, you will need it, lol. Nice podcast from 1:18:30 onward.

  • @xira7078 (1 year ago)

    How did you discover the password at 26:15? I was not going to sift through 9,000 lines of output, especially when I was not sure what I was to look for, and you kind of just drifted to it.

    • @ippsec (1 year ago, +1)

      By default SNMP does not show running processes. It is something that gets configured (or used to) because a lot of old monitoring applications would use SNMP to see if a process is running. But since SNMP showed running processes, chances are there was something there because the author would not just randomly enable it.
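Following up on the reply above and on the 25:00 and 01:01:10 chapters, the following is an added example, not part of the video and not LinPEAS code. It parses the HOST-RESOURCES-MIB process rows out of an snmpbulkwalk dump and flags arguments that look like credentials (a password flag, or positional arguments to a script with a name like login/auth/backup), then runs the kind of regex the LinPEAS edit adds over an snmpd.conf fragment. Every sample line, process name and secret below is constructed; none of the values come from the Mentor box.

```python
"""Added example (not from the video or LinPEAS): credential triage over an
snmpbulkwalk dump and over snmpd.conf. All sample data is constructed."""
import re
from typing import Dict, List, Optional, Tuple

# Constructed lines shaped like `snmpbulkwalk -v2c -c <community> <host>` output.
SAMPLE_WALK = """\
HOST-RESOURCES-MIB::hrSWRunName.1 = STRING: "systemd"
HOST-RESOURCES-MIB::hrSWRunName.812 = STRING: "python3"
HOST-RESOURCES-MIB::hrSWRunName.955 = STRING: "backup.sh"
HOST-RESOURCES-MIB::hrSWRunName.1020 = STRING: "sshd"
HOST-RESOURCES-MIB::hrSWRunPath.812 = STRING: "/usr/bin/python3"
HOST-RESOURCES-MIB::hrSWRunParameters.1 = STRING: ""
HOST-RESOURCES-MIB::hrSWRunParameters.812 = STRING: "/opt/app/login.py Hunter2Example!"
HOST-RESOURCES-MIB::hrSWRunParameters.955 = STRING: "--password=Backup-Pw-Example --db mentorquotes"
HOST-RESOURCES-MIB::hrSWRunParameters.1020 = STRING: "-D"
"""

# Constructed snmpd.conf fragment in net-snmp syntax.
SAMPLE_SNMPD_CONF = """\
# constructed example config
rocommunity public  default
rocommunity internal 127.0.0.1
createUser bootstrap MD5 "Example-Bootstrap-Pw" DES
rouser bootstrap
"""

_OID_RE = re.compile(
    r'^HOST-RESOURCES-MIB::(hrSWRunName|hrSWRunPath|hrSWRunParameters)\.(\d+) = STRING: "(.*)"$'
)


def parse_hr_sw_run(walk_text: str) -> Dict[int, Dict[str, str]]:
    """Group the per-process columns of HOST-RESOURCES-MIB by PID."""
    procs: Dict[int, Dict[str, str]] = {}
    for line in walk_text.splitlines():
        m = _OID_RE.match(line)
        if m:
            column, pid, value = m.groups()
            procs.setdefault(int(pid), {})[column] = value
    return procs


# Long-form credential flags: --password=X, --passwd X, -secret X, --token=X ...
# Short '-p X' is deliberately not matched because it is far too noisy.
_FLAG_RE = re.compile(
    r"(?:^|\s)--?(?:pass(?:word|wd|phrase)?|pw|secret|token|api[-_]?key)[=\s]+(\S+)", re.I
)
# Scripts whose positional arguments are worth a look even without a flag.
_SENSITIVE_SCRIPT = re.compile(r"login|auth|cred|pass|backup|db|sql", re.I)


def find_process_credentials(walk_text: str) -> List[Tuple[int, str, str, str]]:
    """Return (pid, name, reason, suspicious value) for each flagged process."""
    hits = []
    for pid, cols in sorted(parse_hr_sw_run(walk_text).items()):
        params = cols.get("hrSWRunParameters", "")
        if not params:
            continue
        name = cols.get("hrSWRunName", "?")
        m = _FLAG_RE.search(params)
        if m:
            hits.append((pid, name, "credential flag", m.group(1)))
            continue
        argv = params.split()
        if len(argv) > 1 and _SENSITIVE_SCRIPT.search(argv[0]):
            hits.append((pid, name, "positional arg to sensitive script", " ".join(argv[1:])))
    return hits


_CREATEUSER = re.compile(r'^\s*createUser\s+(\S+)\s+(?:MD5|SHA\S*)\s+"?([^"\s]+)"?', re.I)
_COMMUNITY = re.compile(r"^\s*(r[ow]community6?)\s+(\S+)", re.I)


def find_snmpd_conf_secrets(conf_text: str) -> List[Tuple[str, str, Optional[str]]]:
    """Return (directive, user_or_community, passphrase_or_None) per matching line."""
    found = []
    for line in conf_text.splitlines():
        m = _CREATEUSER.match(line)
        if m:
            found.append(("createUser", m.group(1), m.group(2)))
            continue
        m = _COMMUNITY.match(line)
        if m:
            found.append((m.group(1).lower(), m.group(2), None))
    return found


if __name__ == "__main__":
    for hit in find_process_credentials(SAMPLE_WALK):
        print("process:", hit)
    for item in find_snmpd_conf_secrets(SAMPLE_SNMPD_CONF):
        print("snmpd.conf:", item)
```

The point of the two heuristics is the one the reply makes: process arguments are only exposed when someone enabled the HOST-RESOURCES process table, so a nine-thousand-line walk is best reduced to the hrSWRunParameters rows and read from there rather than scrolled.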

  • @yoseflevy6567 (1 year ago)

    Thanks a lot for the videos. One question: why does my ffuf not detect the api vhost?

    • @ippsec (1 year ago)

      Did you forget to do -mc all?

    • @yoseflevy6567 (1 year ago)

      @ippsec I did mc -l, did everything like you

    • @yoseflevy6567 (1 year ago)

      @ippsec I'm trying gobuster but no api vhost

    • @yoseflevy6567 (1 year ago)

      I did mc -all *