HackTheBox - Format

  • Published 1 Dec 2024

COMMENTS • 26

  • @ianberdahl108 1 year ago +2

    Definitely watching more of your vids. Good explanation on your steps. ❤

  • @AUBCodeII 1 year ago +20

    What's going on YouTube, this is TrippSec, and we're doing Drugs from Hack The Box

  • @dariusvlogs3634 1 year ago +3

    Thank you for reupload

  • @tntxqx8281 1 year ago +1

    Ippsec we love you ❤️❤️ your personality, your knowledge 🔥🔥

  • @lonelyorphan9788 1 year ago

    Double Ippsec week! I feel spoiled 🙂. Ippsec rocks!

  • @AUBCodeII 1 year ago +7

    I found out an unintended way to get code execution on this box.
    When we write a .php script in /content, and request this script, the server returns the content of this script:
    Client: GET /content/shell.php HTTP/1.1
    Server:
    This means that we matched the rule "location ~ ^/content/(?[^/]+)(/\.php)*$".
    However, when we request the path /content/shell.php/Anything.php, we have code execution:
    Client: GET /content/shell.php/Anything.php HTTP/1.1
    Server: www-data
    This is because we are matching the rule "location ~ \.php$", which allows execution of .php scripts.

  • @3rawkz 1 year ago

    Hey! How did you know to add "app" subdomain? I didn't catch where during enum that showed up!

  • @boogieman97 1 year ago +1

    Great one again! I could understand your reasoning in creating a Python script that just does the job, but no functions also results in no structure and silly mistakes, in my experience. You could have used the attribute "text" on the request object to have it decoded and not escaped, instead of content.

    • @ippsec 1 year ago +2

      Yeah, it's been a while since I wrote Python, and talking while typing does make for more errors. It was also my third video that week, so I was mentally burned out.

  • @HackerBabaOfficial 1 year ago +1

    Which keyboard are you using, and which software are you using for screen recording?

  • @tg7943 1 year ago +1

    Push!

  • @howismake 1 year ago

    👏

  • @PR1V4TE 1 year ago

    Why was the video taken down? 😅

    • @ippsec 1 year ago +6

      It's in the description -- I re-uploaded it because the previous video got stuck on YT's end encoding the high def version, so most people could only watch it in 360p.

  • @Landee 1 year ago

    thx ytb..

  • @Asynerx 1 year ago

    The bot already retired

  • @triplem3224 1 year ago

    Last

  • @heapbytes 1 year ago

    12:08 I didn't get why phpinfo() wasn't executed, can you please explain or provide a resource about the FastCGI thing @ippsec

    • @angeleeh 1 year ago

      It's because of the Content-Disposition header

    • @ippsec 1 year ago

      @@angeleeh Not exactly, I go over it at 51:50, but the Content-Disposition header has nothing to do with it. It's just that location block in the nginx config.

    • @angeleeh 1 year ago

      @@ippsec I thought this was the case, as it specifically sets the Content-Disposition header on /content to 'attachment', so it just downloads the files without executing them inline. Do you think you could execute code if /images had the Content-Disposition header set in the same way?

  • @heapbytes 1 year ago +1

    Why use __init__ globals in the username? Why not just {secret_encoded} or {secret}? (Because when you demoed the sys.argv version, you just used it as {secret}, and secret there wasn't in any function either.)

    • @ippsec 1 year ago

      You can only include what is within the .format() piece. In my demo I passed secret there. On the box, the object was passed.

    • @heapbytes 1 year ago

      @@ippsec Ahhh, I see, thanks!!
      So if license wasn't passed in .format(), what can we do? Could we then have used {secret} directly, or something else?
      (Sorry for the silly question, this is my first time seeing the nginx vuln and the other vulns this box has, I'm too excited about it)

    • @AUBCodeII 1 year ago

      @@heapbytes I think something must be passed in .format() for the format string vulnerability to work. Passing something in .format() or not, if you used {secret} directly, the script would throw a KeyError exception:
      Traceback (most recent call last):
      File "./license_simple.py", line 26, in
      license_key = (prefix + username + firstlast).format()
      KeyError: 'secret'
      You can write a simpler version of the license script to play with the input and see what the script outputs.
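The `.format()` behaviour this thread is discussing, as an added example that is not from the video or from any commenter: it reproduces the KeyError shown in the traceback above, shows why a placeholder can only reach what was actually passed into `.format()`, and puts a fixed version beside the vulnerable one. The `License` class and the module-level `SECRET` are constructed stand-ins, not the box's real code or values.

```python
# Added example, not code from the video or from any commenter: reproduces the
# str.format() behaviour discussed in the thread above. Names are constructed.
SECRET = "constructed-secret-value"   # stand-in for a module-level secret


class License:
    """Constructed stand-in for the object the generator passes into .format()."""

    def __init__(self, first: str, last: str) -> None:
        self.first = first
        self.last = last


def build_key_vulnerable(username: str, lic: License) -> str:
    # The template is assembled from user input and *then* formatted, so any
    # {...} field inside the username is resolved against the passed object.
    prefix = "KEY-"
    return (prefix + username + lic.first + lic.last).format(license=lic)


def build_key_hardened(username: str, lic: License) -> str:
    # The template is a constant; user input only ever arrives as an argument,
    # so braces in the username are copied through as literal characters.
    return "KEY-{user}{first}{last}".format(user=username, first=lic.first, last=lic.last)


def probe(username: str, builder) -> str:
    # Return the generated key, or the exception type name if formatting fails.
    try:
        return builder(username, License("Jane", "Doe"))
    except Exception as exc:  # KeyError / AttributeError from unresolvable fields
        return type(exc).__name__


if __name__ == "__main__":
    # {secret} is not a keyword given to .format(), so it raises KeyError,
    # exactly as the traceback in the comment above shows.
    print(probe("{secret}", build_key_vulnerable))
    # Fields are resolved relative to what *was* passed: the license object,
    # whose __init__ method carries the globals of the module it was defined in.
    print(probe("{license.__init__.__globals__[SECRET]}", build_key_vulnerable))
    # With a fixed template the same username is just text in the output.
    print(probe("{license.__init__.__globals__[SECRET]}", build_key_hardened))
```

The detection angle is the same in both directions: a username containing `{` or `}` should never reach a `.format()` call whose template is built by string concatenation.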