HackTheBox - Fortune

IppSec · Beginner ·🖊️ Copywriting & Content Strategy ·6y ago

Key Takeaways

The video demonstrates a step-by-step approach to hacking the HackTheBox box 'Fortune' using various tools and techniques such as nmap, OpenSSL, burp, wfuzz, and Python scripting. The video covers topics such as command injection, SSL/TLS, and SSH authentication.

Full Transcript

what's going on youtube this is ipsec and we're doing fortune from hack the box and this video may be a bit short or jumpy because i believe i caught a cold while at a conference in europe last week so talking isn't on the highest on my priority list right now that being said the box itself was rated as insane but i'd probably put it as medium to heard if you've done all the previous hack the box machines because there isn't really anything new other than it just being on a unfamiliar os which is bsd it starts off with a super easy web injection then goes into creating a client certificate that we've done in like la casa de papel i've done in the securing vendor web app video i think sizzle did it so client ssl certificates we've done a few times after that there's some nfs tomfoolery which we did in the jail video a long time ago and then after that it's just decrypting a password that's in a postgres database so there's nothing extremely hard about this box it's just putting together an attack chain and working on an os you're not familiar with so that being said let's just jump in as always we're going to start off with the nmap so dash sc for default scripts sv enumerate versions oh a output all formats pin the nmap directory and call it fortune and then the ip address which is 10 10 10 127 this can take some time to run so i've already ran it looking at the results we have just three ports open the first one is ssh on port 22 and that banner says it's open ssh 7.9 the next thing we have is http on port 80 and it says openbsd httpd which means this is an open bsd box doesn't mean all that much to me when i'm looking at openbsd web servers i just know that it's going to be slightly annoying because the command line arguments or file locations may be in different things so whenever i do my initial exploits i do something extremely basic because if i try just like a command that normally works on linux may not work on bsd and i'll get a false negative which means i exploited a thing but it failed so i thought my exploit failed so just keep that in mind as we move forward the next thing we have is nmap thinking this is https because it is 443 and it's open but none of the scripts successfully completed we see the output of ssl date says tls randomness does not represent time don't know what that means so let's start off by looking at port 443 so i'm going to go to https 10 10 10 127 and we see right off the bat it's asking us to present a certificate if you don't get the screen chances are you just haven't done other boxes or watched other videos because this certificate we had created in the money heist video or la casa de papel and then this other certificate is one we had created and i think the securing vendor web apps so we can uncheck remember this decision and go forward and we just get ssl error unknown ca alert if we try to grab this certificate firefox does not appear to be letting us so i'm going to use openssl to grab the certificate and look at it so we'll do open ssl uh s underscore client dash connect 10 10 10 127 port 443 and if we look at the results we can see the certificate but we also get two potential users we have charlie and bob and they're at fortune.htb which is most likely the host name of this box and then we also see there is a intermediate ca which is just a certificate authority that's signed by the root ca and this is more for like com security by compartmentalization so you have multiple intermediate cas and you may say hey this uh branch of this company gets this ca this branch gets this ca and that way if a branch of the company gets compromised not all your certificates are compromised you can just revoke that one compromise branches intermediate ca things that it sign and you'll be fine once you put a new one out so just more of just not putting all your eggs in the same basket with intermediate ca but it behaves just like a root ca cert if you do get this maybe that makes sense maybe it doesn't but let's move on since this is requiring a client cert there's nothing we can really do on that port so the other port that was listing is 80 so let's check out what is on port 80. so i'm just going to get rid of this s go to this website and we say please choose from a database of fortunes so i'm going to click fortunes next and we just get your fortune is if i refresh the page it's just choosing random things if we go try again click submit we get something else so let's just see exactly what's happening in boom so i'm going to switch my proxy to burp make sure we are intercepting intercept is on click try again let's pick star trek and submit um i clicked but it went on default that is odd and it doesn't appear to be intercepting no it is okay so we have it intercepted click go and here is the output so we can play with it a little bit by just seeing what happens if we put a bad database so like please subscribe and see what the error message looks like it just doesn't give us a fortune if we put like a star it doesn't do anything we do star trek or one equals one try like star trek and then a comment and we just see it airing out so generally what i do is i switch to w fuzz and let's do a quick special character fuzz so we'll do w fuzz dash w for word list user share sec list then fuzzing and special characters and then we would do dash d to do data this would be db equals star trek and then fuzz and capital and the url which is http 10 10 10 127 so what that's going to do if you look at the special character fuzzing list it's just a list of special characters so we'll just put all the characters in and see what happens so it looks like uh oh we didn't do slash select there we go so we have mostly things that are 293 so we can just put like an underscore and see what happens i'm guessing that means there was no fortune so if there's no fortune it's going to be a length of 293 characters so i'm gonna do dash dash h to hide characters and i'll specify 293 and run this fuzz again and we get only four um outliers or abnormally sir whatever the ampersand and that is 364 which is odd but if you think about it we get random fortunes every time so this is 581 bytes now it's 5 30 bytes because the fortune changed and this may just be doing some type of url encoding so let's uh url encode it and we still get a fortune so and it doesn't really affect it let's look at plus so if we do a plus nothing happens if we url encode the plus we get no fortune so plus definitely messes up and i'm thinking maybe the plus doesn't do anything because the server may translate this into a space and then star trek space it may just chop off that space and it may work so that is odd we got a backslash so let's try that click go nothing happens and backslash is known for escaping characters so if it escapes it shouldn't really do anything if we put a backslash before r and escape r because escaping r does nothing if we escape the escape and then put r this probably will fail yep but if we put 3 let's see what happens it still fails so backslash is being used as an escape most likely and then we have a semicolon so if we put a semicolon to end a star trek nothing happens so based upon these i'm going to guess there's potentially command injection because all these are known for like interacting with a command line like the ampersand backslash and semicolon this plus we think it's just a false positive because it wasn't url encoded and got treated as a space so let's try semicolon id for like a command and we get a command ran so we can do like which and c to see if netcat is on the box we see it is user bin nc so we should be able to netcat back to us so 10 10 14 3 port 443 nc lvmp 443 click go and we don't get any connection back so there may be a firewall we can also just double check or turn zero it is 10 10 14 3 we could try icmp so tcp dump dash i time zero icmp and we can do i really hope it's dash c that's c1 let's see uh ping dash c1 127.001 that went once hopefully bsd doesn't change this 10 10 14 3 go and we can ping but we just can't do netcat so let's just create a python program to make explaining this a bit easier because it's just a pain reading the output and this we could probably just do db equals semicolon id and then click go and we got a random fortune with no db that's funny um and you could also go into burp options i think if you wanted to use burp and create a hotkey is it miscellaneous yeah hotkeys so if we edit hotkeys it should be a repeater go and there it is issue repeater request so you can just click on the hotkey and then do like control enter click ok and then when you go to the repeater tab you can just hit control enter to run commands so we could change it from id to ls-la control enter and see commands but this is still a bit of a pain to read results so let's go over to python and create a quick program let's call this cmd inject.pi and then we can do our import statements the first one we want of course is a request to make http request then we want regular expressions because we want to grab the output of our command because we don't want to grab all this stuff and thinking about this we could probably just put a bad database like please sub and then semicolon and that doesn't give us fortunes because the command fails so putting something here is better than nothing because if you have nothing you get a fortune if you have something you don't get a fortune so keep that in mind and the last thing we want is or like command or cli program or class that we always use this should be familiar to you we do it seems like every other video i create a script using this so you should know this by now the prompt is just going to be with the um terminal is you'll see in a second and we got to create the default function so self args and for now we'll just print it out and then let's create the loop so terminal and term is cmd so let's just make sure this works okay and this should just print hello world there we go so our cli is working now we're going to actually make the request so let's do def run cmd cmd and data this can be the post request so db and then i think there's format string i forget what the f stands for but it makes us be able to do things much easier so we want to put something that doesn't exist so a this is going to make it so we don't see the fortune i'm going to do echo dash n please support me and then we'll do cmd there's going to be the command and then echo dash n on patreon we'll just leave it at that and what that's doing is if we just put in something here so we can do like echo dash n test echo dash n test and run this now a regular expression can just grab what is in between the two variables so that's why i did those two okay that should be good there now we got to make the request so r is equal to and this is all red so we forgot something there we go close out the single quote request dot post http 10 10 10 127 select and then data is equal to data to send that post request and we can print our text and this print can be run cmd so now when we run this we can do who am i and we have the command or it being ran you can see the please support me underscore fortune on patreon if we did lsla you have that so the next thing we have to do is the regular expression just only grab the result of our command so let's do we can do page is equal to r.text and then m is equal to regular expression.search please support me dot star question mark and then on patreon and that and then the variable we want to search we can say if m so if this command found anything whoops then print m dot group one else return one or we can just print one here this is really sloppy code ls and we're always returning one so if we think about this we have multiple lines so the regular expression's never completing by default the period doesn't match new lines so if we just add another comma here and do re dot all that means the period is going to match everything this will probably work now ls there we go so now we have a pseudoshell i'm just going to clean this up a little bit we want to return return and we can do output and print output so there we go so have our commands we can now see things on this box i'm going to do a ps dash ax i think there we go and we can see what is running so nothing looks interesting up there except we do have nfs but we didn't have any nfs ports we have smtpd um we have ver app server fortune ssh auth and then the command we ran and we also have postgres so let's take a look at what's in this var app serve so i'm just going to do find slash var app srv and we have two things added ls so we can see the permissions let's see read it looks like we can read almost everything the only thing we can't read is this ver app serve ssh all postgres pass at least that's what i'm guessing pg stands for and we'd have to be the ssh auth user to read that um we can check take a look at what this fortune dot pi is so let's see cmd db selection so this is the application that we are exploiting so we see this is a python flask application and um whoops i'll create a to do here if you wanted to improve this um do do d encode or decode html entities i think that's what those are called but in order to avoid cross-site scripting it is putting the variables in html entities so i think these are quotes we could copy this over into burp go to decoder and then decode as html that is a single quote so let's see dbs request form so shell command is equal to cmd plus selection selection is that db variable and that just does os dot p open which is process open on that shell command with no sanitization so that is why are exploits working let's go and look at the other application which is ssh auth so we can look at the configuration file first see what this is doesn't really look too interesting let's do where's the python script go here cut this file and let's see what it's doing some type of ssh generation so insert into authorized keys we got ssh generation here connecting to the database auth pf user is appserve doesn't have any passwords so let's see off pf is only there so auth pf is a bsd thing i think so if we do etsy auth pf we have off bf rules so if we get this we see the external interface is em0 we do ifconfig that is 10 10 10 127 and pass in quick on external interface tcp udp from user ip to extif so this is saying if someone logs into this box create these firewall rules pf stands for packet filter which is bsd's version of iptables so if a user gets in the box then open up all the ports so we have to figure out how to get on the box and i'm guessing because of um this being a flask app that this is also this one is on port 443 that ssl that we couldn't access so let's find out if we can or see if we can find that intermediate ca for signing keys so then we can create our own certificate so i'm going to do find slash dash name i'm going to do star dot csr pipe errors to dev null because we're going to read a bunch of directories and just get errors if we don't do this uh oh it doesn't give error messages normally whenever i run these commands i always send a error message devenall so let's do name another extension for certificate is pem pem and we get a bunch of stuff in slash home so home bob has a bunch of certificates i'm guessing thousand dot pem is probably going to be his user certificate if we cut this copy we probably should create a way to save files in a python script but i'm lazy so we can v one thousand dot pem paste and then do um what is it open ssl uh what's the certificate it's not pkcs um the other one x59 that's the type of certificate this probably is dash in one thousand dot pem dash text and we can see the subject is bob at fortune.hdb the issuer is going to be the fortune root ca um i'm not sure exactly what certificate this is i really hate ssl um let's just go back instead of figuring out what these certificates are let's just download the ones we think we need and generate our own so intermediate.shirt.pem this is most likely just based upon where it is going to be the intermittent intermediate cas um public cert so we can get out here v let's make our own directory certs cd certs v intermediate dot ca and then we will cut this whoops then go into copy mode copy this all and then paste it so the next certificate we want is the private key which is probably going to be in this private folder so we can cat this copy and then paste this so this would be intermediate dot key and dot ca isn't a extension this can be intermediate dot cert that's normally what public keys are called okay so the next thing we need is that's probably it so we can try assigning this so we'll have to generate erki so we'll do open sl gen rsa dash out ipsec dot key we'll do 20 48 bytes there we go or 20 48 bits now we have to create a certificate signing request so open ssl request new key ipsec dot key dash out ipsec dot csr and we'll just put enter for a bunch of things actually it doesn't matter but for the organization name i do want to put fortune just for organizational purposes and then fqdm we'll do ipsec at fortune.hdb again these can be anything this is just so when my firefox pops up i know which certificate to select so we got my certificate signing request let's try signing this so openssl x509 dash request in ipsec dot csr ca intermediate dot cert then dash ca key intermediate dot key then we'll create a serial number for the certificate and we'll export it as ipsec dot p e m days thousand twenty four sha256 looks like it generated freecat ipsec.pem we can see that we can also do openssl x509 ipsec pam and see the subject of this certificate and the person who signed it so in order to go into a browser we have to package it up into uh pkcs12 format so open ssl pkcs12 export out ipsec.pfx n key this will be ipsec dot key my private key dash n ipsec dot pem this is the signed request and the cert file is going to be intermediate.cert the um public key of the ca let's not put a password on it and hope everything works so go into firefox certificates go to your certificates import ipsec.pfx no password and we can see we are there so let's do https 10 10 10 127 and turn burp off and we want to make sure we give it our fortune certificate click ok and can't validate that is odd let's try maybe it's dns 10 10 14 nope 10 10 10 127 fortune.htb try the hostname https fortune.htb [Music] give it the certificate why are we getting bad cert let's see certificates it's always annoying um authorities this starts with an f fortune intermediate trust it edit trust can identify websites sure i don't think it needs that that's probably just a really stupid thing to do let's clear history maybe clear everything fortune.htb don't remember go weird i'm not sure why this isn't working um let's see maybe it's time maybe the certificate or the server is rejecting our certificate so let's go up run date 1944 and our server is 1952. so the box is a few minutes behind which means it's probably rejecting a certificate because we're signing it at like 1950 and the server's like wait it hasn't hit that time yet it's not valid so we probably just got to give it some time for this to work so if we i'll just give it five minutes so i'll resume the video at like 1957 and we'll see if it works so it's been about five minutes let's just try it again and success so lesson learned whenever you're doing anything with ssl or crypto and it's not working make sure you check the time i've burned a ton of hours with errors like that so this page says you will need to use the local auth pf service to obtain elevated network access if you do not already have the appropriate ssh key pair then generate one here we click this it gives us the sh key and that wants us to log in so let's save this file we'll save it as fortune.ssh paste chmod 600 fortune.ssh i'm going to cat etsy passwd to see what user this most likely is and we see at the very bottom the nfs user has the shell user s pen auth pf so if we do sh-i nfs user at 10 10 10 127 and uh fortune.ssh so dash i specifies the key and then we're going into this box so it says hello nfs user you are now authenticated from the host 10 10 14 3 so we can do nmap dash p dash to do all ports 10 10 14 3 and we'll do dash v shorts so it shows us open ports as it finds them um 10 10 127. don't want to unmap ourselves and if you want you can always just go to like google and do auth pf open bsd and you can see exactly what it is user shell for authentication gateways so um let's not do dash p dash let's just do that to get the top 1000 ports and see what else it responds on we have port 111 port 8081 port 2049 we can see what 8081 is so if we do colon 8081 secure connection failed we can do like open sl s client connect 10 10 10 127 8081 and probably not https pg admin for service is unavailable see charlie for details and then we also get 2049 which makes sense because that's the nfs port and we are the nfs user so we can do show mount dash e 10 10 10 127 not found apt install i think nfs common is what this is and if you want a good video on nfs go back and watch my jail video it's one of my earlier hdb videos but that box had a ton of things to do with nfs so definitely check that out as we're only going to scratch the surface here so now that the nfs common package is installed we can do the show mount command 10 10 10 127 and we can see the share slash home is accessible by everyone if this had an ip address here then it would only be accessible to that ip this is also i think works with host names as well but everyone means we should be able to mount it i'm going to do mount t nfs dash o v e r s stands for version 2 then 10 10 10 127 specify the home share and then we're going to mount it in mnt i specify version 2 because nfs version 2 doesn't really have any authentication or authorization it trusts the client to provide everything so if we go into slash mount and do a lsla we can see the users of home if we try to do ls charlie we give a permission denied we can see that's uid 1000. so if i just create the user please sub and we edit my uid to be 1000 will be able to access that charla user so change please sub to 1000 i'm also going to go change the user ip to be 1001. so now if i do lsla we can see ip is the owner of bob and please sub is the owner of charlie so if i do please sub and then we go cd slash mount charlie do it ls now we can get in we can do wc-c user.txt see we can read that file there's also the file mbox which is from bob to charlie and he's telling him that he has set the dba password for postgres to be the same as the root password so now we have to know uh there's a password inside the postgres database and that password is going to be the one that we can use to ask you to root so let's first try to escalate to the bob user so let's see ls-la uh we have the dot ssh directory so we can create the authorized key but before i do that i'm just going to test something with set uid binaries because that's generally how i exploit nfs servers so let's just see if that path is valid so i'm going to ask you to the ip user because that has the same uid as bob and bob has the directory that is world readable so we could just create stuff in bob and execute it from the web server so if we can put a set uid program here then potentially we could just run commands from the web server as charlie so i'm going to touch test and then we're going to go into bob from um charlie and we can do ch own uh who is my user here please sub test and nfs isn't letting us change the owner the file so can't really do anything there because set uid will take the permissions of who owns the file and if we can't change our owner then uh we're dead in the waters we can try chmod 777 test and now try this command again ch own please sub test and we still can't so let's just go down the path of ssh so cd charlie and again if you want to see that set uid binary stuff with nfs check out the jail video so go into the ssh directory and then we just have to generate a key so ssh keygen um f charlie.ssh and we got charlie sshpub so we can copy this echo whoops uh echo i hate when i copy line breaks i just did it again there we go two whoa terminal screwed up hopefully this works authorized keys and i type with that all let's just control c maximize the window and do this again echo paste to authorized keys cat the file okay we have written that so you can do chmod 600 charlie.ssh sh ssh i charlie.ssh charlie at 10 10 10 127. and we are in the box as charlie and now we should be able to go into the app server directory we saw as the web user so pg admin 4 lsla and we're in so if we do file pg admin 4 dot db we see it's just a sqlite 3 database so do sqlite 3 pg admin 4.db and we could do dot dump to dump the database which we see looks like the credentials right here but if we want to be a bit more surgical we could try dot schema and this is going to be like um show tables or describe database so things like that but we can see all the columns in each table so if we just ran the command dot schema and grep for create let's do grep i for create we can see all the tables so we got user or version user role settings whatnot but passwords will probably be in user and server so we could just do select star from user and we see two things so let's copy this and let's see i don't think we need that authentication anymore exit this the notes paste that that'll be helpful and then the we do need that uh let's do that ssh command again why do i need that i thought sh was listening yeah so i guess just closing that nfs thing when packet filter reset it killed my ssh connection but yeah let's go back into ver app serve pg admin 4 to life history i don't uh we can do sql light 3 pg admin 4.db select star from server and then grab this as well so now we have to find out what exactly this is because it looks like base64 but if we echo dash n paste base64-d we don't have base64 command let's go down echo dash n base64-d it's just gibberish so it's encrypted somehow so we have to figure out how to decrypt this so if we cat pg admin 4.ini the configuration file it's pointing us to a few things we got a virtual environment web socket let's check this virtual environment looks like it's just like libraries for this python package web if we look in web it looks like this is the source code to the application so what i'm going to do is we'll do a grep dash i for case insensitive capital r to go recursively dash l to only show me file names and let's try password and everything and we get a ton of hits on password so let's do something different let's see how do we do decryption so we do that on decrypt and we have much less hits so let's see pg admin utils crypto.pi that definitely looks interesting so if we go into this look at decrypt we can see it's a function you pass the ciphertext and the key so now we want to find what the key is so i'm going to do grep dash r again recursive and i'm going to look for everything that calls decrypt and we see up here the server groups net.pi decrypted password is equal to manager password and user password again all of these are calling user password if we look into this we could potentially see it let's look at user from flash security import current user login required let's see decrypt decrypted password let's see i'm not sure exactly where this is getting set grab dasher it's probably in one of those flask libraries which means it's going to be pain let's do irl let's see [Music] i'll leave that for you to hunt around for where that pass was being set let's just copy this um config file so if we go into crypto.pi let's just copy this into slash temp chmod 777 slash temp crypto.pi and then we will execute it with a web server to cat it so python3 now to view it just an easy way to get it on a box i guess i don't know why i'm even doing this because we could just do it this way the same exact thing um cat we'll just cut the file for some reason i was thinking my um python script had the ability to download files but it doesn't so we'll just do it this way copy it go here v crypto dot pi paste set mode to paste paste now we need to decrypt and we need just need to paste it in so i guess i can save notes cat notes and we want to take this paste and i think the message was from bob to charlie so we can do his password which is right here copy this which is the user password that didn't paste where i wanted to paste it and when we execute we have to do print i don't think this is a python3 library there we go so reuse of passwords like this is a bad idea if we copy this try it in the fortune user we can escalate to root so that is the box i hope you guys enjoyed the video sorry it's short and probably not as in-depth as normal but talking is painful right now as i'm just getting over a cold so see you all next week take care

Original Description

01:04 - Begin of recon 04:41 - Exploring the web page on port 80 06:02 - Using wfuzz to do a special character fuzz to identify odd behavior and discover command injection 11:06 - Creating a hotkey in Burpsuite to send requests in repeater pane 11:50 - Start of creating a python program to automate this 17:30 - Script finished 18:30 - Exploring /var/appsrv 21:15 - Exploring authpf 22:30 - Hunting for the signing key for the CA to view HTTPS 24:40 - Copying the certificates to our box 26:00 - Creating and signing a Client Certificate 28:50 - Importing the certificate into FireFox 30:49 - Discovering the reason our certificate isn't working (time of server is behind) 31:50 - Accessing the HTTPS Website to get a SSH key for NFSUSER 33:40 - Discovering additional ports are open after using SSH with NFSUSER 34:45 - Installing the NFS-COMMON package to get the showmount binary 35:10 - Mounting a NFS Share with Version 2 36:00 - Editing our User ID on our box to gain access to the NFS Directories 37:00 - Reading mail to discover that the root password is set to the Postgres databases root pw 37:30 - Testing if we could setup a SetUID Binary with this NFS (Check Jail Video for this being successful) 40:20 - SSH into the box as Charlie and dumping the database 43:40 - Exploring the source code to the web application 47:00 - Copying the crypto python script to our box, which will let us decrypt it 47:40 - Copying the secrets into the crypto python script and decrypting the password
Watch on YouTube ↗ (saves to browser)
Sign in to unlock AI tutor explanation · ⚡30

Playlist

Uploads from IppSec · IppSec · 0 of 60

← Previous Next →
1 HHC2016 - Analytics
HHC2016 - Analytics
IppSec
2 HackTheBox - October
HackTheBox - October
IppSec
3 HackTheBox - Arctic
HackTheBox - Arctic
IppSec
4 HackTheBox - Brainfuck
HackTheBox - Brainfuck
IppSec
5 HackTheBox - Bank
HackTheBox - Bank
IppSec
6 HackTheBox - Joker
HackTheBox - Joker
IppSec
7 HackTheBox - Lazy
HackTheBox - Lazy
IppSec
8 Camp CTF 2015 - Bitterman
Camp CTF 2015 - Bitterman
IppSec
9 HackTheBox - Devel
HackTheBox - Devel
IppSec
10 Reversing Malicious Office Document (Macro) Emotet(?)
Reversing Malicious Office Document (Macro) Emotet(?)
IppSec
11 HackTheBox - Granny and Grandpa
HackTheBox - Granny and Grandpa
IppSec
12 HackTheBox - Pivoting Update: Granny and Grandpa
HackTheBox - Pivoting Update: Granny and Grandpa
IppSec
13 HackTheBox - Optimum
HackTheBox - Optimum
IppSec
14 HackTheBox - Charon
HackTheBox - Charon
IppSec
15 HackTheBox - Sneaky
HackTheBox - Sneaky
IppSec
16 HackTheBox - Holiday
HackTheBox - Holiday
IppSec
17 HackTheBox - Europa
HackTheBox - Europa
IppSec
18 Introduction to tmux
Introduction to tmux
IppSec
19 HackTheBox - Blocky
HackTheBox - Blocky
IppSec
20 HackTheBox - Nineveh
HackTheBox - Nineveh
IppSec
21 HackTheBox - Jail
HackTheBox - Jail
IppSec
22 HackTheBox - Blue
HackTheBox - Blue
IppSec
23 HackTheBox - Calamity
HackTheBox - Calamity
IppSec
24 HackTheBox - Shrek
HackTheBox - Shrek
IppSec
25 HackTheBox - Mirai
HackTheBox - Mirai
IppSec
26 HackTheBox - Shocker
HackTheBox - Shocker
IppSec
27 HackTheBox - Mantis
HackTheBox - Mantis
IppSec
28 HackTheBox - Node
HackTheBox - Node
IppSec
29 HackTheBox - Kotarak
HackTheBox - Kotarak
IppSec
30 HackTheBox - Enterprise
HackTheBox - Enterprise
IppSec
31 HackTheBox - Sense
HackTheBox - Sense
IppSec
32 HackTheBox - Minion
HackTheBox - Minion
IppSec
33 VulnHub - Sokar
VulnHub - Sokar
IppSec
34 VulnHub - Pinkys Palace v2
VulnHub - Pinkys Palace v2
IppSec
35 HackTheBox - Inception
HackTheBox - Inception
IppSec
36 Vulnhub - Trollcave 1.2
Vulnhub - Trollcave 1.2
IppSec
37 HackTheBox - Ariekei
HackTheBox - Ariekei
IppSec
38 HackTheBox - Flux Capacitor
HackTheBox - Flux Capacitor
IppSec
39 HackTheBox - Jeeves
HackTheBox - Jeeves
IppSec
40 HackTheBox - Tally
HackTheBox - Tally
IppSec
41 HackTheBox - CrimeStoppers
HackTheBox - CrimeStoppers
IppSec
42 HackTheBox - Fulcrum
HackTheBox - Fulcrum
IppSec
43 HackTheBox - Chatterbox
HackTheBox - Chatterbox
IppSec
44 HackTheBox - Falafel
HackTheBox - Falafel
IppSec
45 How To Create Empire Modules
How To Create Empire Modules
IppSec
46 HackTheBox - Nightmare
HackTheBox - Nightmare
IppSec
47 HackTheBox - Nightmarev2  - Speed Run/Unintended Solutions
HackTheBox - Nightmarev2 - Speed Run/Unintended Solutions
IppSec
48 HackTheBox - Bart
HackTheBox - Bart
IppSec
49 HackTheBox -  Aragog
HackTheBox - Aragog
IppSec
50 HackTheBox - Valentine
HackTheBox - Valentine
IppSec
51 HackTheBox - Silo
HackTheBox - Silo
IppSec
52 HackTheBox - Rabbit
HackTheBox - Rabbit
IppSec
53 HackTheBox - Celestial
HackTheBox - Celestial
IppSec
54 HackTheBox - Stratosphere
HackTheBox - Stratosphere
IppSec
55 HackTheBox - Poison
HackTheBox - Poison
IppSec
56 HackTheBox - Canape
HackTheBox - Canape
IppSec
57 HackTheBox - Olympus
HackTheBox - Olympus
IppSec
58 HackTheBox - Sunday
HackTheBox - Sunday
IppSec
59 HackTheBox - Fighter
HackTheBox - Fighter
IppSec
60 HackTheBox - Bounty
HackTheBox - Bounty
IppSec

The video provides a comprehensive guide to hacking the HackTheBox box 'Fortune' using various tools and techniques. It covers topics such as command injection, SSL/TLS, and SSH authentication, and demonstrates how to use Python scripting to automate the hacking process. The video is suitable for beginners and intermediate learners who want to improve their hacking skills.

Key Takeaways
  1. Run nmap to scan the box and identify open ports
  2. Use OpenSSL to grab the certificate from the https site
  3. Use burp to intercept and analyze HTTP requests
  4. Use wfuzz to fuzz the website with special characters
  5. Create a Python program to automate the hacking process
💡 The video demonstrates how to use a combination of tools and techniques to exploit vulnerabilities in web applications and gain unauthorized access to a system.

Related Reads

Chapters (24)

1:04 Begin of recon
4:41 Exploring the web page on port 80
6:02 Using wfuzz to do a special character fuzz to identify odd behavior and discov
11:06 Creating a hotkey in Burpsuite to send requests in repeater pane
11:50 Start of creating a python program to automate this
17:30 Script finished
18:30 Exploring /var/appsrv
21:15 Exploring authpf
22:30 Hunting for the signing key for the CA to view HTTPS
24:40 Copying the certificates to our box
26:00 Creating and signing a Client Certificate
28:50 Importing the certificate into FireFox
30:49 Discovering the reason our certificate isn't working (time of server is behind
31:50 Accessing the HTTPS Website to get a SSH key for NFSUSER
33:40 Discovering additional ports are open after using SSH with NFSUSER
34:45 Installing the NFS-COMMON package to get the showmount binary
35:10 Mounting a NFS Share with Version 2
36:00 Editing our User ID on our box to gain access to the NFS Directories
37:00 Reading mail to discover that the root password is set to the Postgres databas
37:30 Testing if we could setup a SetUID Binary with this NFS (Check Jail Video for
40:20 SSH into the box as Charlie and dumping the database
43:40 Exploring the source code to the web application
47:00 Copying the crypto python script to our box, which will let us decrypt it
47:40 Copying the secrets into the crypto python script and decrypting the password
Up next
What is copywriting for SEO?
LinkBuilding HQ
Watch →