HackTheBox - Monitored
ฝัง
- เผยแพร่เมื่อ 19 มิ.ย. 2024
- 00:00 - Introduction
01:00 - Start of nmap
02:40 - Examining the webpage, not finding much
05:30 - Checking out SNMP, discovering its open with the default community string. Installing MIBS so we can make sense of the data
08:20 - The process list is in SNMP, explaining how to read this data
12:40 - Grepping interesting processes discovering there's a bash script that has user credentials in arguments! Attempting to log into Nagios with it
14:00 - The SVC Account couldn't log in on the GUI, Looking for how to login via an API
15:45 - Logging into Nagios, discovering it is version 5.11.0 which is vulnerable to a SQL Injection
17:40 - Manually exploiting this Error Based SQL Injection with XPATH
26:45 - Using Burpsuite Intruder to dump the TABLES, then edit the columns in burpsuite to show tables easily
33:40 - The APIKEY is too long to display, using SUBSTRING to grab the APIKEY in multiple requests
35:45 - Finding a way to register a new user with our API KEY and make them an administrator
39:00 - Creating a Nagios Check to send us a shell
41:20 - Showing how to perform the SQL Injection through SQLMap
49:00 - Finding the MySQL Password of Nagios
51:00 - Discovering the Nagios user has a bunch of sudo rules
57:00 - (Root method 1) Exploiting GetProfile through creating a SymLink
59:00 - (Root method 2) Overwriting the Nagios Binary than using Sudo to restart the service to get a root shell
'we are not known for taking notes here' - Ippsec, 2024
I laughed out loud on that one 😂
I can't imagine no more a Saturday without your videos ❤❤
Just wanted to say that doing it 'manually' helps me learn! Thanks for deciding to it manually!
As someone preparing for OSCP in less than 2 weeks my heart was full when you said lets just do it manually. Thank you ❤
Man this is so hard 😢😢😢 did you do the challenege labs ?
I've been signed up for longer but yeah some of them. @@traderH
45:58 there's a `-hh` for a more verbose help on sqlmap. That likely hides your `--force-ssl` flag.
Always love your videos, well explained❤️❤, love from Bharat🇮🇳❤❤
Great video, enjoyed the manual sql exploit.
I imagine if we are careful enough and did our homework, we could add a reverse shell to the nagios functionally (run nagios then reverse shell, etc.)
I am korea vig fan of your. Thank you always
Thanx!
What is your device setup like @IppSec? Is it like bare metal ubuntu and all the security stuff you do is on VM's or some other kind of setup? Thank you in advance!
Parrot OS HTB VM
@@sponge5643 Sorrry but that was not the question lol. I know he uses Parrot OS HTB. But the question was is it in VM or not, and if it was in VM, what does he use as his main OS and does he use all his cybersec 'tools' as VM's only or what is his setup like
@@Eskimostyle IIRC he uses VMs for everything, in some windows videos where he'll switch to a windows VM you can see he uses VMWare and has the parrot VM there alongside the windows one
@@megaREAL900 do you know his main OS?
@@Eskimostyle no clue
Push!
How are you executing sudo -l without being prompted to put in the password?
zero and one, like that
You can add --top-ports 10 is much faster than normal udp scan
Very true but you are only scanning the top 10 ports rather than the top 1,000.
I’ve seen ipp use the min-rate option to speed it up too (can be more unreliable)
@@olivernichols7493 i am talking about udp scan not tcp
51:15 I feel like this all the time :):)
I'm not understanding why you've used SNMP but nmap didn't show it 😮
Snmp is UDP, not TCP. Default nmap only shows tcp
@@ippsec aaah you're right, I missed that. thanks so much!
first!
25 cents, Ipp