HackTheBox - Yummy

IppSec · Beginner ·🔐 Cybersecurity ·1y ago

Skills: AI Security90%Security Basics80%Defensive AI70%

00:00 - Introduction 01:00 - Start of nmap 03:55 - Playing around with the website, booking a table and then registering an account 08:40 - Taking a look at the Save to iCalendar functionality and finding a File Disclosure vulnerability 12:15 - Finding the application source code via the /proc/self/cwd directory 14:15 - The JWT does RSA manually, using a weak exponent, showing we can factor this with RsaCtfTool 18:40 - Showing JWT.IO doesn't work with weak RSA Keys, showing an alternative tool 26:10 - Looking at cron jobs, finding all of the source code 28:20 - The DBMonitor Cron looks like it will execute code if we create specific files in the /data/scripts directory 33:50 - Using INTO OUTFILE with our SQL Injection to write files and exploit the DBMONITOR Cron to get a shell 41:30 - Shell returned looking at the database, then exploiting another cron because we can write a file 45:20 - Looking at the commit history of an Mercurial HG repo and finding a password 49:05 - We can run HG PULL as dev, showing there are multiple places we can put a HGRC file and create a repo with a hook that will execute a script on pull 57:05 - We can run rsync as root, but the standard gtfobin doesn't work 1:00:00 - Showing the chown flag doesn't remove setuid bits in RSYNC, which lets us make setuid files 1:03:00 - BEYOND ROOT: Showing the changes to the box (secure_file_priv and AppArmor) that allows MySQL To Write files 1:08:49 - Showing the CHOWN removes SetUID but Rsync does not when changing owners

Watch on YouTube ↗ (saves to browser)

Sign in to unlock AI tutor explanation · ⚡30

Playlist

Uploads from IppSec · IppSec · 0 of 60

← Previous Next →

HHC2016 - Analytics

HHC2016 - Analytics

HackTheBox - October

HackTheBox - October

HackTheBox - Arctic

HackTheBox - Arctic

HackTheBox - Brainfuck

HackTheBox - Brainfuck

HackTheBox - Bank

HackTheBox - Bank

HackTheBox - Joker

HackTheBox - Joker

HackTheBox - Lazy

HackTheBox - Lazy

Camp CTF 2015 - Bitterman

Camp CTF 2015 - Bitterman

HackTheBox - Devel

HackTheBox - Devel

Reversing Malicious Office Document (Macro) Emotet(?)

Reversing Malicious Office Document (Macro) Emotet(?)

HackTheBox - Granny and Grandpa

HackTheBox - Granny and Grandpa

HackTheBox - Pivoting Update: Granny and Grandpa

HackTheBox - Pivoting Update: Granny and Grandpa

HackTheBox - Optimum

HackTheBox - Optimum

HackTheBox - Charon

HackTheBox - Charon

HackTheBox - Sneaky

HackTheBox - Sneaky

HackTheBox - Holiday

HackTheBox - Holiday

HackTheBox - Europa

HackTheBox - Europa

Introduction to tmux

Introduction to tmux

HackTheBox - Blocky

HackTheBox - Blocky

HackTheBox - Nineveh

HackTheBox - Nineveh

HackTheBox - Jail

HackTheBox - Jail

HackTheBox - Blue

HackTheBox - Blue

HackTheBox - Calamity

HackTheBox - Calamity

HackTheBox - Shrek

HackTheBox - Shrek

HackTheBox - Mirai

HackTheBox - Mirai

HackTheBox - Shocker

HackTheBox - Shocker

HackTheBox - Mantis

HackTheBox - Mantis

HackTheBox - Node

HackTheBox - Node

HackTheBox - Kotarak

HackTheBox - Kotarak

HackTheBox - Enterprise

HackTheBox - Enterprise

HackTheBox - Sense

HackTheBox - Sense

HackTheBox - Minion

HackTheBox - Minion

VulnHub - Sokar

VulnHub - Sokar

VulnHub - Pinkys Palace v2

VulnHub - Pinkys Palace v2

HackTheBox - Inception

HackTheBox - Inception

Vulnhub - Trollcave 1.2

Vulnhub - Trollcave 1.2

HackTheBox - Ariekei

HackTheBox - Ariekei

HackTheBox - Flux Capacitor

HackTheBox - Flux Capacitor

HackTheBox - Jeeves

HackTheBox - Jeeves

HackTheBox - Tally

HackTheBox - Tally

HackTheBox - CrimeStoppers

HackTheBox - CrimeStoppers

HackTheBox - Fulcrum

HackTheBox - Fulcrum

HackTheBox - Chatterbox

HackTheBox - Chatterbox

HackTheBox - Falafel

HackTheBox - Falafel

How To Create Empire Modules

How To Create Empire Modules

HackTheBox - Nightmare

HackTheBox - Nightmare

HackTheBox - Nightmarev2 - Speed Run/Unintended Solutions

HackTheBox - Nightmarev2 - Speed Run/Unintended Solutions

HackTheBox - Bart

HackTheBox - Bart

HackTheBox - Aragog

HackTheBox - Aragog

HackTheBox - Valentine

HackTheBox - Valentine

HackTheBox - Silo

HackTheBox - Silo

HackTheBox - Rabbit

HackTheBox - Rabbit

HackTheBox - Celestial

HackTheBox - Celestial

HackTheBox - Stratosphere

HackTheBox - Stratosphere

HackTheBox - Poison

HackTheBox - Poison

HackTheBox - Canape

HackTheBox - Canape

HackTheBox - Olympus

HackTheBox - Olympus

HackTheBox - Sunday

HackTheBox - Sunday

HackTheBox - Fighter

HackTheBox - Fighter

HackTheBox - Bounty

HackTheBox - Bounty

More on: AI Security

View skill →

Managing Threat Intelligence with Cortex XSOAR

SECURE Your App with Roles and Permissions in Spring Security!

SECURE Your App with Roles and Permissions in Spring Security!

TheCodeAlchemist

Pete Bryan - Scaling Jupyter Notebooks for global scale security analysis | JupyterCon 2020

Pete Bryan - Scaling Jupyter Notebooks for global scale security analysis | JupyterCon 2020

Warning! Python Remote Keylogger (this is really too easy!)

Warning! Python Remote Keylogger (this is really too easy!)

Episode 9: Automating Single-Turn Attacks with PyRIT | AI Red Teaming 101

Episode 9: Automating Single-Turn Attacks with PyRIT | AI Red Teaming 101

Microsoft Developer

Secure Agent Authorization with OAuth 2.0 | Amazon Bedrock AgentCore | Amazon Web Services

Secure Agent Authorization with OAuth 2.0 | Amazon Bedrock AgentCore | Amazon Web Services

Amazon Web Services

Related AI Lessons

The Hidden Security Problem in IoT Asset Tracking Systems

Discover the hidden security risks in IoT asset tracking systems and how to mitigate them

Medium · Cybersecurity

I Managed WordPress Security Across 1500+ Clients. The Main Reason WP Sites Get Hacked.

WordPress sites are commonly hacked due to vulnerable plugins, not sophisticated attacks, and learning to manage plugin security is crucial

What Is YubiKey Authentication & How It Works

Learn about YubiKey authentication and how it works to enhance security

Dev.to · Mrunank Pawar

I Used to Ignore “Boring” Vulnerabilities… Until One Paid More Than a Critical

Don't underestimate small vulnerabilities, as they can lead to bigger problems and significant payouts

Medium · Data Science

Chapters (17)

Introduction

1:00 Start of nmap

3:55 Playing around with the website, booking a table and then registering an accou

8:40 Taking a look at the Save to iCalendar functionality and finding a File Disclo

12:15 Finding the application source code via the /proc/self/cwd directory

14:15 The JWT does RSA manually, using a weak exponent, showing we can factor this w

18:40 Showing JWT.IO doesn't work with weak RSA Keys, showing an alternative tool

26:10 Looking at cron jobs, finding all of the source code

28:20 The DBMonitor Cron looks like it will execute code if we create specific files

33:50 Using INTO OUTFILE with our SQL Injection to write files and exploit the DBMON

41:30 Shell returned looking at the database, then exploiting another cron because w

45:20 Looking at the commit history of an Mercurial HG repo and finding a password

49:05 We can run HG PULL as dev, showing there are multiple places we can put a HGRC

57:05 We can run rsync as root, but the standard gtfobin doesn't work

1:00:00 Showing the chown flag doesn't remove setuid bits in RSYNC, which lets us make

1:03:00 BEYOND ROOT: Showing the changes to the box (secure_file_priv and AppArmor) th

1:08:49 Showing the CHOWN removes SetUID but Rsync does not when changing owners

Deploying VPC Service Controls