HackTheBox - Format

  • Published on 4 Nov 2024

Comments • 26

  • @AUBCodeII
    @AUBCodeII 1 year ago +20

    What's going on TH-cam, this is TrippSec, and we're doing Drugs from Hack The Box

    • @Th3Mag1c1an
      @Th3Mag1c1an 1 year ago +3

      😂😂😂. OK

  • @ianberdahl108
    @ianberdahl108 1 year ago +2

    Definitely watching more of your vids. Good explanation on your steps. ❤

  • @dariusvlogs3634
    @dariusvlogs3634 1 year ago +3

    Thank you for reupload

  • @tntxqx8281
    @tntxqx8281 1 year ago +1

    Ippsec we love you ❤️❤️ your personality, your knowledge 🔥🔥

  • @boogieman97
    @boogieman97 1 year ago +1

    Great one again! I could understand your reasoning in creating a Python script that just does the job, but no functions also results in no structure and silly mistakes, in my experience. You could have used the attribute "text" on the request object to have it decoded and not escaped, instead of content.

    • @ippsec
      @ippsec 1 year ago +2

      Yeah, it's been a while since I wrote Python, and talking while typing does make for more errors. It was also my third video that week, so I was mentally burned out.

  • @AUBCodeII
    @AUBCodeII 1 year ago +7

    I found out an unintended way to get code execution on this box.
    When we write a .php script in /content, and request this script, the server returns the content of this script:
    Client: GET /content/shell.php HTTP/1.1
    Server:
    This means that we matched the rule "location ~ ^/content/(?[^/]+)(/\.php)*$".
    However, when we request the path /content/shell.php/Anything.php, we have code execution:
    Client: GET /content/shell.php/Anything.php HTTP/1.1
    Server: www-data
    This is because we are matching the rule "location ~ \.php$", which allows execution of .php scripts.

  • @lonelyorphan9788
    @lonelyorphan9788 1 year ago

    Double Ippsec week! I feel spoiled 🙂. Ippsec rocks!

  • @tg7943
    @tg7943 1 year ago +1

    Push!

  • @howismake
    @howismake 1 year ago

    👏

  • @3rawkz
    @3rawkz 1 year ago

    Hey! How did you know to add "app" subdomain? I didn't catch where during enum that showed up!

  • @HackerBabaOfficial
    @HackerBabaOfficial 1 year ago +1

    Which keyboard are you using, and which software are you using for screen recording?

  • @Landee
    @Landee 1 year ago

    thx ytb..

  • @PR1V4TE
    @PR1V4TE 1 year ago

    Why was the video taken down? 😅

    • @ippsec
      @ippsec 1 year ago +6

      It's in the description -- I re-uploaded it because the previous video got stuck on YT's end encoding the high-def version, so most people could only watch it in 360p.

  • @Asynerx
    @Asynerx 1 year ago

    The bot already retired

  • @triplem3224
    @triplem3224 1 year ago

    Last

  • @heapbytes
    @heapbytes 1 year ago +1

    Why use the __init__ global in the username? Why not just {secret_encoded} or {secret}? (Because when you demoed the sys.argv version, you just used it as {secret}, and secret there wasn't in any function either.)

    • @ippsec
      @ippsec 1 year ago

      You can only include what is within the .format() piece. In my demo I passed secret there. On the box, the object was passed.

    • @heapbytes
      @heapbytes 1 year ago

      @@ippsec ahhh I see, thanks!!
      So if license wasn't passed in .format(), what can we do? Then could we have used {secret} directly, or something else?
      (Sorry for the silly question, this is my first time seeing an nginx vuln and the other vulns this box has; I'm too excited for it.)

    • @AUBCodeII
      @AUBCodeII 1 year ago

      @@heapbytes I think something must be passed in .format() for the format string vulnerability to work. Passing something in .format() or not, if you used {secret} directly, the script would throw a KeyError exception:
      Traceback (most recent call last):
      File "./license_simple.py", line 26, in
      license_key = (prefix + username + firstlast).format()
      KeyError: 'secret'
      You can write a simpler version of the script license to play with the input and see what the script outputs.
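
The .format() discussion above (ippsec's point that only what is passed to .format() is reachable, and @AUBCodeII's KeyError for a bare {secret}), worked through as an added example. This is a constructed stand-in, not the box's licence script and not code from the video: it assumes the module keeps a global named `secret`, that the username is concatenated straight into the template, and that the script calls .format(license=<License object>). The secret value and usernames are constructed sample data.

```python
"""Added example: attacker-controlled text reaching str.format().

Assumptions (not on the page): a module-level global `secret`, a License
class with a real __init__ defined in this module, and a generator that
concatenates the username into the template before calling
.format(license=<License object>).
"""

# Assumed module-level global; stands in for whatever the real script keeps here.
secret = "constructed-secret-value"


class License:
    # __init__ must be a plain function defined in this module: the attacker
    # walks license.__init__ -> function -> __globals__ -> this module's dict.
    def __init__(self, username):
        self.username = username


def build_key_vulnerable(prefix, username, lic):
    """Vulnerable: the username is spliced into the template, so any {...}
    it contains is parsed as a replacement field and resolved against the
    objects handed to .format(), here only `license`."""
    template = prefix + username
    return template.format(license=lic)


def escape_braces(text):
    """Double every brace so str.format() treats it as a literal character."""
    return text.replace("{", "{{").replace("}", "}}")


def build_key_fixed(prefix, username, lic):
    """Hardened: same call shape, but user text can no longer open a field."""
    template = prefix + escape_braces(username)
    return template.format(license=lic)


def try_build(builder, prefix, username, lic):
    """Run a builder and report ("ok", key) or ("error", exception name),
    so the KeyError from a bare {secret} can be observed instead of crashing."""
    try:
        return ("ok", builder(prefix, username, lic))
    except (KeyError, AttributeError, IndexError) as exc:
        return ("error", type(exc).__name__)


if __name__ == "__main__":
    lic = License("alice")
    for name in ("{license.username}",
                 "{secret}",
                 "{license.__init__.__globals__[secret]}"):
        print(name, "->", try_build(build_key_vulnerable, "FMT-", name, lic),
              "| fixed:", try_build(build_key_fixed, "FMT-", name, lic))
```

The middle case reproduces the traceback in the comment above: `{secret}` is looked up among the keyword arguments of .format(), and `secret` is not one of them. The last case is the path ippsec describes: the License object is passed, so the field walks from it to its `__init__`, to that function's `__globals__`, and indexes the module dictionary with the string key `secret`. Escaping the braces (or passing the username as its own .format() argument rather than concatenating it into the template) removes the attacker's ability to open a field at all.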

  • @heapbytes
    @heapbytes 1 year ago

    12:08 I didn't get why phpinfo() wasn't executed, can you please explain or provide a resource about the FastCGI thing @ippsec

    • @angeleeh
      @angeleeh 1 year ago

      It's because of the Content-Disposition header

    • @ippsec
      @ippsec 1 year ago

      @@angeleeh Not exactly, I go over it at 51:50 but the content-disposition header has nothing to do with it. It's just that location block in the nginx config.

    • @angeleeh
      @angeleeh 1 year ago

      @@ippsec I thought this was the case, as it specifically sets the Content-Disposition header on /content to 'attachment', so it just downloads the files without executing inline. Do you think you could execute code if /images had the Content-Disposition header set in the same way?
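
The nginx location behaviour discussed in two places in this thread, @AUBCodeII's unintended path (/content/shell.php is served as a download but /content/shell.php/Anything.php reaches PHP) and the phpinfo() question just above (ippsec's answer: it is only the location block), modelled as an added example. This is not the box's nginx.conf and not code from the video: the two regexes are reconstructed from the comment with an unnamed capture group in place of the named one, the handler names are made up, and the `try_files $uri =404;` hardening and the set of existing files are assumptions.

```python
"""Added example: which nginx location block handles a URI.

Constructed model, not the box's configuration. The two regex locations are
listed in the order that explains the behaviour reported in the thread:
nginx tests regex locations in configuration order and stops at the first
match, so the /content/ block shadows the generic \\.php$ block.
"""
import re

# (kind, pattern, handler). Handler names are made up for this example.
LOCATIONS = [
    ("regex", r"^/content/([^/]+)(/\.php)*$", "content-download"),
    ("regex", r"\.php$", "php-fpm"),
    ("prefix", "/", "static"),
]


def resolve_location(uri, locations=LOCATIONS):
    """Return the handler nginx would select for `uri`.

    Simplified nginx rule set: remember the longest matching prefix location,
    then test regex locations in config order and take the first hit; the
    prefix location applies only when no regex matches. Exact (=) and ^~
    locations are left out because the thread does not mention any.
    """
    best_prefix = None
    for kind, pattern, handler in locations:
        if kind == "prefix" and uri.startswith(pattern):
            if best_prefix is None or len(pattern) > len(best_prefix[0]):
                best_prefix = (pattern, handler)
    for kind, pattern, handler in locations:
        if kind == "regex" and re.search(pattern, uri):
            return handler
    return best_prefix[1] if best_prefix else None


def resolve_hardened(uri, existing_files, locations=LOCATIONS):
    """Same selection, but the PHP location is assumed to carry
    `try_files $uri =404;`: a request routed to PHP-FPM whose URI is not an
    existing file gets a 404 instead of being handed to PHP-FPM, which is
    what lets /content/shell.php/Anything.php fall back to shell.php.
    """
    handler = resolve_location(uri, locations)
    if handler == "php-fpm" and uri not in existing_files:
        return "404"
    return handler


if __name__ == "__main__":
    # Constructed file set: the attacker has written shell.php into /content.
    files = {"/content/shell.php", "/index.php"}
    for uri in ("/content/shell.php",
                "/content/shell.php/Anything.php",
                "/index.php"):
        print(uri, "->", resolve_location(uri),
              "| hardened:", resolve_hardened(uri, files))
```

For /content/shell.php (and a /content/phpinfo.php) the first regex matches, so the request never reaches the PHP block, which is ippsec's point. /content/shell.php/Anything.php fails the first regex because `[^/]+` cannot cross the extra slash and `(/\.php)*` only accepts a literal `/.php`, so the `\.php$` block takes it. What happens next is the standard PHP-FPM behaviour rather than something the thread states: with PHP's default cgi.fix_pathinfo=1, PHP-FPM strips path components until it finds an existing script, runs shell.php, and treats /Anything.php as PATH_INFO. Swapping the order of the two regex blocks would make /content/shell.php execute too; `try_files $uri =404;` in the PHP location, or cgi.fix_pathinfo=0, closes the path-info route regardless of order.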