HackTheBox - Curling

IppSec · Beginner ·🧠 Large Language Models ·7y ago
01:12 - Begin of Recon 01:55 - Running Cewl to generate a wordlist 02:50 - Finding secret.txt in the HTML Source, which happens to be the password 03:28 - Runninh JoomScan so we have something running in the background 04:20 - Checking the manifest to get the Joomla Version 06:20 - Explaining what equals mean in base64 07:50 - Begin of hunting for Joomla Username 08:30 - BruteForcing Joomla Login with WFUZZ 10:35 - Troubleshooting by sending wfuzz through burp 12:25 - Turns out the CSRF Token is tied to cookie, adding that to the wfuzz command 17:10 - Success! Logged into Joomla 17:58 - Gaining code execution by modifying a template 20:20 - Getting a reverse shell 23:20 - Finding the file: password_backup which is encoded 23:55 - Extracting password_backup manually with xxd, zcat, bzcat, tar 25:43 - Extracting Password_Backup with CyberChef 27:35 - Logging in with Floris 28:17 - Looking at /home/floris/AdminArea 28:50 - Testing the input file by changing the url to us 29:30 - Getting LFI by using file:// within curl 30:38 - Pulling the cron, to see what is going on 31:25 - Cron shows curl -K to use curl with a config file, checking man page. 32:05 - Changing where curl saves to, in order to gain a root shell 33:45 - Showing another good file to read with the LFI (logs) 34:18 - Using pspy to show when processes start/end, which shows the curl command with no exploits
Watch on YouTube ↗ (saves to browser)
Sign in to unlock AI tutor explanation · ⚡30

Playlist

Uploads from IppSec · IppSec · 0 of 60

← Previous Next →
1 HHC2016 - Analytics
HHC2016 - Analytics
IppSec
 2 HackTheBox - October
HackTheBox - October
IppSec
 3 HackTheBox - Arctic
HackTheBox - Arctic
IppSec
 4 HackTheBox - Brainfuck
HackTheBox - Brainfuck
IppSec
 5 HackTheBox - Bank
HackTheBox - Bank
IppSec
 6 HackTheBox - Joker
HackTheBox - Joker
IppSec
 7 HackTheBox - Lazy
HackTheBox - Lazy
IppSec
 8 Camp CTF 2015 - Bitterman
Camp CTF 2015 - Bitterman
IppSec
 9 HackTheBox - Devel
HackTheBox - Devel
IppSec
 10 Reversing Malicious Office Document (Macro) Emotet(?)
Reversing Malicious Office Document (Macro) Emotet(?)
IppSec
 11 HackTheBox - Granny and Grandpa
HackTheBox - Granny and Grandpa
IppSec
 12 HackTheBox - Pivoting Update: Granny and Grandpa
HackTheBox - Pivoting Update: Granny and Grandpa
IppSec
 13 HackTheBox - Optimum
HackTheBox - Optimum
IppSec
 14 HackTheBox - Charon
HackTheBox - Charon
IppSec
 15 HackTheBox - Sneaky
HackTheBox - Sneaky
IppSec
 16 HackTheBox - Holiday
HackTheBox - Holiday
IppSec
 17 HackTheBox - Europa
HackTheBox - Europa
IppSec
 18 Introduction to tmux
Introduction to tmux
IppSec
 19 HackTheBox - Blocky
HackTheBox - Blocky
IppSec
 20 HackTheBox - Nineveh
HackTheBox - Nineveh
IppSec
 21 HackTheBox - Jail
HackTheBox - Jail
IppSec
 22 HackTheBox - Blue
HackTheBox - Blue
IppSec
 23 HackTheBox - Calamity
HackTheBox - Calamity
IppSec
 24 HackTheBox - Shrek
HackTheBox - Shrek
IppSec
 25 HackTheBox - Mirai
HackTheBox - Mirai
IppSec
 26 HackTheBox - Shocker
HackTheBox - Shocker
IppSec
 27 HackTheBox - Mantis
HackTheBox - Mantis
IppSec
 28 HackTheBox - Node
HackTheBox - Node
IppSec
 29 HackTheBox - Kotarak
HackTheBox - Kotarak
IppSec
 30 HackTheBox - Enterprise
HackTheBox - Enterprise
IppSec
 31 HackTheBox - Sense
HackTheBox - Sense
IppSec
 32 HackTheBox - Minion
HackTheBox - Minion
IppSec
 33 VulnHub - Sokar
VulnHub - Sokar
IppSec
 34 VulnHub - Pinkys Palace v2
VulnHub - Pinkys Palace v2
IppSec
 35 HackTheBox - Inception
HackTheBox - Inception
IppSec
 36 Vulnhub - Trollcave 1.2
Vulnhub - Trollcave 1.2
IppSec
 37 HackTheBox - Ariekei
HackTheBox - Ariekei
IppSec
 38 HackTheBox - Flux Capacitor
HackTheBox - Flux Capacitor
IppSec
 39 HackTheBox - Jeeves
HackTheBox - Jeeves
IppSec
 40 HackTheBox - Tally
HackTheBox - Tally
IppSec
 41 HackTheBox - CrimeStoppers
HackTheBox - CrimeStoppers
IppSec
 42 HackTheBox - Fulcrum
HackTheBox - Fulcrum
IppSec
 43 HackTheBox - Chatterbox
HackTheBox - Chatterbox
IppSec
 44 HackTheBox - Falafel
HackTheBox - Falafel
IppSec
 45 How To Create Empire Modules
How To Create Empire Modules
IppSec
 46 HackTheBox - Nightmare
HackTheBox - Nightmare
IppSec
 47 HackTheBox - Nightmarev2 - Speed Run/Unintended Solutions
HackTheBox - Nightmarev2 - Speed Run/Unintended Solutions
IppSec
 48 HackTheBox - Bart
HackTheBox - Bart
IppSec
 49 HackTheBox - Aragog
HackTheBox - Aragog
IppSec
 50 HackTheBox - Valentine
HackTheBox - Valentine
IppSec
 51 HackTheBox - Silo
HackTheBox - Silo
IppSec
 52 HackTheBox - Rabbit
HackTheBox - Rabbit
IppSec
 53 HackTheBox - Celestial
HackTheBox - Celestial
IppSec
 54 HackTheBox - Stratosphere
HackTheBox - Stratosphere
IppSec
 55 HackTheBox - Poison
HackTheBox - Poison
IppSec
 56 HackTheBox - Canape
HackTheBox - Canape
IppSec
 57 HackTheBox - Olympus
HackTheBox - Olympus
IppSec
 58 HackTheBox - Sunday
HackTheBox - Sunday
IppSec
 59 HackTheBox - Fighter
HackTheBox - Fighter
IppSec
 60 HackTheBox - Bounty
HackTheBox - Bounty
IppSec

Related AI Lessons

The Context Window Is Lying to You— And Your Harness Is the Only Thing That Matters
Learn why the context window in AI models can be misleading and how to focus on the harness for better results
Medium · AI
I compared 4 Chinese AI models against GPT-4o and Claude — the price gap is absurd (2026)
Discover how Chinese AI models compare to Western counterparts like GPT-4 and Claude in terms of price and performance, and what this means for builders
Dev.to AI
NVIDIA Launches Nemotron 3 Nano Omni Model, Unifying Vision, Audio and Language for up to 9x More Efficient AI Agents
NVIDIA launches Nemotron 3 Nano Omni, a multimodal model that unifies vision, audio, and language for more efficient AI agents
NVIDIA AI Blog
Celebrating 20 years of Google Translate: Fun facts, tips and new features to try
Celebrate 20 years of Google Translate by exploring its history, fun facts, and new features to improve your language translation skills
Google AI Blog

Chapters (25)

1:12 Begin of Recon
1:55 Running Cewl to generate a wordlist
2:50 Finding secret.txt in the HTML Source, which happens to be the password
3:28 Runninh JoomScan so we have something running in the background
4:20 Checking the manifest to get the Joomla Version
6:20 Explaining what equals mean in base64
7:50 Begin of hunting for Joomla Username
8:30 BruteForcing Joomla Login with WFUZZ
10:35 Troubleshooting by sending wfuzz through burp
12:25 Turns out the CSRF Token is tied to cookie, adding that to the wfuzz command
17:10 Success! Logged into Joomla
17:58 Gaining code execution by modifying a template
20:20 Getting a reverse shell
23:20 Finding the file: password_backup which is encoded
23:55 Extracting password_backup manually with xxd, zcat, bzcat, tar
25:43 Extracting Password_Backup with CyberChef
27:35 Logging in with Floris
28:17 Looking at /home/floris/AdminArea
28:50 Testing the input file by changing the url to us
29:30 Getting LFI by using file:// within curl
30:38 Pulling the cron, to see what is going on
31:25 Cron shows curl -K to use curl with a config file, checking man page.
32:05 Changing where curl saves to, in order to gain a root shell
33:45 Showing another good file to read with the LFI (logs)
34:18 Using pspy to show when processes start/end, which shows the curl command with
Up next
5 Levels of AI Agents - From Simple LLM Calls to Multi-Agent Systems
Dave Ebbelaar (LLM Eng)
Watch →