HackTheBox - RainyDay

Name: HackTheBox - RainyDay
Uploaded: 2023-02-18T15:09:50Z
Channel: IppSec
Description: 00:00 - Introduction 01:00 - Start of nmap 04:40 - Identifying this page is built with flask based upon a 404 page 06:15 - Looking at /api/ 07:15 - Show...

IppSec · Beginner ·📰 AI News & Updates ·3y ago

00:00 - Introduction 01:00 - Start of nmap 04:40 - Identifying this page is built with flask based upon a 404 page 06:15 - Looking at /api/ 07:15 - Showing a weird bug in python where you cannot run int() on a string that is a float 08:00 - Showing the source code on why this bypassed the check 10:12 - End of edit, extracting all the users passwords with curl 15:40 - Cracking the hashes and getting a password of rubberducky, playing with creating containers 22:30 - Getting a reverse shell on the Alpine-Python container 24:00 - We are a privileged container and can see processes from root, whic…

Watch on YouTube ↗ (saves to browser)

Chapters (20)

Introduction

1:00 Start of nmap

4:40 Identifying this page is built with flask based upon a 404 page

6:15 Looking at /api/

7:15 Showing a weird bug in python where you cannot run int() on a string that is a

8:00 Showing the source code on why this bypassed the check

10:12 End of edit, extracting all the users passwords with curl

15:40 Cracking the hashes and getting a password of rubberducky, playing with creati

22:30 Getting a reverse shell on the Alpine-Python container

24:00 We are a privileged container and can see processes from root, which lets us a

27:15 Can execute safe_python with sudo as jack_adm but it turns out to be a sandbox

33:50 Shell as Jack_adm, we can use sudo with hash_password.py, its a bcrypt hash bu

35:40 Explaining the vulnerability, bcrypt has a maximum length we can fill the buff

43:40 Creating a Hashcat rule file to append a single character to the password

45:50 Creating a python script to exploit this vuln in bcrypt and leaking the secret

53:48 Script to exploit the truncation vuln in bcrypt complete. Using hashcat to cr

1:00:00 Finished the box but we skipped one step. Going back to show there was a dev s

1:05:50 The dev site has a different /api/healhtcheck page, we can use boolean logic w

1:13:24 Creating a python script to automate the file disclosure vulnerability and exp

1:30:10 Talking about ways to improve the scrip

Playlist

Uploads from IppSec · IppSec · 0 of 60

← Previous Next →

HackTheBox - RainyDay

Chapters (20)

Playlist

Lesson complete!