HackTheBox - Stratosphere

IppSec · Beginner ·🔐 Cybersecurity ·7y ago

Key Takeaways

The video demonstrates a cybersecurity walkthrough of the HackTheBox Stratosphere challenge, utilizing tools such as Burp Suite, GoBuster, and Hydra to exploit vulnerabilities in a Tomcat server and gain access to the system. The video covers various techniques, including code execution, reverse shell, and privilege escalation, using Python scripts and exploiting Struts vulnerabilities.

Full Transcript

what's going on YouTube this is IPPs I can be doing stratosphere from hack the box which I liked a lot because the user shell followed a real story it was much like the Equifax hack where they got hacked via struts and then you pillage the database the catch is the server has a really strict IP tables so you have to use a Ford Shale or use the struts exploit to do it without getting a TTY you could do it that way I think that's the way most people did it but the Ford Shale is just so cool I love using it and showing it off so we'll use that method of course and the previs it's a little bit short because there's not much to the probe ask it's just one of those when you see it you realize all I could see we have that mistake is made and essentially it's a Python script that you can execute via sudo and the Python script has a import statement and the Python path has the current working directory first so if you just create a malicious Python module and then sudo execute the script your code runs so really short brave ask but it is cool and I thought pretty unique since I don't think we've had like one of those on hack the box before but anyways let's jump in as always we start with the end map with - SC for default scripts as v8 version so a output all formats plan the end map director and call their stratosphere and the IP address which is 1010 1064 can take some time to run so I've already ran it look at the results we see quite a bit of information very first thing we see is port 22 is open its SSH and it's a Debian server and we can confirm that by it's saying Debian and 10 plus 9 update to the next thing open is HTTP and it's doing finger print strings it's a 404 request and I think it's outputting all of this because it doesn't have the server header we can see HTTP for for a content type content language content length date connection then the contents of the web page I think if it just said server is equal to like Apache iis or nginx we may get less of a verbose output because and map doesn't know exactly what it is it outputs everything so maybe you can identify it the next one down we have a 200 request and we don't have the actual get still don't see a server request but we have a last modified date of Tuesday February 27th and the date on the server as well which says August Wednesday 29th so the server hasn't this page hasn't been changed and about I don't know six months or five months so some number of months and that's just hopeful minoo and if you see this like 2016 you know the page just hasn't been updated that much and if it's a web framework you may start looking into exploits around that scrolling down we see port 8080 is open and it's very similar to the port 80 and that looks like it's about it we get a bunch of fingerprint stuff probably again because it can't identify exactly what web server it is so it just outputs everything to maybe decide if you can I'm just going to check the stratosphere GN maps a grapa belen map file just to make sure I didn't miss any open port since there was a lot of information on the screen I see point 22 open 80 open and 8080 open I don't know why that just appeared so let's go back into exclusive mode and go over to the web page so I'm going to go in a book turn intercept on go into Firefox go to my foxy proxy configure to go to burp suite and then 10 10 10 at 64 go back to burp send this repeater with control or control shift or to switch to the tab click go and just look at the header it's exactly what we saw a last modified date and everything so it's turn receptor off see what this looks like stratosphere we protect your credit services we offer about us if we click get started' sites under construction we'll get the source nothing there started here same thing language doesn't work so I'm just gonna try a few things like robot start text and we get a patchy Tomcat message and again it's saying Debbie and so we now know this is a tomcat server we go to manager which is a common Tomcat URL it prompts for credentials so we can do like Tomcat Tomcat Tomcat manager and maybe Tomcat secret admin admin doesn't look like any of the default ones work heading escape we go to a 401 or an authorized page so we know this is a tomcat web server and that's about it so what I'm going to do is I'm going to start go Buster so see if we can find any other files that are here we can try to go to slash dev doesn't do anything and I'm also going to stop Hydra to try to brute force this Tomcat wall again so let's go back to terminal and we will make a go Buster tab first let's pull up the options with go Buster - H and we will see that we want to do - you four URL so go Buster - HTTP 10-10-10 64 then we want to do a wordless or user share word list doorbuster then directory list 2.3 medium and we'll do - oh four out file and we'll just call this go Buster log well that's running I forgot I want to check one other thing we did slash manager on 10-10-10 64 I'm gonna try doing port 8080 and if I get the same exact thing I'm gonna assume this is the same exact web server and there's no difference so and let's start two different go Buster's so we get mandrill on both of them so we're just gonna live with 80 and ignore port 8080 right off the bat go Buster did find slash manager but let's move on over to Hydra so we can do Hydra - H - see what we have and we want to use let's see forget exactly what service it is it's one of the HTTP so let's see I want to say it's just HTTP - get so when I try that so Hydra - capital L we have to create a user file so let's make a directory Hydra go into it and create users dot text and we want to specify a few default users so admin tomcat and root just saying some default readers off users off the top my head no reason I chose that other then it's common things I've seen with tomcat so now we can do Hydra - capital L users text - capital P and we're going to specify user SEC list user share SEC list and passwords then let's do dirk web top thousand i don't like doing any more than like a thousand requests for a HTTP brute force just because it takes freaking forever and let's go back up and look at the options i'm gonna use - f - exit when i login pair has found so we'll do - f the IP address which is 10 10 10 64 then the page which is slash manager oh we never specified the module so HTTP - get and that can't be right I found it way too fast let's go and try this so go to the page refresh admin the password doesn't work and I'm looking at this it's manager slash HTML not just slash manager so maybe Hydra doesn't follow redirects because a redirect could mean successful login so to specify the exact page has the HTTP message log in Vienna so if we do slash manager we get a 302 to go to manager slash go to manager slash get another 302 get a manager slash HTML and this when we get to 401 so this is the page you have to give over to Hydra so slash manager slash HTML and now that's taking much longer so I believe that's working we went back over to go Buster we have slash monitoring so let's check out that page and let's turn off intercept it is slash monitoring and I didn't get rid of this colon and we get a page with a sign on with username and password and register the one thing I note is everything is dot action if we go into burp intercept on we see a J session cookie so we know again this is probably gonna be Tomcat because that's common with Tomcat the weird thing is dot action normally with Tomcat applications I see like dot do or dot java application says do not action so first thing I'm gonna do is turn intercept off and we're gonna go to Google and search let's do dot action file Java and see if what this says very first result is stack overflow from 2009 and we see it's probably a URL pattern for firing a struts action and just based upon hearing struts I know Apache struts and its had a lot of vulnerabilities recently additionally the big one was Equifax that did some type of credit monitoring so we see stat stratosphere credit monitoring so I'm guessing struts is gonna be the thing to do so my next thing is to Google and I want to find out how to verify what struts version is running so I did Google identify struts version and once we know what version it is we'll know what exploits to throw and let's see how to find out what struts version this looks like it's gonna be something locally not over the web and the manifest file and meta and struts config so this doesn't really say anything had to find out over a web server it's all locally on the Box we have this blogged at Qualcomm which is a paid exploit scanner much like necess and things like that but it actually has a lot more exploit capability kind of like Metasploit i guess so we see a bunch of things with the vulnerability scrolling down let's see koala sis actually shows how they identify if it's vulnerable so there's putting something in a content type header and they're putting just math in a content type header and then if it responds we'll see it actually processed the math potentially so that's a common way to identify if you have code execution do some type of math if it processes the math chances are there is a path to code execution because it executed what you typed so now let's go back let's go to [Music] 10 10 10 64 slash monitoring we're sending this to poop already so let's just go into a history tab send this to repeater and then add this header that koalas did and what king that's odd go to terminal already named - Oh Hydra finished I was gonna meet him - Hydra but how'd you didn't find anything let's see that was the wrong clip board control shift insert and it's processing unicode we see this isn't single takes right there it's a weird unicode one because it's slightly slanted so let's just replace that manual get rid of that and replace all these with single quotes and let's get rid of the closest thing because we want you to subscribe to this video or at least I want to and that may work click go and we see the header got put up and it responds with a number we could change this to be something like 191 times 7 to see if this is actually doing math it looks like it is and now we get leap back so definitely have something here so let's go back to that koalas page and let's grab this CVE number and search for an exploit so CVE Python github and we get this exploit so let's get clone this to download the exploit and play with it so get clone struts pound and you can just try executing it to see what it says - h4 help so when I check a single URL so HTTP 10 10 10 64 slash monitoring and that should be fine right let's give it all the way to welcome that action just to be sure we got it and then - C let's do ID and we see it's our took running as Tomcat 8 so it looks good we can do a different thing so you name - I probably put this in quotes because we have a space and we definitely have the name output it says the host name here stratosphere and it's running Debian we have code execution let's get a reverse shell so let's just go to the reverse shell cheat sheet by pentester monkey pen test monkey and I'm gonna try this bash one first because I believe this works on debian so paste that in do ten ten fourteen thirteen I think is my IP if config tun zero yep and instead of 8080 let's do port 9000 one because we like Flair I'm listen on port 9000 one go and we don't get anything back so I'm gonna try let's do a port we can want to get out on four four three change this to be four four three click go still don't get anything so let's just try curl HTTP 10 10 14 13 ko not found double you get still not getting anything so it looks like there is some firewall potentially let us try which and see to see if net cuts on this it is so we can do NC - you for UDP 10 10 14 13 or do 53 for DNS and see LVN p lv nu p so we listen on UDP 53 do this and we don't have anything so it doesn't look like the firewalls letting us out the last thing I would do is if config not found IP addr there we go and we can get let's see I don't see a ipv6 address is it like IP - 680 dr IP 6 could be completely disabled because one common thing is ipv6 is left out so let's do if config tun 0 and we can listen on ipv6 so n cat - 6 lv NP 4 4 3 and then we can do W get HTTP and when you put the IP and brackets I'm not sure if we do - 6 on W get won't do it anyways and nope we don't have any way to get a reverse shell on this box but we do have command execution so let's do LS - away on temp see if we have if we're in some type of sandbox 1010 1064 welcome did we crash the box I did the box go down you name - eh huh that is odd VPN looks up paying 10 10 10 64 bucks is no longer responding so maybe it got rebooted in middle of all this so I'm gonna pause the video and we're going to see exactly what happened but there is a firewall that is preventing it from talking out so we're gonna have to do some magic let's just clean up a terminal pain before I pause the video okay and the box is back online so we can ping it and we can also do the last command we try to do which was you name - a not exactly sure what was going on every now and then boxes go down that's hacked the box life but let's do exactly what we did as we noticed the box was offline and that was ipv6 because firewalls often leave a hole in I P v6 it just gets forgotten about so and CoV mp443 we probably should have done a if config tun zero to get our ipv6 address i F config our ipv6 is dead beef - and just because I'm not positive in the ipv6 syntax we're just going to verify it locally with W get - 6 and we have to specify it in brackets because colons or use reports and also ipv6 separators ok so we know it listener works we know a W get command is correct let's go back to strut spoon and paste this in and we don't get a shell so now we're getting more and more confident that there is a firewall and we have to work around it and the easiest way to do that is through a technique I did and so car and I write the script in that video and explain it we're gonna pull that script and walk through it and then modify it to do struts but essentially you do a web show a hundred percent through HTTP requests so you never get a call back because we can't get a call back because of the firewall so let's make a directory called struts pone Ford shell and we'll grab that one of the wrong directory so let me go into Vaughn hub Soaker and win a copy web shell and just like in the surco video i'm not going to be posting the source to the script mainly because there's a lot of learning experience you get when you debug Python scripts because typing this all out without making error is pretty tough so you'll learn a lot if you just try to type this out it's a little bit different than the one in Soaker because I accidentally deleted that and then got one from a friend named zero xdf on hack the box and he made a few modifications to make it a bit cleaner I made some modifications to it again to make it a little bit cleaner and add comments and maybe when I add other features I want I'll upload it somewhere but for now start copying it down I'm gonna hit page down it ended with while true result okay so copy the next set and then go to the very end and we're gonna walk through this because this one is shell-shocked so we have to put the struts exploit here and do that and also explain exactly how it works the heart of this exploit is this named pipe command and to step through it without actually running Python will do this quickly and again go to SoCo if you want a better explanation go to explain shell calm we can try this to see if this can explain it Oh main pipes doesn't explain it too well so let's open a new tab then test paste this in and go through it so RM slash temp F it's just cleaning up if it already exists so that's kind of irrelevant the MK fi f MK fi fo like make file and file out that is a named pipe it's just going to make this possible it creates a special file the very first thing we have is cat slash temp F piped it to bin SH so on one if we do like echo Who am I to F and then cat F and pipe it to bash it execute the command so all this is doing is reading temp F and piping it over to bash to be executed then this is going to direct standard error which is two and two standard out which is one and then it's going to send that to net cat and this net cat connecting to an IP on the port and then the standard in from net cat is going to temp F so this kind of creates a circular loop of reading temp F executing a file sending it to netcat net cat listening and writing back to temp F so what the Ford shell does is removes this net cat and just puts like temp out so when you write contents in to slash temp oh it's going to then execute it in the bash and or when you write contents into temp F it's going to execute it and send it to tempo that's essentially what the Ford shell technique is so let's go through this thing we have a few modules base64 we use that because we basics T for all the commands we run it just works around the potential of having like bad characters that we'd have to you're elenco to do weird things with random it's going to help us generate sessions so we don't step on ourselves when we create multiple shells on the same box requests because well doing HTTP requests threading this one's a bit odd because we're just writing contents into a file then reading another flower to get output back so since the program's never giving us out but we have to set something up in the background to constantly read that file and constantly display output so that's what threading does time this is just so we can do sleep commands I believe so we set the class web show and we have the initialization where it actually sets up the show and then it's setting up like the session so input dot random variable is going to be where we send commands to and they're gonna read from output dot random number to get commands back now this is actually going to make that name pipe that we had explained then we're going to set up the thread so we can run it in the background and that's all it does for initialization next thing is we have to have a command to constantly read stand it out which is going to be that dev sh m output session and then it's going to do that by running a command that running command is just going to be the cat command then it's going to run a second command to clear the standard out file so the next time we read that file it's empty and that way we just don't have to remember where we left off in the file this next function is going to be the actual one that runs commands and this is shell-shocked because that's what Sircar was and there we go putting the shell-shocked in the user agent of the payload we have another one called write command and this one's just going to do the base64 wrapping of the command before we send it to run Raw command then upgrade shell this is going to be a just shortcut so we can do the PTY trick to get a real shell prompt please subscribe this is just going to say under your command here essentially and then we do an infinite loop so that is the script let us go in to copy the relevant code from the struts exploit paste it in the script and then try it out open a new console and go to struts bone view this search with payload and this is the struts exploit so just copy all this control see go back and get rid of this payload I'm gonna have to do set paste paste it in and then I have the spaces and so I don't have to do this every time I'm gonna do Q to start a macro then hit a head i to go an insert mode space three times go down hit home escape to get out of insert mode q to get out of macro mode and now I can just do at a and it does that for me push my cursor to the next line so I could also do ten at a and do ten lines at a time then three at a to do three lines so we have the struts exploit and our command is labeled the same thing so we don't have to modify anything the one thing we will need to do is change the exploit I think it was a content type if we look here it is content - type so if we do content tight payload and we have to set the user agent to something so usually it will be you all rock and should be good normally things don't work in the first time so we'll find out what mistake we made we're gonna run a web show with Python 3 type a command like LS and burp isn't working oh we didn't do URL and it's going to 1010 1056 which doesn't exist so forgot to set one thing which was this to be 64 and the struts exploit was was it / monitoring / example welcome got action maybe I believe that's it LS and there we go so now we have a nice little web shell where we can do commands and most importantly we can like go in directories so we go in to come look at the contents and let's look at web.xml see what this is it doesn't look too interesting let's look at tomcat users XML we get a username password team poner and this weird password so I'm going to copy this and I hit ctrl C which killed my show awesome but copy this and the main thing I'm going to try to do is get into the database and I'm making that my very first task because if we just go based upon history the Equifax hack which this box seems to be built around since it's a credit monitoring box they exported the database so I'm going to go based upon the story and say the first thing I want to do after exporting struts is find a way into the database only enough this doesn't let me log into Tomcat username so maybe they have some ACL we're only like the localhost is authorized I'm not exactly sure where that is configured in Tomcat but go back into a web shell see what else we have if we go to do file store I'm curious what DB connect is ASCII text cat DB connect and we have database information so SSN may be like Social Security numbers so let's try to connect to that MySQL - h4 Lok host localhost - you SSN underscore admin - I think - - password equals if we just do - P it's gonna ask ask us for the password and it didn't oh we have to upgrade to a TTY so I'm going to do upgrade which is gonna run that Python - the import PT PT y PT t y dot spawned in bash we may have killed a shell with that my sequel command see do we have a shell let's try this only enough I'm not getting out any output I'm used to saying some type of output it's weird let's start the server upgrade right off the bat and there we go that's why I'm used to saying this thing like what you'd see when you have a terminal window so let's run this my sequel command again and I see my passwords near the top of the line so let's just copy that right now base this enter the password and now we're in the database so we can do show databases see what we have access to use SSN show tables and it's all empty so let's get out of this and try the my sequel is admin so and there were two credentials in this DB connect file social security number and users so my sequel - H localhost - you admin - P admin show databases use users show tables describe accounts to see what fields are there and then we can just do select star from accounts the reason why and when we do describe first is sometimes the like tables have so many columns it gets hard to read so I just describe it see if I just want to select username password or select everything so we have the account Richard and this as a password so we can try this again so let's go back to this Richard put this in still nothing so let's exit this cat Etsy passwd we see that Richard is a user so I'm just gonna do sq - Richard paste that password and we have a shell on it we also have test out PI in his directory so I'm going to look at that but before I do that let us just SSH to it because if you remember from the Recon SSH was allowed so 10-10-10 64 is Richard and we're in and actually have a real shell so we can close out of this is it one more time and then we can remove dev sh m to clean our tracks that's fine exit so now we have the shell we have the user dot xwc user dot txt we could run the Linux River but I'm curious what this test is it's owned by root and only root can write to it Richard can execute it and read it so let's take a look so it's a Python 3 program it's gonna input hash lib ask us a bunch of questions and then at the end it's going to return root success top pie so we can try cheating and just copying all the questions so if we go to like hashes dog we could have maybe even googled it but whenever I search hashes I use this website paste it in type the CAPTCHA submit and it was oh that's weird we have a /n I wonder how that got there copy just a hash paste this in bzk 4jw and we can see the very first one is Kai boo so we wanted to we go down the chain and execute this it's actually Python 3 test dot pi and do all of these but it's going to take a little bit to do all those this one is a relatively long hash and hashes dog doesn't have it so if we want to we can just search around for the very last one because it probably goes up in difficulty so let's start from the end go up and see if this finds anything doesn't get anything and if we search it on google we have one paceman thing hash killer trying to crack it but new data it's gonna execute /root slash success by the Python programs don't do set UID Python will strip that out only like compiled languages do that and even if it had set UID well Python isn't running with test out pi doesn't have the set UID bit so nothing we can do there however it's executing something enroute somehow if we do sudo - L we can see that Richard may run user been Python and that script so if we do sudo python and then test up PI says no password I wonder if we have to specify the whole string there we go so now we can run this as root and Python is a bit weird so if we look at how Python loads libraries it actually loads them from the current directory first so I think if we do Python 3 - see import sis friend is it sis top path there we go so we can see pythons path and this is the order it loads those import statements so it's gonna go to current working directory first let's go to use a whip Python 3 5 zip use a whip Python 3 5 python python python but since it's going to current working directory first and we look at test op i and it's just hashlib here we could just create the hashlib pi and then let's try import OS and I think it's OS dot system then - so now when we run our import command for but when we run input hashlib it's now gonna search for hashlib pi and current working directory and this time it's gonna find a file and execute it so if we do that sudo command that's not that that's our path sudo python home richard testify and it switches us to the root and if we go to routes directory we don't see secret pi so even if we had got all that correct nothing would happen because that Python doesn't exist and we can do WCC root our techs see it's 33 characters and that is the box so hope you guys enjoyed it and I will see you all next time

Original Description

01:11 - Begin of recon 03:48 - Manually checking the page out 04:30 - Discovering the webserver is java/tomcact 05:35 - Starting up GoBuster / Hydra 09:40 - The Directory /Monitoring was found - Discovering its Struts because of .action 11:00 - Stumbling upon an exploit trying to find out how to enumerate Struts Versions 14:10 - Searching Github for CVE-2017-5638 exploit script, exploiting the box to find out its firewalled off 21:10 - Using a HTTP Forward Shell to get around the strict firewall # Sokar Video Explaining it: https://www.youtube.com/watch?v=k6ri-LFWEj4 # Inception - Another box where i modify the FWD Shell POC: https://www.youtube.com/watch?v=J2I-5xPgyXk&t=3s 22:40 - Go here if you want to start copying the Forward Shell Script 23:34 - Explaining how it works 25:10 - Explaining the code 31:06 - Forward Shell Returned - Enumerating Database to find creds 37:29 - Examining User.py 40:15 - Privesc: Abusing Python's Path to load a malicious library and sudo user.py
Watch on YouTube ↗ (saves to browser)
Sign in to unlock AI tutor explanation · ⚡30

Playlist

Uploads from IppSec · IppSec · 54 of 60

1 HHC2016 - Analytics
HHC2016 - Analytics
IppSec
2 HackTheBox - October
HackTheBox - October
IppSec
3 HackTheBox - Arctic
HackTheBox - Arctic
IppSec
4 HackTheBox - Brainfuck
HackTheBox - Brainfuck
IppSec
5 HackTheBox - Bank
HackTheBox - Bank
IppSec
6 HackTheBox - Joker
HackTheBox - Joker
IppSec
7 HackTheBox - Lazy
HackTheBox - Lazy
IppSec
8 Camp CTF 2015 - Bitterman
Camp CTF 2015 - Bitterman
IppSec
9 HackTheBox - Devel
HackTheBox - Devel
IppSec
10 Reversing Malicious Office Document (Macro) Emotet(?)
Reversing Malicious Office Document (Macro) Emotet(?)
IppSec
11 HackTheBox - Granny and Grandpa
HackTheBox - Granny and Grandpa
IppSec
12 HackTheBox - Pivoting Update: Granny and Grandpa
HackTheBox - Pivoting Update: Granny and Grandpa
IppSec
13 HackTheBox - Optimum
HackTheBox - Optimum
IppSec
14 HackTheBox - Charon
HackTheBox - Charon
IppSec
15 HackTheBox - Sneaky
HackTheBox - Sneaky
IppSec
16 HackTheBox - Holiday
HackTheBox - Holiday
IppSec
17 HackTheBox - Europa
HackTheBox - Europa
IppSec
18 Introduction to tmux
Introduction to tmux
IppSec
19 HackTheBox - Blocky
HackTheBox - Blocky
IppSec
20 HackTheBox - Nineveh
HackTheBox - Nineveh
IppSec
21 HackTheBox - Jail
HackTheBox - Jail
IppSec
22 HackTheBox - Blue
HackTheBox - Blue
IppSec
23 HackTheBox - Calamity
HackTheBox - Calamity
IppSec
24 HackTheBox - Shrek
HackTheBox - Shrek
IppSec
25 HackTheBox - Mirai
HackTheBox - Mirai
IppSec
26 HackTheBox - Shocker
HackTheBox - Shocker
IppSec
27 HackTheBox - Mantis
HackTheBox - Mantis
IppSec
28 HackTheBox - Node
HackTheBox - Node
IppSec
29 HackTheBox - Kotarak
HackTheBox - Kotarak
IppSec
30 HackTheBox - Enterprise
HackTheBox - Enterprise
IppSec
31 HackTheBox - Sense
HackTheBox - Sense
IppSec
32 HackTheBox - Minion
HackTheBox - Minion
IppSec
33 VulnHub - Sokar
VulnHub - Sokar
IppSec
34 VulnHub - Pinkys Palace v2
VulnHub - Pinkys Palace v2
IppSec
35 HackTheBox - Inception
HackTheBox - Inception
IppSec
36 Vulnhub - Trollcave 1.2
Vulnhub - Trollcave 1.2
IppSec
37 HackTheBox - Ariekei
HackTheBox - Ariekei
IppSec
38 HackTheBox - Flux Capacitor
HackTheBox - Flux Capacitor
IppSec
39 HackTheBox - Jeeves
HackTheBox - Jeeves
IppSec
40 HackTheBox - Tally
HackTheBox - Tally
IppSec
41 HackTheBox - CrimeStoppers
HackTheBox - CrimeStoppers
IppSec
42 HackTheBox - Fulcrum
HackTheBox - Fulcrum
IppSec
43 HackTheBox - Chatterbox
HackTheBox - Chatterbox
IppSec
44 HackTheBox - Falafel
HackTheBox - Falafel
IppSec
45 How To Create Empire Modules
How To Create Empire Modules
IppSec
46 HackTheBox - Nightmare
HackTheBox - Nightmare
IppSec
47 HackTheBox - Nightmarev2  - Speed Run/Unintended Solutions
HackTheBox - Nightmarev2 - Speed Run/Unintended Solutions
IppSec
48 HackTheBox - Bart
HackTheBox - Bart
IppSec
49 HackTheBox -  Aragog
HackTheBox - Aragog
IppSec
50 HackTheBox - Valentine
HackTheBox - Valentine
IppSec
51 HackTheBox - Silo
HackTheBox - Silo
IppSec
52 HackTheBox - Rabbit
HackTheBox - Rabbit
IppSec
53 HackTheBox - Celestial
HackTheBox - Celestial
IppSec
HackTheBox - Stratosphere
HackTheBox - Stratosphere
IppSec
55 HackTheBox - Poison
HackTheBox - Poison
IppSec
56 HackTheBox - Canape
HackTheBox - Canape
IppSec
57 HackTheBox - Olympus
HackTheBox - Olympus
IppSec
58 HackTheBox - Sunday
HackTheBox - Sunday
IppSec
59 HackTheBox - Fighter
HackTheBox - Fighter
IppSec
60 HackTheBox - Bounty
HackTheBox - Bounty
IppSec

The video demonstrates a comprehensive walkthrough of the HackTheBox Stratosphere challenge, covering various techniques and tools to exploit vulnerabilities in a Tomcat server and gain access to the system. The video provides a hands-on approach to learning cybersecurity concepts and techniques.

Key Takeaways
  1. Run nmap with -sC to scan for open ports
  2. Use Burp Suite to intercept and modify HTTP requests
  3. Exploit Tomcat vulnerabilities using GoBuster and Hydra
  4. Gain code execution using a Struts exploit
  5. Use a web shell to bypass firewall restrictions
  6. Execute commands remotely using Ford shell technique
💡 The video highlights the importance of identifying and exploiting vulnerabilities in web servers and applications, and demonstrates the use of various tools and techniques to gain access to a system.

Related Reads

📰
File Path Traversal Vulnerability
Learn how file path traversal vulnerabilities allow attackers to bypass security and access restricted files on a web server
Medium · Cybersecurity
📰
Beyond Prompt Injection: The AI Attacks That Actually Matter
Learn about AI attacks beyond prompt injection and their significance in cybersecurity
Medium · Cybersecurity
📰
Breaking Born2Root: From Enumeration to Root Access
Learn how to break Born2Root, a Capture The Flag challenge, by following steps from reconnaissance to gaining root access, and understand the importance of ethical hacking in cybersecurity.
Medium · Cybersecurity
📰
Treasury Sanctions Two Individuals and VPN Firm Enabling Ransomware Attacks on Americans
US Treasury sanctions individuals and a VPN firm for enabling ransomware attacks, learn how to protect against such threats and the role of cybersecurity in preventing them
Dev.to · Codego Group

Chapters (14)

1:11 Begin of recon
3:48 Manually checking the page out
4:30 Discovering the webserver is java/tomcact
5:35 Starting up GoBuster / Hydra
9:40 The Directory /Monitoring was found - Discovering its Struts because of .actio
11:00 Stumbling upon an exploit trying to find out how to enumerate Struts Versions
14:10 Searching Github for CVE-2017-5638 exploit script, exploiting the box to find
21:10 Using a HTTP Forward Shell to get around the strict firewall
22:40 Go here if you want to start copying the Forward Shell Script
23:34 Explaining how it works
25:10 Explaining the code
31:06 Forward Shell Returned - Enumerating Database to find creds
37:29 Examining User.py
40:15 Privesc: Abusing Python's Path to load a malicious library and sudo user.py
Up next
How AI Coding Got So Cheap (And Why That's Ending)
SCALER
Watch →