HackTheBox - Ouija

แชร์
ฝัง
  • เผยแพร่เมื่อ 21 มิ.ย. 2024
  • 00:00 - Introduction
    01:00 - Start of nmap
    03:15 - Fuzzing the API port port 3000 with ffuf
    09:00 - Discovering the Gitea Domain and seeing a repo which discloses HA Proxy 2.2.16 is in use
    11:50 - Exploring CVE-2021-40346 an integer overflow in HA Proxy which enables HTTP Smuggling
    18:00 - Putting a 3rd request in to make the HTTP Smuggle reliable and grabbing the source code to app.js
    28:45 - Taking a look at the APP.JS source code and discovering a Hash Length Extension attack
    38:14 - Performing the Hash Lenght Extension attack and then using FFUF to find the length of the secret
    45:00 - Have another File Disclosure, chaining it with the /proc symlink to read an SSH key to get shell on the box
    52:45 - Discovering port 9999
    58:00 - Opening the PHP Library up in Ghidra and discovering an integer overflow
    1:04:00 - Creating a C Program to explain the integer overflow
    1:11:50 - Setting up a test environment so we can debug the PHP Library and see how it behaves
    1:17:15 - Getting a breakpoint to work and stepping through things in lverifier.so
    1:21:00 - Creating a pattern so we can see where we write data to
    1:24:22 - Creating a python script to build our payload
    1:35:50 - Running into an issue, discovering the first parameter doesn't terminate where we thought and the fopen call fails. Playing with the exploit to find a way to terminate fopen (linebreak)
    1:46:45 - Burpsuite wasn't URL Encoded a linebreak, doing it ourselves and then getting shell

ความคิดเห็น • 27

  • @AAHyo
    @AAHyo หลายเดือนก่อน +29

    Always when I hate myself, I'm watching ippsec's insane box walkthroughs, so I can feel even more stupid

  • @pavi013
    @pavi013 หลายเดือนก่อน +5

    Even if you can't do the box, its good to take all the knowledge.

  • @KohzmikYT
    @KohzmikYT หลายเดือนก่อน +13

    Idk how people think of these, I can barely do a medium box, let alone a insane one. You're insane ippsec, much love from south africa

    • @Siik94Skillz
      @Siik94Skillz หลายเดือนก่อน +1

      Experience... thats how

  • @antoniob.6515
    @antoniob.6515 หลายเดือนก่อน +1

    Insane… ❤I cannot even imagine how much you have studied to reach this level

  • @and_I_am_Life_the_fixer_of_all
    @and_I_am_Life_the_fixer_of_all 29 วันที่ผ่านมา

    man, I love some aspects of this box

  • @csgosmoke
    @csgosmoke หลายเดือนก่อน +1

    I give up on this one because I can't able to get the foothold but hey thanks for uploading this will try to understand where I lack

  • @george___43
    @george___43 หลายเดือนก่อน

    Awesome!!!!

  • @NatteeSetobol
    @NatteeSetobol 24 วันที่ผ่านมา

    Awesome box. I wish we could debug the HTTP smuggling part so we could figure out why it was acting the way it acted when you added a third header. Also, I used xclip -o > file.txt to paste into a file in a terminal and use tmux loadbuffer - to load data in the tmux buffer. Thanks for the video!

  • @sponge5643
    @sponge5643 หลายเดือนก่อน

    The best.

  • @Giyosiddin_Muxammadiyev-
    @Giyosiddin_Muxammadiyev- หลายเดือนก่อน

    Good !

  • @ujsimrananees
    @ujsimrananees หลายเดือนก่อน

    Could you point to a resource where I could study more in detail about this Hash extension attack?

  • @thedude4723
    @thedude4723 หลายเดือนก่อน +1

    My head hurts

  • @elcapitanodeltimbuktu1O1sir
    @elcapitanodeltimbuktu1O1sir หลายเดือนก่อน

    Its Gonna Be More Fun If Using HTTP/2 Pipeline 😊

  • @tg7943
    @tg7943 หลายเดือนก่อน

    Push!

  • @takatoekoe
    @takatoekoe หลายเดือนก่อน

    what certs do you have?

  • @maniakdemi3548
    @maniakdemi3548 หลายเดือนก่อน

    Awesome

  • @coltonthomas3658
    @coltonthomas3658 หลายเดือนก่อน

    How long does it take to do a box like this?

    • @Darius1013
      @Darius1013 หลายเดือนก่อน

      It depends on your skill level - if you understand basic concepts and how stack works - it takes few hours to get foothold and pwn root, but if you have lack of knowledge in some parts - you can spend at least few hours filling your gaps (and i'm not talking about basic tooling, but more how stack handles stuff - in this case you needed to understand HA proxy overflow and do debugging on lib file - if you already run into this HA exploit - its way easier, if you did other debugging - again - not so hard as start from 0). So i would say on average it can take from few hours to few days - depending on your skills - and if you can't do it in few days - you're lacking basic skills on some specific parts (you can train them on easier machines), or missed something - can't find anything in day - check your notes again, try different angles and finally rabbit holes - you can dig deep where is nothing - it takes time, and give 0 results, but sometimes you can find unintended ways to hack the box, so idk, maybe they are not so bad.. Funniest part is adventure, so just try and if you fail, you still learn something and will do better on next one :)

    • @AUBCodeII
      @AUBCodeII 10 วันที่ผ่านมา

      xct, currently ranked #1 on HTB, took 17 hours, 50 minutes and 57 seconds to get system blood.

  • @AUBCodeII
    @AUBCodeII หลายเดือนก่อน +4

    Hi Ipp, today is my birthday :3

    • @ippsec
      @ippsec  หลายเดือนก่อน +9

      Happy birthday!

    • @AUBCodeII
      @AUBCodeII หลายเดือนก่อน +1

      @@ippsec thanks! 😊

  • @berthold9582
    @berthold9582 หลายเดือนก่อน

    I never click on an insane box 🤧

  • @genelkanininaksine
    @genelkanininaksine หลายเดือนก่อน +1

    Ippsec the legend

  • @ihavelowiq2723
    @ihavelowiq2723 29 วันที่ผ่านมา

    in here i don't understand this. (!(d(q.headers['identification']).includes("::admin:True"))) in this check, d() returns value. how to check admin:true in it?

    • @ihavelowiq2723
      @ihavelowiq2723 29 วันที่ผ่านมา

      i ran the code and it just works. :|