I actually found myself clapping at the privilege escalation at the end. Don't ever stop what you are doing IppSec. It's amazing educational content.
For me the regex part was pure magic. I went full ScriptKiddy and used a working script back in the day i solved the box but never really understood what it does until now. Was waiting for that video for so long. Thank you Sir!
Same lol, feels wrong that it was so easy with the script :D
I am wondering from where you got that script?
Watching this at 1.75x is like watching a thriller... you're amazing, IppSec
The minute I saw SQLmap in the preview I knew it was gonna be a good one.
Thanks for the video, Mr. IppSec.
21:35 you scared me there for a second
and at /.ssh
Woah, I was thinking about analytics.php all the time
Great Video
Two cents:
1 - string.printable
2 - for loops in Python have an else condition that is called if a break is not called
About the for loop:
I usually do `for i in range(ord("!"), ord("~") + 1)` so it's clearer what's going on and I'm not missing any ASCII characters :P
Awesome! It's really cool! Thx for writeup!
How exactly do you find out if it's running MongoDB in the backend other than just looking at the mangos and thinking 'mango, mongo hmmm..'? Because in a real-life situation you'd need to somehow find out what's in the backend.
Through nmap that's the first thing he did
@medoangel8370 ? But but the nmap said the http-title is mango, still the fruit, not the database... (did I miss anything?)
(not to mention http-title can be edited by the web dev, I guess? They can say for example "banana protocol" but that doesn't mean it's really following banana protocol) (weird example I made but you get the idea :D)
@medoangel8370 I was deceived at first as well! Then got so confused why IppSec knows it's MongoDB, hence NoSQL, but still uses SQL injection😂loooool
I checked the HTB forum; they all say stuff like "the name of the box is a big hint"🤪
idk
maybe in real life you just try both...?🤣
A small hint: use jjs with the -scripting argument, then you can use $EXEC(). Thanks for a great video!
Python has a string module that has useful subsets of the ASCII characters
This is great, I am already stuck working on the machine now 😀
```python
import re
re.escape(str)
```
should also do the trick instead of manually escaping special regex characters
Nice hint, thanks! I found that an asterisk character as part of the password leads to false positive matches. Has anyone found a solution for that?
i like your cut G
Thank you!
So now we have the machine name and the pics of the mango that indicate that the server is using MongoDB.
In a real-life scenario, how would you discover that the site is using a NoSQL DB, and how would you discover that there is SQL injection in it???
So I didn't catch the hint that this was supposed to lead me to MongoDB. How can I identify this in the future without a hint? Just trial and error?
amazing bro nice job man
:facepalm: I somehow found github/MangoDevelopers and went down a rabbit hole from there, scraping webpages and trying to build a keyword dictionary with mango-related words. Kill me now.
Ipp, is PentesterLab good for learning web exploitation? Or are there any other good resources? I'm pretty weak on web stuff, thinking of practicing some more advanced stuff like chaining exploits together and WAF evasion.
Hi ^^, I'm wondering: Why do you use "$ nmap -sC -sV" instead of "$ nmap -A"?
Greetings, and thank you a lot for your content.
I guess -sC -sV is faster than doing -A
Hey everyone, can you tell me blog sites like Medium (12:40) for hacking/pentesting purposes, ofc?
which desktop environment are you using ?
I love these videos
love you bro !!
Was an easy box, but it was a bit CTF-like at the login.
Can you please explain to me what he did at the login? How did he find out what to do there?
What keyboard are you using?
U are the best
I am wondering why the machine is still listed under Active machines at this moment!
You can work on that machine for 2 days after retirement
Shubham Gurav thanks for clarification!
@shubhamgurav634 two days? I thought it would be until the next box gets retired
Tnk u.
nice
When you add an IP, host and alias to /etc/hosts, why do you do that? I tried googling but can't find an answer. It only explains how to do it.
Some HTTP servers have "virtual host routing"; essentially that means it will serve you different resources based on the "Host" header in the request. In this case it did not serve the page with the IP as hostname, but it did with the hostname found in the SSL cert.
By adding it to /etc/hosts you can easily just send a request with that Host header. Alternatively you could just manipulate the header in Burp, but that will get annoying fast.
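The routing behaviour described in this reply, as an added example rather than code from the video or from anyone in the thread: a small virtual-host server that picks its answer from the Host header alone, the request a client ends up sending once the name resolves via /etc/hosts, and a loopback run that sends the same request once with the IP literal and once with the certificate's hostname. The hostnames, the placeholder address 10.10.10.1 and the page bodies are constructed for the demo.

```python
import threading
from http.client import HTTPConnection
from http.server import BaseHTTPRequestHandler, HTTPServer

# Constructed hostnames for the demo: the name a scanner would read off the
# certificate versus the bare IP that a direct request carries in Host.
VHOSTS = {
    "staging.example.test": b"<h1>staging app</h1>",
    "www.example.test": b"<h1>public site</h1>",
}


def route(host_header: str):
    """Virtual-host routing: choose the response from the Host header alone.

    Returns (status, body). One IP and port serve every name; a request whose
    Host is the IP literal (what you get before editing /etc/hosts) matches
    no vhost and falls through to the 404 default.
    """
    name = host_header.split(":")[0].strip().lower()  # drop any :port suffix
    body = VHOSTS.get(name)
    return (200, body) if body is not None else (404, b"no such virtual host")


def raw_request(path: str, host: str) -> bytes:
    """The request line and Host header a browser sends after a line such as
    `10.10.10.1  staging.example.test` (placeholder address) is in /etc/hosts:
    the name goes into Host even though the TCP connection targets the IP."""
    return f"GET {path} HTTP/1.1\r\nHost: {host}\r\nConnection: close\r\n\r\n".encode()


class VHostHandler(BaseHTTPRequestHandler):
    def do_GET(self):
        status, body = route(self.headers.get("Host", ""))
        self.send_response(status)
        self.send_header("Content-Type", "text/html")
        self.send_header("Content-Length", str(len(body)))
        self.end_headers()
        self.wfile.write(body)

    def log_message(self, *args):  # keep the demo output quiet
        pass


def demo():
    """Live loopback run: same server, two Host headers, two different answers."""
    srv = HTTPServer(("127.0.0.1", 0), VHostHandler)  # port 0: pick a free port
    threading.Thread(target=srv.serve_forever, daemon=True).start()
    port = srv.server_address[1]
    results = {}
    try:
        for host in ("127.0.0.1", "staging.example.test"):
            conn = HTTPConnection("127.0.0.1", port, timeout=5)
            # Explicit Host header, the same thing editing it in Burp does.
            conn.request("GET", "/", headers={"Host": host})
            resp = conn.getresponse()
            results[host] = (resp.status, resp.read().decode())
            conn.close()
    finally:
        srv.shutdown()
        srv.server_close()
    return results


if __name__ == "__main__":
    for host, (status, body) in demo().items():
        print(f"Host: {host:<22} -> {status} {body}")
```

Running the file prints a 404 for the request carrying the IP literal and the staging page for the one carrying the certificate's name; nothing about the connection differs except that one header, which is exactly why the hosts entry (or a rewritten header) is needed.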
Awesome thank you
21:15 Is mongodb regex broken? .* matches any amount of characters, including zero, as shown by egrep and sed:
```sh
$ echo -n "admin" | egrep -o "admin.*" | sed -e 's/admin.*/still_a_match/g'
```
So why does mongodb not match? Even egrep and sed agree, which is rare for me.
Also, if some regex magician reads this... Why do I need to escape every damn "control character" in sed?
```sh
echo -n "adminn" | sed -e 's/^ad\(mi[n]\+\)$/\1/g'
```
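The regex behaviour this thread keeps coming back to (the `ord("!")`..`ord("~")` character range, the for/else idiom, `re.escape`, the asterisk false positive reported above, and `.*` matching zero characters) simulated locally with Python's `re` module. This is an added example, not the script from the video or anything a commenter posted: the secret string and the `oracle` function are constructed stand-ins that answer the same yes/no question against a value in memory, so the regex mechanics can be checked offline.

```python
import re

# Constructed secret for the local simulation; it is not a value from the box.
SECRET = "p4ss*w0rd!"

# Candidate characters, per the comment above: ord("!")..ord("~") is every
# printable ASCII character except space (string.printable would add whitespace).
CANDIDATES = [chr(i) for i in range(ord("!"), ord("~") + 1)]


def oracle(pattern: str, secret: str = SECRET) -> bool:
    """Local stand-in for the yes/no answer the thread's script gets back:
    does `pattern` match the secret? An invalid regex counts as 'no', which
    is also what an error page amounts to."""
    try:
        return re.search(pattern, secret) is not None
    except re.error:
        return False


def recover(secret: str = SECRET) -> str:
    """Rebuild the secret one character at a time from the oracle.

    Every prefix goes through re.escape() so a '*' or '.' inside the secret
    is matched literally instead of being read as a quantifier or wildcard.
    """
    found = ""
    while True:
        for ch in CANDIDATES:
            prefix = found + ch
            if oracle("^" + re.escape(prefix), secret):
                found = prefix
                break
        else:
            # for/else: reached only when the loop ran to completion without
            # hitting `break`, i.e. no candidate extended the prefix.
            return found


def metachar_false_positives(secret: str = "p4ssw0rd") -> tuple:
    """Why unescaped prefixes go wrong, shown against a secret with no '*'.

    Returns (dot_matches, star_matches, escaped_star_matches):
      '^.'       says yes for any non-empty secret ('.' is a wildcard)
      '^p4s*'    says yes because 's*' means zero or more 's', not a literal '*'
      '^p4s\\*'   says no, as it should, once re.escape() has done its job
    """
    return (
        oracle("^.", secret),
        oracle("^p4s*", secret),
        oracle("^" + re.escape("p4s*"), secret),
    )


def dot_star_matches_empty() -> bool:
    """'.*' matches zero characters, so '^admin.*$' matches plain 'admin',
    the same result the egrep/sed pipeline in the question shows."""
    return oracle("^admin.*$", "admin")


if __name__ == "__main__":
    print("recovered:", recover())
    print("unescaped '.', unescaped '*', escaped '*':", metachar_false_positives())
    print("'^admin.*$' matches 'admin':", dot_star_matches_empty())
```

The `^` anchor is what keeps each step a prefix test; without it a pattern such as `s` would match anywhere in the secret and the loop would lock onto the wrong character.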
Hi @IppSec,
Thank You for this Awesome Script for extracting MongoDB Data. Could you please comment here on how to learn / which modules are essential for a Penetration Tester in Python in learning the Python Script Automation like this. I am waiting for your valuable response.
when are you releasing your own box on htb? 😎😎😎
Hey, how do you copy text or something in tmux??
superuser.com/questions/196060/selecting-text-in-tmux-copy-mode
@Kanchho Chhoro a hora XD
re.escape!
August left Chris in America. Can you get the flag and reunite them? A crypto challenge in HackTheBox, please help me
C'mon man hahahaha, you are a legend, seeing you disappoints me as a noob lol
:)
They should allow new subscribers to pentest also retired machines..
Then people would just keep creating accounts, it's only ~10 for a month of full access.
@ippsec Then they should allow everyone to pentest retired machines, just with no credit, only for academic and practical purposes. It'd be a profitable learning method. Thanks for answering btw.
Yeah, Python did not work for me, had to write a bash script :) As always, it's a great learning experience to see pros do it after you've stumbled around like a drunken a**hole.
first