HackTheBox - Perfection

IppSec · Beginner · 🔐 Cybersecurity · 1y ago

Key Takeaways

The video walks through the HackTheBox machine Perfection. An nmap scan shows only SSH and an nginx-fronted web application (a Weighted Grade Calculator) whose footer discloses WEBrick 1.7.0 and whose Server header discloses Ruby 3.0.2. The calculator's input filter is enumerated with ffuf and a special-characters wordlist (URL-encoded through a jq one-liner), which shows that almost every symbol is rejected. The filter turns out to be a regex whitelist anchored with ^ and $, which only examines one line at a time, so a URL-encoded newline (%0a) followed by an ERB tag (<%= ... %>) passes the check and is evaluated by ERB.new, giving command execution and a reverse shell. On the box, mail to the user susan discloses the password format (first name, underscore, first name reversed, underscore, a random integer), the SHA-256 hashes are pulled from a SQLite database, and hashcat's brute-force attack mode (-a 3) with a mask cracks susan's password, which then works for sudo.

Full Transcript

What's going on, YouTube? This is IppSec. I'm doing Perfection from HackTheBox, which starts out with hacking a web application that calculates weighted grades. The vulnerability here is like an SSTI. I don't know if it exactly is server-side template injection, but it behaves very much like one. However, the trick is there is some type of filter in place that blocks a lot of characters from being sent. However, if you send a line break, that bypasses the regular expression that is looking for bad characters. In this case it's actually a whitelist, but if you send the line break then you can send any character you want, you can trigger some code execution, and get a shell on the box. Then once you get on the box there is a piece of mail that talks about the password format, and you have to extract the password hash out of a SQLite database and then use a custom rule in hashcat to brute force the password. So with that being said, let's just jump in.

As always I'm going to start off with an nmap, so -sC for default scripts, -sV enumerate versions, -vv double verbose (this gives us the TTL), -oA output all formats, put it in the nmap directory and call it Perfection, then 10.10.11.253 is the IP address. This can take some time to run, so I've already ran it. Looking at the results we have just two ports open, the first one being SSH on port 22, and the banner tells us it's an Ubuntu server. We also have HTTP on port 80; the banner tells us it's nginx, and the HTTP title tells us it's a Weighted Grade Calculator. There's not much in the nmap, so let's just go take a look at the website.

So going to 10.10.11.253 we get the Weighted Grade Calculator. Looking at it there's not that much information. We see "made by Secure Tools", but the thing that really sticks out to me is WEBrick version 1.7.0. Whenever I have something like this and it discloses what it's made by, I always go and look for exploits. I'm going to check out Exploit-DB. I know you can use searchsploit on your box, but I still like going to the web page. Looking at this I see the dates of like 2008, 2010, 2011. This may look like it's vulnerable because it's Ruby 1.9.1, but it said WEBrick 1.7.0; I'm guessing this is the version of Ruby itself. Whenever I'm confused like this I always Google, like "webrick 1.7.0 release notes", and see when this was released, because maybe it's the version of the Ruby language itself instead of the library. We see 1.7.0 was released in 2020, and all these exploits are well before that. So we could go Google looking for things, maybe it's not on Exploit-DB, but let's just keep taking a look at the website.

So we go to About Us; we have some names, we have Tina Smith and Susan Miller, but I don't see a login form, so I can't really start trying default credentials or things like that. If we go to Calculate Weighted Grade we have this form. So I'm just going to try to fill this out. Let's do a grade of 1, weight of 20, and see what happens here. We need to fill out all the things, that's going to be annoying; let's do asd, 1. Okay, so I'm going to go into Burp Suite to intercept this so we can easily replay it if we want to, and click submit, and we see "Please reenter, weights do not add up to 100". So we have to make sure all the weights add up to 100. I'm just going to replay this request so we don't waste 20 seconds typing it over again. I'm going to send the request, and I want to see where that error message is; we have it right here. I'm going to search the page for /form, go to the little gear icon, auto-scroll when text changes, so now we don't have to keep scrolling to see it. So let's make sure our weights add up to 100: I'm just going to put all the weights at 20, because there's five, so 20 times 5 is going to be 100. Send it and we see our total grade is 7%. So what I want to do here is, let's see, if I change this to be a 20 we have 10%. So let's try 1*20, and we have "Malicious input blocked". So there is some type of filter here.

We can try it in the category as well. Let's do like {{7*7}}; this is just a common server-side template injection test, the two double brackets. We have "Malicious input blocked". I don't even know if this works in Ruby; I'm assuming this is Ruby because we saw "powered by WEBrick 1.7.0", oh, and there's the Ruby version, 3.0.2, so that's disclosed in the header as well. Going back, our Exploit-DB is closed, but we know there's no vulnerability in the Ruby language itself, because we didn't have anything there, and WEBrick. So let's see what we can do here. I want to see all the bad characters, so what I'm going to do is get a valid request and then copy this to a file: we're going to right click, then Copy to file, and we're going to type, let's see, weighted.request. Save that, and then let's just take a look at it. I'm going to put FUZZ where I want to fuzz, so we're going to go in category and just put FUZZ in all capitals. Now we want to find a wordlist that is special characters. Let's do fuzzing, let's see, is there a special... I'm just going to grep -i special. There we go, so we have this special-chars.txt. Okay, I think I only copied the file name; let's copy the entire path. Copy, there we go, awesome.

So now we can do ffuf. I'm going to say -request, and we called it weighted.request; I'm going to specify the protocol is http, and then the wordlist I want to use is this SecLists one, and we're going to send it. I'm guessing everything with 1619 is a bad character, that's probably going to be "Malicious input blocked". So we can say filter size 1619, and we have three that are valid. The three that are valid are only valid because it's probably not URL encoding these, it's just sending like the ampersand, which if you send it and don't URL encode it does nothing, because it's going to treat that as a separator. So like this, if we go here, it doesn't show the ampersand here where it's replaying the data. Same with a plus; that's just going to put... oh, the space did go through, so space looks like it is a valid character. We could try a slash, and it looks like slash is valid.

If we wanted to we could URL encode all this pretty easily. If we do echo / and then pipe this over to jq: I'm going to do jq -R, capital R, this is going to not require it to be JSON, it's just raw input I think, and then lowercase -r is going to be raw output. If we don't do the lowercase r it just puts it in those quotes; that's how we want this to look, and if we don't do a capital R it errors. So what we're going to do is cat the file, so if I do a cat of this, now we URL encoded that entire wordlist. So I'm just going to go up here where my ffuf request was, and then if you go with a, I think that's less than, and then the parenthesis, it's going to run this command and then treat it as a file. So this is a quick way to just manipulate your files or do encoders, because I don't think ffuf supports encoders; wfuzz does, but I don't think ffuf does. So we throw this, and I'm going to get rid of the filter size... that doesn't look like it worked. Actually, let's see, why did that not work? That is odd. If I run this command... did I screw it up? I don't think I did. Oh, we don't have a cat; we have to run the command, we have to cat that file. There we go. Okay, so filter size 1619, and the only thing that is good is %2F, which is a slash. I'm actually surprised the plus didn't work. We do a plus and then URL encode this... yeah, it does not work. So what I'm guessing here is space is a valid character but plus is not, so when the regex was seeing it, it did not like the plus. If we just send it without URL encoding it, it's not really sending plus, it's sending space, so that's probably the discrepancy there.

So there is one thing that is hard to test through Burp, just because if you highlight, you can't really convert this: it is newline characters, so like \r\n, that's really %0d%0a. If we do man ascii, let's see, look for return... where is it? Carriage return is 0D and then newline is 0A. So let's try that: let's do %0d%0a and then I'm going to put a semicolon, which is a bad character. We still have "Malicious input blocked". If I just do a newline, it actually worked; we have asd and then a semicolon. So we have successfully bypassed the filter. Why does this work? I don't know exactly, because we haven't looked at the code, but it does generally work when there's a regular expression and the regular expression is not multi-line: it's just going to look at the first line, it passes, and then it moves on to the next one, because they didn't specify... like if it's Python, DOTALL is normally how it happens I think, because period won't match a line break unless you have the DOTALL parameter. This is Ruby; I don't know much Ruby, so I don't know exactly what the issue is here. Once we get a shell we can take a look at it. But doing a newline allows us to bypass the filter, so let's go ahead and look up Ruby SSTI payloads now that we can test this.

Let's see, I like going to PayloadsAllTheThings and HackTricks, and it's loading... probably because Burp Suite is still in intercept. Nope, it's not, it's just taking its sweet time. I'm going to turn this off; maybe my VM's actually going slow. Wow, that is going real slow. Disable... you can see something spiked here. Let's search for Ruby, and then we have <%= %>. Okay, so let's go back to Repeater, and then after the %0a we're going to do like this, and then 7*7, %> like that, and we have some error. I'm guessing we have to URL encode this, so percent is %25, and there we go, we have 49. If this had said 7*7 we'd know it wouldn't be vulnerable, but since it actually processed this, it is. So let's take a look at what they suggest. We could do like File.open; we could also do system. So I'm going to try this system payload. If we grab this and send that, let's just hit enter, we just get true. So it's not reading the output; the result of that command was true, like the exit code. If the file doesn't exist we get false. We could try the other way they said it: let's just leave the cat /etc/passwd, and instead of doing system let's just do backticks, like that, and then we get the output. The other thing it had was like IO.popen('ls'); this also works to get output as well, because you're reading the lines. If you do system.read it doesn't work; I don't know Ruby, I don't know exactly why, but these two payloads would be the best to get results. If for some reason I didn't have access to those payloads, I would probably try a sleep command or a ping, because if we do a sleep 1 it now takes a second to load. We can do a sleep 2, look at the bottom right of the screen, see 2,000 milliseconds, so we know it took 2 seconds to load.

So let's now just get a reverse shell. I'm going to... let's actually make shell on a box. The reason why I'm doing it this way is... if I can type and talk at the same time that'd be great. We're in something that could have a lot of bad characters, so if I do it this way I can avoid all the bad characters by just doing base64; and by bad characters I just mean like quotes and things like that. So I always like using a cradle like this, just because there's less bad characters. The one thing you have to be careful on when doing base64: we'll have to make sure we URL encode the payload, because that plus is going to be treated as a space and not how we want it. So let's do an echo, then base64 -d, then bash. Okay, URL encode, nc -lvnp 9001, send this, and we get a shell.

So let's upgrade the shell. I'm going to do python3 -c 'import pty; pty.spawn("/bin/bash")', and then Ctrl-Z, stty raw -echo, and then fg, hit enter twice, and then we can export... man, I cannot type today... TERM=xterm so we can clear the screen. Now let's take a look at what we have. The first thing I generally look for is some type of credential stored in the web app, like it talks to a database normally; however I don't believe there's a database behind this web app. But the one thing I am curious about is how that SSTI worked, how we bypassed the filter, so I'm just going to look at main.rb. Let's see, this is looking at a POST on /weighted-grade-calc, so I think it's right where we want to be. We're looking at this and we see elsif params[:category1], and then we have this regular expression. So this is matching a to z lowercase, uppercase, 0 through 9 and a space, and then matching as long as it starts with and ends with that string up until a line break. So the %0d, that is a return character, and I guess return is not part of this line break in Linux, only \n is, so that's why when we had the return it doesn't match. Oh, we also match slash, I don't know if I said that. So there's no really bad characters; it's a whitelist, not a blacklist or a deny list. And then we get code execution... so we're just checking here, I don't see anything there... oh, it's doing an ERB.new and then we're just passing in our parameters. Think of ERB.new as like an eval, because it's embedded Ruby, so it's just doing a script, and whenever you do the <%= it's executing. So I don't know if this is technically SSTI or not; maybe it is, maybe ERB.new is for templates and things like that, but that's why I get code execution, because you can think of this as eval I guess.

So let's see what we have here. If we look at our user we can see we are a member of sudo, so if I do sudo -l it wants a password for Susan. So let's see what we have: we have user.txt, we have this Migration thing... let's actually do SQLite, do we have it? Yep. The pupil database, .dump, and then we have a bunch of hashes. Let's see, we can do echo -n | wc -c: we have 64 characters. Is that like a sha1sum? echo test | sha1sum... let's do awk '{print $1}' so we only grab the first field... that's probably too small. wc -c, 41. Probably sha256sum I would think; yep, there we go, it says 65, not 64, because there's a line break in there. I bet if I did echo -n... that did not work... yeah, so it did that just because of the line break.

So let's see, we have to figure out what Susan's password is. I'm just going to do a find on the box to see what files Susan is the owner of, so I'm going to do find / -user susan. Let's see, we can also add -ls, and then let's hide error messages because there's going to be a lot of files we can't open. We have a lot of things in... I'm going to hide everything in /proc because I don't care about /proc... forgot the -v. So let's see, we have /home/susan and that is about it, so we just have things in the home. Let's take a look at the group, so we'll do -group susan, and we have a bit more: she owns that Ruby app, and then there's also a piece of mail. So let's take a look at this. I can cat /var/mail/susan, and we see: due to our transition to Jupiter Grades because of the PupilPath data breach, we should migrate our credentials, and we have the format: first name, then the first name backwards, and then a randomly generated integer between 1 and, is that a billion? So my question right now is how do they do this, because that could be like 1, or you could do, let's see, like this, so I don't know how it's formatted. I'm going to guess it's in the form of 10 digits, but I'm not positive. So we have to go over... or first we have to extract all the credentials out of this PupilPath database and then we can go over to the Kraken and try cracking it.

So let's do that. In order to get all the table names I'm just going to run that dump command again, and I want to extract the name and password. Actually our user is Susan, so we could probably just do it with Susan's hash, but I'm going to extract all the hashes just because. So we're going to run that sqlite command again, and then I'm going to do select name, password from users, and that is ugly since it did that line wrapping, but we have it there. If we wanted we could do stty -a, rows 28, columns 110: stty rows 28 cols 110, there we go. So now if I did that SQLite command again we can do select name, password from, was it users? Yep, there we go. So fixing the TTY just means I can go all the way left and right, so it just behaves a bit better.

Now for hashcat: hashcat, when you specify usernames, likes it delimited with a semicolon, so we could just do a sed, pipe to semicolon, g, like that, and now we have it in hashcat format. But what I want to do is just grab Susan's, so I'm just going to grab this; we're just going to work with Susan to see if we can get her password real quick. So let's go over to the Kraken, cd hashcat, and then I'm going to go in hashes and we can call this perfection, and I'm just going to paste that. Now let's take a look at the man page for hashcat, because we're actually going to use an attack mode here, and we normally don't use attack modes in hashcat because we're just cracking off a dictionary; here we want to manipulate something. So we've got the modes: we've got straight, this is the one we normally use, but I'm going to use the brute force. You could also use the wordlist and mask; that's going to combine the brute force with the mask, so if you wanted to have a wordlist of multiple names you could. I tried doing a lot of that, but I couldn't get a rule file to do what I wanted to, because we have to do the username, then an underscore, then the username backwards, and I tried a long time. Let's see if I can remember this real quick. Let's just do echo ipsec, and then we can say hashcat --stdout, and then -j for a rule. So if I just do -j, I want to append an underscore; so this is how I was playing around with rules so I could get that working. And then f is reflect the word backwards, but every time I did that I had this underscore here, and I couldn't figure out for the life of me how I can reflect the word and delete a character. The bracket is delete the first character, so I was hoping that would delete the reflected character. If you're curious about all this, if we Google like "hashcat rules" it will probably bring us to the page we want, rule-based attack, so we can see how a lot of the rules work here; that's where I was getting it from. But all these rules either require knowing the position, and there's no way I could figure out how to get the length of a word's position. This whole memorize functionality looked helpful, but if we look at the plus note, it indicates it's in hashcat legacy, not the new one, so I couldn't memorize a word then replay it. Maybe someone in the comments can help me, but I just couldn't figure out how I could get it in the format I wanted with just a rule file, so I resorted to the brute force, because we can specify characters here.

So let's do hashcat, and then we'll do attack mode 3, and then let's go into hashes/perfection, and then we can say susan_nasus_ and then, was it a billion? So I'm going to do nine digits, so 1 2 3 1 2 3 1 2 3, that should be nine digits. If we run this it's probably going to tell us we match multiple hashes; we want to use mode 1400, because it's just a SHA-256 I guess. I don't know what SHA3-256 is, but here we go. It is going to start running, and let's see how long it expects to take... oh, it's already done. So we got Recovered 1/1, that was near instant. I think if we switch to attack mode 6 for some reason it goes a lot slower. So we see that took 15 seconds on my computer. Let's try going to attack mode 6, so we'll call this combinator dict, I guess, or I misspelled that; I'm going to do susan_nasus_ like that.

Actually, let's get the wordlist real quick. Let's see what it cracked: ./hashcat -m 1400 hashes/perfection --show. So here's the password. Let's just see if this works real quick, and then I'm going to go look at hashcat. So if we do a sudo -l, paste in the password, looks like we can sudo, so I'm going to do sudo su and now we're root.

So I just want to show why I did not switch to attack mode 6. We got that combinator dict file, so if we did this correctly, let's see, we should be able to do mode 6 like that, and then we specify it like this. We want to remove the potfile, hashcat.potfile, there we go. So we'll see how long this takes; I don't think it's going to take just 15 seconds. I don't know why doing it this way is slower, but it is; or maybe we just got lucky how it hit the digits, that is also very, very possible. So I'm just going to let this run, and we're going to run it twice to see if it's the same on combinator. Because there's only one word, I think it's only going to use one of my GPUs; I don't know if it did that before, but I'm going to pause the video and we'll see how long this one takes.

I know I said we'd let this crack finish, but it's been a couple minutes and I am only like 8% of the way through, so I'm going to kill this. I'm going to look at the speed: we're at 274,000 hashes a second on one GPU with the combinator mode. We're going to run what we did before, let's see, what is it, this right here, and see what speed this goes. So 274,000 hashes a second, we'll see how quick this is... wow, a lot faster; this is like exponentially. So we didn't just get lucky: using attack mode 6 with just one word in the wordlist makes it go really slow, and the brute force mode with one word makes it go a lot quicker. I'm just guessing it's like less processing when it does it this way; I'm not exactly sure where all that I/O is coming from. But as you can see, if you use the combinator mode you need to have a pretty big wordlist. I'm actually kind of curious if we duplicated this a bunch, if it goes any quicker. Probably not, because it's probably going to use the same number each time, but it may use more GPUs. We've got to move that potfile again. Let's see how quick this is... so at least we're... oh, we still only use one GPU, so that does not speed it up any. So yeah, if you do this and you just have one word, you could use combinator, it works, but definitely use the brute force mode when you can over combinator because it's quicker, or at least hybrid wordlist combinator. So with that being said, that is the video. Hope you guys enjoyed it, take care, and I will see you all next time.
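The filter behaviour observed in the transcript (a payload after %0a gets through, %0d%0a does not, and the source shows a whitelist regex feeding ERB.new) comes down to how Ruby anchors regular expressions. The following is an added example written for this page; it is not code from the box's main.rb or from the video. The exact whitelist and the template string are reconstructed from the transcript's description and should be read as assumptions. It puts the per-line anchors (^, $) beside whole-string anchors (\A, \z), shows that a newline-prefixed ERB tag passes the first and is executed by ERB.new, and shows a hardened handler that rejects it and, even if a value did get through, treats it as data rather than template source.

```ruby
# Added example for this page (not code from the box or from IppSec): a minimal
# model of the filter-then-render step described in the transcript. The regex
# and template below are reconstructed from the description, not copied.
require 'erb'

# Whitelist as described: letters, digits, space and slash, anchored with ^ and $.
# In Ruby, ^ and $ are always line anchors (there is no single-line mode), so
# this only requires that SOME line of the input consist solely of allowed chars.
LEGACY_WHITELIST = /^[a-zA-Z0-9\/ ]+$/

# Hardened form: \A and \z anchor to the start and the very end of the string
# (\Z would still tolerate a trailing newline, so \z is the one to use).
STRICT_WHITELIST = /\A[a-zA-Z0-9\/ ]+\z/

def legacy_filter_passes?(value)
  !!(value =~ LEGACY_WHITELIST)
end

def strict_filter_passes?(value)
  !!(value =~ STRICT_WHITELIST)
end

# Simplified stand-in for the vulnerable handler: the user-controlled category
# name is interpolated into the template SOURCE before ERB compiles it, so any
# <%= ... %> inside it is executed as Ruby (e.g. <%= `id` %> runs a command).
# Returns nil when the filter blocks the value.
def render_category_legacy(category)
  return nil unless legacy_filter_passes?(category)

  ERB.new("Category: #{category}").result(binding)
end

# Hardened handler: whole-string anchors, and the value reaches the template as
# a variable the template reads, never as part of the template text itself.
def render_category_strict(category)
  return nil unless strict_filter_passes?(category)

  ERB.new('Category: <%= category %>').result(binding)
end

if __FILE__ == $0
  payload = "asd\n<%= 7*7 %>"            # what %0a<%25= 7*7 %25> decodes to
  p legacy_filter_passes?(payload)       # true  (line "asd" satisfies ^...$)
  p legacy_filter_passes?("asd\r\n;")    # false ($ does not match before \r)
  p render_category_legacy(payload)      # "Category: asd\n49"
  p strict_filter_passes?(payload)       # false
  p render_category_strict('Math 101')   # "Category: Math 101"
end
```

The carriage-return case matches what the transcript reports: with %0d%0a the first line is "asd\r", and because $ in Ruby only matches immediately before "\n", the stray "\r" is an unlisted character and the whole check fails, whereas a bare %0a leaves a clean first line that satisfies the anchored class.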

Original Description

00:00 - Introduction
00:50 - Start of nmap
02:50 - Discovering the Weighted Grade Calculator which we will exploit
04:50 - Using FFUF to enumerate all bad characters and discovering we can't send any symbols
07:10 - Quick bash one liner with JQ to URL Encode each line of our wordlist
09:30 - Discovering a New Line character breaks the search for Bad Characters, then getting a shell on the box
14:40 - Shell returned, looking at the source code and seeing the "Bad Character" filter was really a regex whitelist
18:50 - Discovering mail that says the password format in the database
21:50 - Using hashcat Bruteforce mode to crack the password

This video shows how a character-filter bypass leads to code execution in a Ruby web application, and how a disclosed password format turns an otherwise infeasible hash crack into a quick hashcat mask attack.

Key Takeaways
  1. nmap -sC -sV finds only SSH (22) and HTTP (80, nginx); the page footer discloses WEBrick 1.7.0 and the Server header discloses Ruby 3.0.2, so check those versions against the dates of any published exploits before chasing them.
  2. Enumerate the input filter with ffuf and a special-characters wordlist, URL-encoding each line through jq so the characters survive the request; filtering on the response size of the "Malicious input blocked" page shows which characters are rejected.
  3. The filter is a regex whitelist anchored with ^ and $, which Ruby treats as line anchors: prefixing the payload with %0a puts the allowed text on the first line and the ERB tag on the second, so <%= `cmd` %> reaches ERB.new and is executed.
  4. Base64-encode the reverse-shell cradle to avoid bad characters, and URL-encode the result so a '+' in the base64 is not turned into a space.
  5. /var/mail/susan gives the password format (name_eman_integer); pull the SHA-256 hashes out of the SQLite database and crack with hashcat -m 1400 in brute-force mode (-a 3) with a mask, which is far faster than combinator mode (-a 6) with a one-word list.
💡 For defenders, the fixes are the mirror image of the attack: anchor validation regexes with \A and \z rather than ^ and $, and never splice user input into a template string handed to ERB.new.
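The password format from the mail, the padding question the video raises (is the integer written as 1 or as 000000001?), and the mask hashcat ends up with can be modelled in a few lines. The following is an added example written for this page, not code from the video or the box: it derives the name_eman_ prefix, builds the -a 3 mask for a chosen digit width, converts sqlite3's name|hash rows into the user:hash form hashcat's --username option expects, and verifies a candidate against a stored SHA-256 digest (hashcat mode 1400). The sample row is constructed here from a made-up password and is not one of the box's hashes.

```ruby
# Added example for this page (not code from IppSec's video or the box): model
# the password format described in susan's mail and the hashcat inputs derived
# from it. The name|hash row below is constructed here, not taken from the box.
require 'digest'

# Format from the mail: first name, underscore, first name reversed, underscore,
# then a random integer. Names are lowercased, as in the cracked example.
def password_prefix(first_name)
  name = first_name.downcase
  "#{name}_#{name.reverse}_"
end

# hashcat -a 3 mask: the literal prefix followed by `digits` ?d placeholders.
# A literal '?' in the prefix would have to be escaped as '??' for hashcat.
def hashcat_mask(first_name, digits: 9)
  password_prefix(first_name).gsub('?', '??') + ('?d' * digits)
end

# sqlite3 prints `select name, password from users` as name|hash;
# hashcat's --username option wants user:hash.
def to_hashcat_username_lines(rows)
  rows.map do |row|
    name, hash = row.split('|', 2)
    "#{name}:#{hash}"
  end
end

# SHA-256 (hashcat mode 1400) check of one candidate against the stored hex digest.
def candidate_matches?(candidate, stored_hex)
  Digest::SHA256.hexdigest(candidate) == stored_hex.downcase
end

# Bounded local brute force of the numeric suffix. zero_pad: true models a
# fixed-width suffix (exactly what a ?d?d...?d mask covers); false models bare
# integers, which a fixed-width mask misses for shorter numbers.
def crack_suffix(first_name, stored_hex, range:, digits: 9, zero_pad: true)
  prefix = password_prefix(first_name)
  range.each do |n|
    suffix = zero_pad ? n.to_s.rjust(digits, '0') : n.to_s
    candidate = prefix + suffix
    return candidate if candidate_matches?(candidate, stored_hex)
  end
  nil
end

# Constructed sample row: password made up for this example, hash computed here.
SAMPLE_PASSWORD = 'susan_nasus_000004242'
SAMPLE_ROWS = ["Susan Miller|#{Digest::SHA256.hexdigest(SAMPLE_PASSWORD)}"]

if __FILE__ == $0
  puts hashcat_mask('Susan')                           # susan_nasus_?d?d?d?d?d?d?d?d?d
  puts to_hashcat_username_lines(SAMPLE_ROWS)
  stored = SAMPLE_ROWS.first.split('|', 2).last
  puts crack_suffix('Susan', stored, range: 0..10_000) # susan_nasus_000004242
end
```

A mask of nine ?d only covers nine-digit suffixes, which is the right shape if the integers are zero-padded; if they are written bare (1, 42, 123456789), the shorter candidates are only covered by also running the mask with hashcat's --increment option, or by running separate masks for each length.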
