I actually found myself clapping at the privilege escalation at the end. Don't ever stop what you are doing IppSec. It's amazing educational content.
For me the regex part was pure magic. I went full ScriptKiddy and used a working script back in the day i solved the box but never really understood what it does until now. Was waiting for that video for so long. Thank you Sir!
Same lol, feels wrong that it was so easy with the script :D
I am wondering from where you got that script?
The minute I saw SQLmap in the preview I knew it was gonna be a good one.
Thanks for the video Mr.Ippsec.
Watching this in 1.75x is like watching a thriller...you're amazing ippsec
21:35 you scared me there for a second
and at /.ssh
Two cents:
1 - string.printable
2 - `for` loops in Python have an `else` clause that runs if the loop finishes without hitting a `break`
How exactly do you find out if it's running MongoDB in the backend, other than just looking at the mangos and thinking 'mango, mongo, hmm...'? 'Cause in a real-life situation you'd need to somehow find out what's in the backend.
Through nmap that's the first thing he did
@@medoangel8370 ? but but the nmap said the http-title is mango, still the fruit, not the database...(did i miss anything?)
(not to mention http-title can be edited by web dev i guess? they can say for example "banana protocol" but that doesn't mean it's really following banana protocol) (weird example i made but you get the idea :D)
@@medoangel8370 I was deceived at first as well! Then got so confused why ippsec knows it's a MongoDB, hence NoSQL, but is still using SQL injection😂loooool
i checked the htb forum they all say stuff like "the name of the box is a big hint"🤪
idk
maybe in real life you just try both...?🤣
Woah i was thinking about analytics.php all the time
Great Video
So I didn't catch the hint that this was supposed to lead me to mangoDB, how can I identify this in the future without a hint? Just trial and error?
About the for loop:
I usually do ```for i in range(ord("!"), ord("~") + 1)``` so it's clearer what's going on and I'm not missing any ASCII characters :P
```python
import re
re.escape(s)
```
should also do the trick instead of manually escaping special regex characters
Nice hint, thanks! I found that an asterisk character as part of the password leads to false positive matches. Has anyone found a solution for that?
So now we have the machine name and the pics of the mango that indicate that the server is using MongoDB.
In a real-life scenario, how would you discover that the site is using a NoSQL DB, and how would you discover that there is SQL injection in it???
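An added example, not code from the video or from IppSec: the shape a MongoDB operator-injection login looks like once the request body is parsed, the vulnerable query construction beside a hardened one, and a small detection pass over request bodies. The sample bodies and field names are constructed for this example; the framework behaviour noted in the comment (some extended URL-encoded parsers build nested objects from `field[$op]=value`) is a known property of parsers such as Express's extended urlencoded mode, not something taken from the page.

```python
import json

# Constructed sample request bodies, already parsed the way a web framework
# would hand them to a login handler. Some frameworks (Express's extended
# urlencoded parser, for example) turn "password[$regex]=^a.*" into a nested
# object, so this shape can arrive from a plain form post, not only from JSON.
SAMPLE_BODIES = [
    {"username": "admin", "password": "hunter2"},             # ordinary login
    {"username": "admin", "password": {"$regex": "^a.*"}},    # operator smuggled in
    {"username": "admin", "password": ["hunter2"]},           # wrong type, no operator
]
RAW_BODIES = [json.dumps(b) for b in SAMPLE_BODIES]


def build_login_query_vulnerable(body):
    """Mirrors the bug class: the parsed value is dropped straight into the
    filter, so a dict such as {"$regex": ...} is evaluated by MongoDB as an
    operator instead of being compared as a literal password."""
    return {"username": body.get("username"), "password": body.get("password")}


def build_login_query_hardened(body):
    """Only plain strings may reach the query; any other JSON type is rejected
    before a filter is built, which closes the operator-injection path."""
    query = {}
    for field in ("username", "password"):
        value = body.get(field)
        if not isinstance(value, str):
            raise ValueError(f"{field} must be a string, got {type(value).__name__}")
        query[field] = value
    return query


def contains_operator(value):
    """Recursively look for MongoDB operator keys ('$'-prefixed) in parsed input."""
    if isinstance(value, dict):
        return any(str(k).startswith("$") or contains_operator(v) for k, v in value.items())
    if isinstance(value, list):
        return any(contains_operator(v) for v in value)
    return False


def flag_operator_injection(raw_bodies):
    """Detection view (WAF or log review): indices of raw JSON bodies that carry
    operator keys anywhere in their structure."""
    flagged = []
    for i, raw in enumerate(raw_bodies):
        try:
            parsed = json.loads(raw)
        except json.JSONDecodeError:
            continue
        if contains_operator(parsed):
            flagged.append(i)
    return flagged


if __name__ == "__main__":
    for body in SAMPLE_BODIES:
        print("vulnerable filter:", build_login_query_vulnerable(body))
        try:
            print("hardened filter:  ", build_login_query_hardened(body))
        except ValueError as exc:
            print("hardened filter:   rejected:", exc)
    print("flagged request indices:", flag_operator_injection(RAW_BODIES))
```

The type check is the fix that matters: an operator scan alone would pass the third body (wrong type but no `$` key), while the string check rejects both malformed bodies. Keep the scan for detection and the type check for the handler.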
:facepalm: I somehow found github/MangoDevelopers and went down a rabbit hole from there, scraping webpages and trying to build a keyword dictionary with mango-related words. Kill me now.
A small hint: use jjs with the -scripting argument, then you can use $EXEC(). Tnx for a great video!
Python has a `string` module that has useful subsets of the ASCII characters
Hey Everyone, Can you tell me blog sites like medium(12:40) for hacking/pentesting purpose ofc?
This is great, I am already stuck working on the machine now 😀
Ipp, is PentesterLab good for learning web exploitation? Or are there other good resources? I'm pretty weak on web stuff, thinking of practicing some more advanced stuff, like chaining exploits together and WAF evasion.
Awesome! It's really cool! Thx for writeup!
Thank you!
i like your cut G
amazing bro nice job man
which desktop environment are you using ?
Hi ^^, I'm wondering: Why do you use "$ nmap -sC -sV" instead of "$ nmap -A"?
Greetings, and thank you a lot for your content.
I guess -sC -sV is faster than doing -A
What keyboard are you using?
When you add an IP, host and alias to /etc/hosts, why do you do that? I tried googling but can't find an answer. It only explains how to do it.
Some HTTP servers have "virtual host routing"; essentially that means it will serve you different resources based on the "Host" header in the request. In this case it did not serve the page with the IP as hostname, but it did with the hostname found in the SSL cert.
By adding it to /etc/hosts you can easily just send a request with that Host header. Alternatively you could just manipulate the header in Burp, but that will get annoying fast.
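The routing described in that answer, as an added example that is not part of the original thread: a tiny local HTTP server picks the response purely from the Host header, and a client asks the same address three times with different Host values. The hostnames `shop.example.test` and `staging.example.test` are made up for this example; the box's real names are not reproduced.

```python
import http.client
import threading
from http.server import BaseHTTPRequestHandler, ThreadingHTTPServer

# Hypothetical virtual hosts (constructed for this example). Same IP, same
# port: the only thing that selects a site is the Host header.
VHOSTS = {
    "shop.example.test": b"main site\n",
    "staging.example.test": b"staging site\n",
}
DEFAULT = b"default site (served when no vhost matches)\n"


class VHostHandler(BaseHTTPRequestHandler):
    def do_GET(self):
        # Strip an optional ":port" and normalise case before the lookup.
        host = self.headers.get("Host", "").split(":")[0].lower()
        body = VHOSTS.get(host, DEFAULT)
        self.send_response(200)
        self.send_header("Content-Type", "text/plain")
        self.send_header("Content-Length", str(len(body)))
        self.end_headers()
        self.wfile.write(body)

    def log_message(self, *args):  # keep the demo quiet
        pass


def start_server():
    """Bind to an ephemeral localhost port and serve in a background thread."""
    server = ThreadingHTTPServer(("127.0.0.1", 0), VHostHandler)
    threading.Thread(target=server.serve_forever, daemon=True).start()
    return server


def fetch(port, host_header):
    """GET / from 127.0.0.1:port while sending an explicit Host header.
    This is what an /etc/hosts entry achieves for a browser: the TCP
    connection still goes to the IP, only the Host value changes."""
    conn = http.client.HTTPConnection("127.0.0.1", port, timeout=5)
    conn.request("GET", "/", headers={"Host": host_header})
    resp = conn.getresponse()
    data = resp.read().decode()
    conn.close()
    return data


def demo():
    """Return {host_header: response body} for the IP and both vhost names."""
    server = start_server()
    port = server.server_address[1]
    try:
        return {
            h: fetch(port, h)
            for h in ("127.0.0.1", "shop.example.test", "staging.example.test")
        }
    finally:
        server.shutdown()
        server.server_close()


if __name__ == "__main__":
    for host, body in demo().items():
        print(f"Host: {host:<22} -> {body.strip()}")
```

Requesting by IP lands on the default site, which is exactly the "nothing interesting here" page the IP gave in the video; the name from the certificate is what unlocks the other content.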
Awesome thank you
Was an easy box, but was a bit CTF-like at the login part.
Can you please explain to me what he did at the login? How did he find out what to do there?
love you bro !!
21:15 Is mongodb regex broken? .* matches any amount of characters, including zero, as shown by egrep and sed:
```
$ echo -n "admin" | egrep -o "admin.*" | sed -e 's/admin.*/still_a_match/g'
```
So why does mongodb not match? Even egrep and sed agree, which is rare for me.
Also, if some regex magician reads this... Why do I need to escape every damn "control character" in sed?
```
echo -n "adminn" | sed -e 's/^ad\(mi[n]\+\)$/\1/g'
```
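Two regex points raised in this thread, the zero-width `.*` question just above and the earlier report that an asterisk in the password produces false positives, worked through locally with Python's `re` module. This is an added example, not the script from the video: the "oracle" is a plain `re.search` against a constructed secret (`ad*min`) standing in for a server that only answers match / no match, and it uses the `range(ord("!"), ord("~") + 1)` candidate set and the `for`/`else` idiom that other commenters mentioned.

```python
import re

# Constructed secret for the demonstration; note the literal asterisk.
SECRET = "ad*min"
# Printable ASCII without space, as suggested in the thread.
CANDIDATES = [chr(c) for c in range(ord("!"), ord("~") + 1)]


def oracle(pattern, secret=SECRET):
    """Stand-in for a yes/no server answer: does the regex match the secret?"""
    return re.search(pattern, secret) is not None


def naive_pattern(prefix):
    """Prefix dropped into the regex raw: '*', '?', '.', '|', '\\' keep their meaning."""
    return f"^{prefix}.*"


def escaped_pattern(prefix):
    """Every metacharacter in the prefix escaped, so it is matched literally."""
    return f"^{re.escape(prefix)}.*"


def dot_star_matches_empty():
    """The 21:15 point: '.*' happily matches zero characters, so 'admin.*'
    matches the bare string 'admin'. Returns the matched text."""
    m = re.search("admin.*", "admin")
    return m.group(0) if m else None


def next_chars(prefix, build, secret=SECRET):
    """Every candidate the oracle accepts as the next character after prefix.
    With the naive builder, quantifiers and wildcards accept themselves even
    though they are not in the secret: that is the false-positive report."""
    hits = []
    for ch in CANDIDATES:
        pattern = build(prefix + ch)
        try:
            if oracle(pattern, secret):
                hits.append(ch)
        except re.error:  # e.g. an unbalanced "(" in the naive pattern
            continue
    return hits


def recover(secret=SECRET, max_len=64):
    """Rebuild the secret one escaped character at a time and stop only when a
    pattern anchored at both ends ('^...$') matches, which is what confirms
    the string is complete rather than merely a prefix."""
    prefix = ""
    for _ in range(max_len):
        if re.search(f"^{re.escape(prefix)}$", secret):
            return prefix
        for ch in CANDIDATES:
            if oracle(escaped_pattern(prefix + ch), secret):
                prefix += ch
                break
        else:  # for/else: no candidate matched, give up
            return None
    return None


if __name__ == "__main__":
    print("'admin.*' against 'admin' matched:", dot_star_matches_empty())
    print("naive next chars after 'a' for 'admin':  ", next_chars("a", naive_pattern, "admin"))
    print("escaped next chars after 'a' for 'admin':", next_chars("a", escaped_pattern, "admin"))
    print("escaped next chars after 'ad' for SECRET:", next_chars("ad", escaped_pattern))
    print("recovered:", recover())
```

Against `admin`, the naive builder reports `*`, `+`, `?`, `.`, `\`, `|` as well as `d` after the prefix `a`, because `^a*.*`, `^a?.*`, `^a|.*` and friends match almost anything; the escaped builder reports only `d`. The `$`-anchored check in `recover` is the other half: `^admin.*` would also accept `admin123`, so a match on the unanchored pattern never proves the value is finished.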
Hi @IppSec,
Thank You for this Awesome Script for extracting MongoDB Data. Could you please comment here on how to learn / which modules are essential for a Penetration Tester in Python in learning the Python Script Automation like this. I am waiting for your valuable response.
I am wondering why the machine is still listed under Active machines at this moment!
You can work on that machine for 2 days after retirement
Shubham Gurav thanks for clarification!
@@shubhamgurav634 two days? I thought it will be until the next box gets retired
I love these videos
U are the best
when are you releasing your own box on htb? 😎😎😎
Hey, how do you copy text or smth in tmux??
superuser.com/questions/196060/selecting-text-in-tmux-copy-mode
@Kanchho Chhoro now XD
Tnk u.
re.escape!
Cmon man hahahaha , you are a legend , seeing you disappoints me as a noob lol
August left Chris in America. Can you get the flag and reunite them? a crypto challenge in hackthebox plzzz help me
nice
They should allow new subscribers to pentest retired machines too..
Then people would just keep creating accounts, it's only ~10 for a month of full access.
@@ippsec Then they should allow everyone to pentest retired machines, just with no credit, only for academic and practical purposes. It'd be a profitable learning method. Thanks for answering btw.
Yeah Python did not work for me, had to write a bash script :) as always, It's a great learning exp. to see pros do it after you've stumbled around like a drunken a**hole.
:)
first