HackTheBox - Broker

  • Published on 29 Jun 2024
  • 00:00 - Intro
    01:00 - Start of nmap
    01:45 - Logging into ActiveMQ with admin:admin and then failing to use the exploit from 2016
    04:00 - Doing a full nmap scan, then running script scans on the open ports
    07:50 - Finding a page that talks about CVE-2023-46604, the latest ActiveMQ exploit
    11:00 - Pulling down an exploit payload for this exploit, it is golang
    12:30 - Modifying the payload to execute a reverse shell, instead of downloading and executing an elf file. Need to HTML Entity Encode the payload
    16:30 - Reverse shell returned, seeing we can run nginx as root
    17:20 - Building an nginx config that runs as root and shares the entire filesystem
    23:08 - Enabling the WebDav PUT so we can upload files to the server and uploading an SSH Key
    27:05 - Showing we could upload a cron entry as well to get code execution

Comments • 40

  • @alihajir1841 7 months ago +22

    Man you are awesome. I love the way you handle and understand things like it is nothing to you. I wish I could reach this level of professionalism.

    • @boogieman97 7 months ago +5

      You actually can. Ippsec reached this level by pure determination, tons of trial and error, a lot of reading, putting it into practice and most of all be curious and have the passion

    • @ippsec 4 months ago +4

      +1 to @boogieman97 keep in mind I’ve been doing videos weekly for 5+ years. Which isn’t a long time at all, but more frequent than the average person. If you create a plan and stick with it I’m sure you’ll be near this level

    • @boogieman97 4 months ago

      @ippsec next to that correct me if I'm wrong, I've heard in one of your earlier videos that your career is far most autodidactic. Apart from that that might not be "long", it is about dedication and willingness to commit. That's why I am highly appreciating Ippsec and of course subscribed, so if you agree folks do so as well 😃

  • @kaushikreddychinnasani 6 months ago +2

    Cron Job Priv Esc learnt today, Great video.

  • @The_Dark_Cats 7 months ago +1

    I didn't think to try entity encoding the xml and resorted to the curl command. Nice to know about that now. My question is did we have to have all three lines in the xml? Or could it have been done with one? Great video as usual!

  • @ptrckm 7 months ago +1

    it's not even weekend wow love it

  • @ru31k32 7 months ago

    Nice way of opening a shell using cron job. :)

  • @petervsjim 5 months ago

    wow the dav method and cron are amazing

  • @KyserClark 7 months ago

    Thanks for the tutorial!

  • @chiragartani 7 months ago +2

    First .. now let me watch 😁

  • @094b3x1 7 months ago

    Thanks ippsec ❤

  • @tntxqx8281 7 months ago

    Awesome ippsec!!

  • @felixkiprop48 7 months ago

    thumb up💯

  • @Ak4sh07 7 months ago +1

    ❤❤❤

  • @0xPr3d4T0r 26 days ago

    You are crazy good man 👍👌

  • @guillaumeentournee 26 days ago

    the privesc feels amazing

  • @sand3epyadav 7 months ago

  • @alanbusque6645 7 months ago

    Thanks

  • @gordona.freidman7308 7 months ago

    Thanks Ippsec

  • @tg7943 7 months ago

    Push!

  • @BLACKSTORM-ux9zi 7 months ago

    So basically is it a vuln in the class - ClassPathXmlApplicationContext which is part of the Spring framework? And this being used by ActiveMQ made it vuln as this class loaded a crafted XML config file

  • @WyldeZk 7 months ago +4

    Hey Ippsec thanks for the awesome video as usual. Are you planning to make videos on new HTB-Sherlocks when they’ll retire?

    • @ippsec 7 months ago +2

      I have not decided yet.

    • @yurilsaps 6 months ago

      @ippsec I would appreciate a lot! Or if you know someone that you trust to make them also

  • @steenbot6413 6 months ago +1

    Hi Ippsec, I was wondering if you could help? I am attempting this machine and I get into the activemq user initially through a meterpreter reverse tcp, then I get an interactive shell (python3 -c 'import pty;pty.spawn("/bin/bash")').
    But when I try to edit the nginx.conf file with vi, the vi editor doesn't work properly and I can enter/exit insert mode or move around the text in the file with the arrow keys

  • @TekiZZ 7 months ago

    In this box the port 2112 lists archive system of the machine with elevated privileges on the navigator

  • @jmee7580 4 months ago

    I have reset this box and gone through the same steps (I think) and there is no /root directory in /crontabs, also any file that gets uploaded doesn't have execute permissions (I changed permissions before uploading just in case). I uploaded the ssh keys just to login as root and check. Did they change the box?

  • @whilykitt 3 months ago

    Do you have a tutorial or can you recommend one on getting more comfortable with Vi/Vim?

  • @TazEdits_ 6 months ago

    I got a 404 message not found error when I sent the file. I tried to send the packet without the poc xml and got a 200 get from server, idk why

    • @GaelF30 months ago

      I'm maybe late but I had the same problem. You have 404 because your poc-linux.xml file is in the CVE folder and your http server can't find it. Just move poc-linux.xml to /home/[your account]/
      I guess you started your http server in the home directory like me :'(

  • @iWhacko 7 months ago

    I can't find the challenge on HTB? (yes I'm looking under retired)

    • @ippsec 7 months ago

      You may have a filter on your search.

  • @Fbarrett 7 months ago

    Ippsec you said on an earlier podcast that you were going to start doing videos on the basic foundations of Hackthebox. Is that still in the works? Thanks.

    • @ippsec 7 months ago +2

      I want to, just can't get the motivation. If you look at the technique videos, I think I've started covering things just not from a foundation perspective.

    • @Fbarrett 7 months ago

      thanks @ippsec

  • @sanfordfloridarepairs9668 7 months ago

    Nothing

  • @user-ms6lq1lm1c 3 months ago

    I did a completely different technique for privesc using shared object .so (files), since we can modify the prefix with nginx I just needed to craft a .so file in a module directory, rename it correctly (ngx_http_echo_module.so), run with sudo ===> got error but BAM suid /usr/bin/bash -p