HackTheBox - Bizness

  • Published on 29 Jun 2024
  • 00:00 - Introduction
    01:00 - Start of nmap
    03:00 - Seeing JSESSIONID and NGINX; trying the off-by-slash exploit to get access to /manager, which doesn't work here
    04:30 - Dirbusting with FFUF, because the lack of 404s messed with gobuster
    07:40 - Discovering the OfBiz Version, looking for exploits
    09:00 - Going over the Authentication Bypass in OfBiz
    12:40 - Downloading YSOSERIAL and building a Docker image so we don't have to worry about Java versions
    14:30 - Building a reverse shell payload that works with YSOSERIAL
    18:40 - Reverse shell returned! Looking at OfBiz and finding out it uses the Derby database
    22:30 - Copying the Derby database, then using ij from derby-tools to dump the data
    26:40 - The hash in the database is URL-safe Base64 encoded; decoding it gives 40 hex characters (20 bytes), the normal length of a SHA-1 digest. Decoding it, then cracking with hashcat

Comments • 23

  • @azelbane87
    @azelbane87 months ago +2

    💪🙏👏🏽what a MAGNIFICENT video! Excellent👏👏🏻

  • @AUBCodeII
    @AUBCodeII 20 days ago +1

    It took me a while to figure this out, but you can also use John the Ripper to crack a salted hash.
    First, we need to create the file with the hash and salt, in the format hash$salt. I'll name it admin.hash:
    b8fd3f41a541a435857a8f3e751cc3a91c174362$d
    After that, we need to identify the format to be used:
    john --list=subformats | grep -i sha1 | grep -i '\$s'
    The command above shows us that we want to use the dynamic_24 and dynamic_25 formats:
    Format = dynamic_24 type = dynamic_24: sha1($p.$s)
    Format = dynamic_25 type = dynamic_25: sha1($s.$p)
    Since we don't know whether the salt is added before or after the string before calculating the hash, we have to test both formats.
    Finally, we need to run john with both formats:
    john admin.hash --wordlist=rockyou.txt --format=dynamic_25
    After running john with the dynamic_25 format, we find out the cleartext password that, prepended with the salt "d", generates the hash above.
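
As an added example covering both the hash decoding in the 26:40 chapter and the salted-SHA1 cracking in the comment above (not code from the video, the commenter, or OFBiz): the script below takes an OFBiz-style stored hash, URL-safe-base64-decodes it into the 40-hex-character SHA-1 digest that hashcat and john expect, emits the `hash$salt` john line, and then tries both salt orders against a wordlist to report which one matched. The stored-hash format (`$SHA$<salt>$<base64url digest without padding>`, digest = sha1(salt + password)), the sample row value and the wordlist are assumptions constructed for this example.

```python
"""Added example: OFBiz-style password hash -> hashcat/john input -> salt-order check.

Assumptions, labelled here and not taken from the page: the stored value looks like
    $SHA$<salt>$<base64url digest, no '=' padding>
with digest = sha1(salt + password). The sample row value and the wordlist
below are constructed for this example.
"""
import base64
import hashlib
from typing import Iterable, Optional, Tuple


def parse_ofbiz_hash(stored: str) -> Tuple[str, str, str]:
    """Split '$SHA$salt$digest' into (algo, salt, hex digest)."""
    _, algo, salt, b64 = stored.split("$", 3)
    if algo != "SHA":
        raise ValueError(f"unsupported algorithm tag: {algo}")
    # URL-safe base64 without padding: restore '=' before decoding.
    b64 += "=" * (-len(b64) % 4)
    raw = base64.urlsafe_b64decode(b64)
    if len(raw) != 20:
        raise ValueError(f"expected a 20-byte SHA-1 digest, got {len(raw)} bytes")
    return algo, salt, raw.hex()       # 40 hex chars: what hashcat/john expect


def ofbiz_hash(password: str, salt: str) -> str:
    """Re-create the stored form with digest = sha1(salt + password)."""
    digest = hashlib.sha1(salt.encode() + password.encode()).digest()
    b64 = base64.urlsafe_b64encode(digest).decode().rstrip("=")
    return f"$SHA${salt}${b64}"


def john_line(hex_digest: str, salt: str) -> str:
    """The 'hash$salt' line john's dynamic_24/dynamic_25 subformats read."""
    return f"{hex_digest}${salt}"


def crack(hex_digest: str, salt: str, wordlist: Iterable[str]) -> Optional[Tuple[str, str]]:
    """Try both salt orders per word and report which one matched."""
    target = bytes.fromhex(hex_digest)
    s = salt.encode()
    for word in wordlist:
        pw = word.rstrip("\r\n").encode()
        if hashlib.sha1(s + pw).digest() == target:
            return pw.decode(), "sha1($s.$p)"   # john dynamic_25, hashcat -m 120
        if hashlib.sha1(pw + s).digest() == target:
            return pw.decode(), "sha1($p.$s)"   # john dynamic_24, hashcat -m 110
    return None


WORDLIST = ["password", "letmein", "welcome1", "bizness2024"]   # constructed

if __name__ == "__main__":
    stored = ofbiz_hash("bizness2024", "d")            # constructed sample row value
    algo, salt, hexd = parse_ofbiz_hash(stored)
    print("stored :", stored)
    print("john   :", john_line(hexd, salt))
    print("hashcat:", f"{hexd}:{salt}", "(-m 120)")
    print("cracked:", crack(hexd, salt, WORDLIST))
```

The padding fix matters in practice: URL-safe base64 emitted without `=` will not decode with a strict decoder, and a decoded length other than 20 bytes means the value is not a raw SHA-1 digest, so the script refuses it rather than feeding junk to the cracker.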

  • @HopliteSecurity
    @HopliteSecurity months ago

    Really well done and thanks for the detailed explanation. Keep up the amazing work ❤❤

  • @beloraymonyela1704
    @beloraymonyela1704 months ago +1

    That was a nice one, thanks for everything. Set in dark mode, especially if you're watching it in the dark... awesome, really.

  • @Myk4my
    @Myk4my months ago +13

    It would not be possible for a beginner to discover this part of the hash, I believe that saying that this machine is easy was really a mistake on the part of the staff

    • @CHAP_SEC
      @CHAP_SEC months ago

      Well I mean the whole easy/medium/hard rating system is totally relative.
      What is hard for a beginner with absolutely no experience might be easy for a beginner with some experience.
      I would probably still say this is easy because you can get the password hashed very quickly with little to no understanding of how the exploit is working. The hash stuff is just research.

    • @ippsec
      @ippsec months ago +9

      Yeah, what @chap_sec said - there are multiple ways to get how it's hashed. Open source, blogs, etc. If this individual piece was a crypto challenge it would be labeled as easy.
      Easy is not meant for a true beginner; you're better off starting at Academy, Starting Point, or challenges.
      Also, boxes are meant to be done in teams, not individually; a small hint goes a long way to making this very solvable. If you have trouble, you need to expand your social network, which will help tenfold down the line.

    • @Myk4my
      @Myk4my months ago

      @@ippsec I confess I didn't know about that part. My crypto skills are pretty basic.
      From your point of view, would it be more productive to focus on the challenges and, after gaining experience, play the machines?
      And I ask this regardless of the category, since in machines we generally have a mix of them.
      I'm sure both I and the rest of the community will benefit from your answer.
      Thank you in advance for your kindness and for all the help your videos provide.

    • @ippsec
      @ippsec months ago +7

      @Myk4my if you can get VIP, I think the retired easy/medium machines may be the best with guided mode. If you get stuck there’s videos.

  • @AmanuelHaileGiyorgis
    @AmanuelHaileGiyorgis months ago +2

    First, luv u ippsec

  • @ancestrall794
    @ancestrall794 months ago

    Nice one bro

  • @martin-hollingsworth
    @martin-hollingsworth months ago

    You have a beautiful brain good sir 🤓.

  • @suburbian4030
    @suburbian4030 months ago

    great person

  • @D4rK_Pr0xY
    @D4rK_Pr0xY 29 days ago

    Hey mate! What is that shell you're using? Thanks and cheers!

  • @tg7943
    @tg7943 months ago

    Push!

  • @Grasimee
    @Grasimee months ago +1

    Could you turn your microphone up a little in future videos please? I have everything on max and it's still quiet.

  • @CHAP_SEC
    @CHAP_SEC months ago

    I just recursively cat'd the entire directory onto my attack machine into one text file and then used strings. Piped that to grep to look for "Password". 24:03

  • @AUBCodeII
    @AUBCodeII months ago +2

    #Let'sSeeGang
    #ThereWeGoGang
    #Let'sSeeAndThereWeGoGang

  • @netbin
    @netbin months ago

    Second!

  • @AmanSingh0699
    @AmanSingh0699 months ago

    Yo!