HackTheBox - JSON
Published 14 Jun 2024
00:52 - Start of recon, Nmap
04:35 - Using smbclient to look for open shares
04:50 - Examining the HTTP redirect on the page
06:56 - Attempting default credentials
08:25 - Running GoBuster with PHP extensions
12:45 - Examining the /api/ requests made in Burp Suite
13:35 - Comparing requests to notice one has a "Bearer" header. Researching exactly what it is.
14:45 - Examining the contents of the Bearer/OAuth2 token by base64 decoding it.
15:50 - Inducing an error message by placing invalid base64, then trying to get a different error message by putting in valid but unexpected base64
16:50 - See a serialization error pointing towards JSON.NET, then switching to Windows to install ysoserial.net
22:54 - Creating a .NET deserialization exploit that will ping us
27:50 - Base64 encoding the exploit, starting tcpdump, and checking for code execution. Then editing our exploit to use a PowerShell web cradle with Nishang to get a reverse shell
32:51 - Reverse shell returned; running WinPEAS from my SMB share so we don't touch disk
37:00 - Going over WinPEAS.bat, which doesn't have color (we will do the EXE later in the video to get colors!)
42:00 - PrivEsc #1: Reversing Sync2Ftp to decrypt a password
50:15 - Decompile SyncLocation.exe via dnSpy, then edit the executable to display the decrypted password.
56:15 - Couldn't use PsExec with the decrypted creds. Let's use PowerShell Invoke-Command to switch users
1:05:25 - PrivEsc #2: FileZilla Server - This will require us to pop the box from Windows!
1:10:50 - Using Chisel to forward 127.0.0.1:14147 to us
1:15:15 - Running the FileZilla Server interface and connecting to the box through our tunnel to create new users
1:21:53 - PrivEsc #3: JuicyPotato
1:24:53 - Running JuicyPotato to get a SYSTEM shell
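Two of the steps in the outline above are plain encoding work that is easy to get subtly wrong: reading the Bearer value at 14:45 (is it a three-part JWT or a single base64 blob, and does it decode at all, which is what the error-probing at 15:50 tests) and base64-encoding the command that goes into the PowerShell payload (PowerShell's -EncodedCommand expects base64 over UTF-16LE, not UTF-8). The Python below is an added example written for this page, not code from the video or from Hack The Box; the sample claims, the sample JWT, the probe values and the helper names are constructed for the demo and are not the box's real token.

```python
"""Bearer-token decoding and PowerShell command encoding helpers.

Added example for this page; the sample token and JWT below are
constructed for the demo, not the token issued by the JSON box.
"""
import base64
import binascii
import json


def _b64decode_lenient(segment: str) -> bytes:
    """Decode standard or URL-safe base64 even if the padding was stripped.

    validate=True makes non-alphabet characters raise binascii.Error, which is
    how we distinguish 'invalid base64' from 'valid base64 that is not JSON'.
    """
    normalized = segment.strip().replace("-", "+").replace("_", "/")
    padded = normalized + "=" * (-len(normalized) % 4)
    return base64.b64decode(padded, validate=True)


def decode_bearer(header_value: str) -> dict:
    """Classify and decode an Authorization header value.

    Returns {"kind": "jwt" | "base64-json" | "opaque",
             "segments": [decoded JSON objects], "error": str | None}.
    A JWT-shaped token (header.payload.signature) has its first two
    segments decoded; anything else is treated as one base64 blob.
    """
    token = header_value.strip()
    if token[:7].lower() == "bearer ":
        token = token[7:].strip()
    parts = token.split(".")
    if len(parts) == 3:
        kind, segments = "jwt", parts[:2]  # signature is not JSON, skip it
    else:
        kind, segments = "base64-json", [token]
    decoded = []
    for seg in segments:
        try:
            raw = _b64decode_lenient(seg)
        except (binascii.Error, ValueError) as exc:
            return {"kind": "opaque", "segments": [], "error": f"not base64: {exc}"}
        try:
            decoded.append(json.loads(raw))
        except (UnicodeDecodeError, json.JSONDecodeError) as exc:
            return {"kind": "opaque", "segments": [], "error": f"base64 but not JSON: {exc}"}
    return {"kind": kind, "segments": decoded, "error": None}


def error_probes() -> list:
    """Values for the 15:50 trick: each should trigger a different server error."""
    return [
        ("invalid base64", "!!!notbase64!!!"),
        ("valid base64, not JSON", base64.b64encode(b"hello").decode()),
        ("valid base64, JSON of unexpected shape", base64.b64encode(b"[]").decode()),
    ]


def bearer_header(payload: str) -> str:
    """Wrap an arbitrary payload string the way the server expects it (27:50)."""
    return "Bearer " + base64.b64encode(payload.encode()).decode()


def powershell_encoded_command(command: str) -> str:
    """Build the argument for powershell.exe -EncodedCommand.

    PowerShell decodes this as UTF-16LE; encoding UTF-8 instead produces
    garbage on the target, which is the usual reason an encoded command
    "does nothing". Encoding also avoids escaping quotes inside the payload.
    """
    return base64.b64encode(command.encode("utf-16-le")).decode("ascii")


# Constructed sample data (not the real box token).
SAMPLE_CLAIMS = {"Id": 1, "UserName": "user", "Name": "Demo User", "Rol": "User"}
SAMPLE_TOKEN = base64.b64encode(json.dumps(SAMPLE_CLAIMS).encode()).decode()
SAMPLE_JWT = ".".join(
    base64.urlsafe_b64encode(part).decode().rstrip("=")
    for part in (b'{"alg":"HS256","typ":"JWT"}', b'{"sub":"user"}')
) + ".sig"  # dummy signature segment; it is never decoded

if __name__ == "__main__":
    print(decode_bearer("Bearer " + SAMPLE_TOKEN))
    print(decode_bearer(SAMPLE_JWT))
    for label, value in error_probes():
        print(f"{label}: {decode_bearer(value)}")
    print(powershell_encoded_command("whoami"))
```

The classifier is deliberately strict about base64 so that the three probe values map to three distinct outcomes, mirroring the three server responses you are trying to elicit; a server that leaks a JSON.NET exception on the third probe is the signal the video acts on at 16:50.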
What is actually going on in this video? 😂 I'm so stoned right now and stumbled on this. I'm 25 mins in and really interested?? I literally have no clue what you're trying to do but I'm with you, man.
It's magic, bro! And it's probably not for you.
In exactly the same boat lmfao, this is amazing.
@seosamhohaodha3040 Don't discourage others for being curious.
Check out hackthebox.eu. It is a platform that hosts vulnerable servers, encouraging users to hack them. You should definitely check it out.
Thank you for teaching us cybersecurity and thanks for explaining it so well for newbies.
Thanks for everything, ipp. If you ever visit Brazil, I'll buy a beer for you
That second way with port forwarding was my favorite, seemed easier than the first for me.
Subscribed! Awesome content! How long have you been working on cyber security / pentesting?
All Hail Ippsec 🙌🏾 thank you man
Just another great video 👌
Amazing video, learnt a lot, thanks.
Hi IppSec, why didn't you test for an XXE attack by changing application/json to application/xml?
Sorry for the inconveniences
I literally spend all day on Linux, and watching this I feel like a total noob.
Practice makes perfect and nobody starts at the top, bro. Stay with it and it will come.
@seosamhohaodha3040 not OP but thanks
I think the NCC Group Burp plugin "Freddy" can be useful on this box. Any thoughts?
3 boxes away from seeing all your walkthroughs! One question: is there a reason why, when you're running Burp, you don't set the Target and use Proxy --> Options --> Intercept Client Requests and enable the AND operator, so you don't have to turn Burp on and off when browsing to other sites?
I don’t like sending requests of personal browsing through burp as it may contain sensitive things like google cookies
I wish I could subscribe again.
Thanks for your fantastic videos. If it's possible for you, please teach us malware analysis and malware programming. Thanks a lot.
I may have missed you explaining this, but clicking in the window pauses the process until you hit Enter in the window. It's an old Windows feature that lets you pause a running process so you can look through the output. I think it's similar to Linux, but instead of Ctrl+Z, it's a mouse click.
Any reason you don't use rlwrap on nc reverse shells?
Just forgot to.
This is a dumb question, but do I need Burp premium to use the features of Burp Suite, or could I use the free version?
Free version should work fine. I try to call out whenever I use a Pro feature (which is rare) and then show how to do it for free.
Great video as always. BTW, if you want to understand exactly how that ysoserial.net exploit works (as you mentioned you're not familiar with it), I explained it in a lot of detail in my video walkthrough of this same box that I've just uploaded to my channel.
Wow I will be there
@plushoom glad to help :)
❤️
@IppSec What software are you using for screen recording?
OBS.
Can someone explain which track this is, and where I can get a medium-level track (e.g. Active Directory 101, CVE, Common Applications 101, Deserialization, etc.) tutorial? (PS: for my assignment)
Quick question: do you always first pass in an encoded command for PowerShell RCE, or how do you know that it would work in this scenario?
You never really know, but due to the exploit itself having quotes, I'd have to escape quotes on the PowerShell command, and it's easier to try base64 before escaping quotes.
Ah, I see, thanks for pointing that out!
How do you identify which gadget to use while creating a payload with ysoserial?
Hi IppSec, is one GTX 1080 or 2080 enough to crack the ciphers?
You don't even need that much. A regular CPU does most Windows hashes fast enough to work well, especially for CTFs.
At 1:11:xx you can use title to set the title in PowerShell/cmd. :)
Great! You should also do challenge walkthroughs!!!
What is your bash shell?
I guess for remote WinRM you need to enable this on JSON: "Enable-PSRemoting -Force"
What's the tab he uses to switch between OSes?
On your Windows box you should look at Hyper terminal. It's similar to tmux.
Hello, does anyone know if there is a Kali tools repository for Ubuntu or Blackbox?
Hello IppSec, please answer this question: what is your profession?
Somebody should append the 'PleaseSubscribe' password to the rockyou wordlist.
And IppsecRocks
You're gonna need that here in the future 😄
Hi IppSec, noob here. I already asked you a few times and haven't gotten an answer, I know you're busy, but in one of your videos you SSH to kracken!? I think... how did you make that up? Is it a script or do you log in to another machine? Sorry, I know it's a stupid question, but I'm trying to learn from you.
It's literally just an old PC with 4 graphics cards. Nothing special, no special configuration. Just Ubuntu and hashcat with graphics cards.
@ippsec so it is another machine?? And also I didn't get to understand my own question, sorry, multiple languages here and autocorrect is on.
Yes. When i type ssh kracken, I'm going to a different computer I use specifically for cracking. The main reason I do this is cracking takes up 100% of CPU, so it is not ideal to do on the same computer as I am recording on as I'd drop frames.
@ippsec thank you so much, so kracken is like a script? Or just the name of the machine!? Sorry for my noobyness.
Name of a machine on my network. I type ssh
This is Windows but I found it in the *nix medium playlist :V
Hi, can you also teach us how to clear the traces that are used to help administrators catch you? Because I think a hack like a "ghost" is the perfect hack.
Nope. Legitimate pentesting doesn’t require this, but crime does.
It is possible to teach this, but no one will. You should figure this out on your own. Suppose you run a PowerShell command; there are certain logs which register this. It's up to you to figure out where they are and how you can avoid them. But never ask anyone this. This sets a wrong impression and puts a lot of legal ramifications on the guy answering.
@x0x4c admin: ohhhhh!!!
Waiting for playertwo and rope to retire ;_;
You claim to be a hacker and don't know JWT, OAuth2, etc.? Really?
If you search videos (IppSec.rocks), I’ve done plenty of JWT stuff in the past. Some of the voice track is showing how to approach things you don’t know.
Also I never claimed to be a hacker.
Damn, rude.
Wow, even in this educational part of YouTube, people still find ways to be dicks. GG humanity.