HackTheBox - Secret

IppSec · Beginner ·🧠 Large Language Models ·4y ago

Skills: Tool Use & Function Calling90%LLM Foundations80%Prompt Craft60%Fine-tuning LLMs50%

00:00 - Into 01:04 - Start of nmap talking about seeing two ports having the same HTTP Banner 03:20 - Checking out the webpage to discover source code and some docs 04:00 - Always RTFM, Playing with the API to Register a user, login, and check out privilege level. 05:50 - Renaming our burp repeater tab by just double clicking on the number 07:30 - Trying to login with a name instead of email 10:10 - Testing our login token to find out it uses JWT's in a non-standard way 10:50 - Analyzing the source code to see the token is used in a header called "auth-token" 12:40 - Looking at git commit history to see there is a hard coded secret in an older commit and forging a token 13:40 - Changing our tokens user, going back to the source code and seeing "theadmin" is a hardcoded administrative user 14:30 - Talking about the importance of rotating secrets in a web application 16:30 - Analyzing the private.js which shows a logs endpoint that is vulnerable to RCE 17:50 - Testing command injection and getting a reverse shell 22:00 - Noticing we are a user on the box, seeing our shell is /bin/bash, dropping a SSH Key for a second way into the box 23:40 - Checking NGINX Configuration to see if there is any difference between the two websites (port 80 and 3000), there isnt. 25:20 - Running LinPEAS, discovering a custom SetUID Binary called count 30:00 - Running the custom count binary against /etc/shadow, discovering it can read files as root, but not write files as root 31:57 - Examining the source code, to discover it allows for dump files to be created 33:15 - Failing to kill the linux process with the correct signal 34:50 - Pulling up the man page to kill and listing all signals, then killing the process with a Segfault (11) 36:40 - Using apport-unpack to extract the crash report into readable files 37:23 - Examining the coredump to discover the file read is there! Then doing the same thing with an SSH Key to get root on the box 40:00 - Showing how file descriptors (/proc/pid/f

Watch on YouTube ↗ (saves to browser)

Sign in to unlock AI tutor explanation · ⚡30

Playlist

Uploads from IppSec · IppSec · 0 of 60

← Previous Next →

HHC2016 - Analytics

HHC2016 - Analytics

HackTheBox - October

HackTheBox - October

HackTheBox - Arctic

HackTheBox - Arctic

HackTheBox - Brainfuck

HackTheBox - Brainfuck

HackTheBox - Bank

HackTheBox - Bank

HackTheBox - Joker

HackTheBox - Joker

HackTheBox - Lazy

HackTheBox - Lazy

Camp CTF 2015 - Bitterman

Camp CTF 2015 - Bitterman

HackTheBox - Devel

HackTheBox - Devel

Reversing Malicious Office Document (Macro) Emotet(?)

Reversing Malicious Office Document (Macro) Emotet(?)

HackTheBox - Granny and Grandpa

HackTheBox - Granny and Grandpa

HackTheBox - Pivoting Update: Granny and Grandpa

HackTheBox - Pivoting Update: Granny and Grandpa

HackTheBox - Optimum

HackTheBox - Optimum

HackTheBox - Charon

HackTheBox - Charon

HackTheBox - Sneaky

HackTheBox - Sneaky

HackTheBox - Holiday

HackTheBox - Holiday

HackTheBox - Europa

HackTheBox - Europa

Introduction to tmux

Introduction to tmux

HackTheBox - Blocky

HackTheBox - Blocky

HackTheBox - Nineveh

HackTheBox - Nineveh

HackTheBox - Jail

HackTheBox - Jail

HackTheBox - Blue

HackTheBox - Blue

HackTheBox - Calamity

HackTheBox - Calamity

HackTheBox - Shrek

HackTheBox - Shrek

HackTheBox - Mirai

HackTheBox - Mirai

HackTheBox - Shocker

HackTheBox - Shocker

HackTheBox - Mantis

HackTheBox - Mantis

HackTheBox - Node

HackTheBox - Node

HackTheBox - Kotarak

HackTheBox - Kotarak

HackTheBox - Enterprise

HackTheBox - Enterprise

HackTheBox - Sense

HackTheBox - Sense

HackTheBox - Minion

HackTheBox - Minion

VulnHub - Sokar

VulnHub - Sokar

VulnHub - Pinkys Palace v2

VulnHub - Pinkys Palace v2

HackTheBox - Inception

HackTheBox - Inception

Vulnhub - Trollcave 1.2

Vulnhub - Trollcave 1.2

HackTheBox - Ariekei

HackTheBox - Ariekei

HackTheBox - Flux Capacitor

HackTheBox - Flux Capacitor

HackTheBox - Jeeves

HackTheBox - Jeeves

HackTheBox - Tally

HackTheBox - Tally

HackTheBox - CrimeStoppers

HackTheBox - CrimeStoppers

HackTheBox - Fulcrum

HackTheBox - Fulcrum

HackTheBox - Chatterbox

HackTheBox - Chatterbox

HackTheBox - Falafel

HackTheBox - Falafel

How To Create Empire Modules

How To Create Empire Modules

HackTheBox - Nightmare

HackTheBox - Nightmare

HackTheBox - Nightmarev2 - Speed Run/Unintended Solutions

HackTheBox - Nightmarev2 - Speed Run/Unintended Solutions

HackTheBox - Bart

HackTheBox - Bart

HackTheBox - Aragog

HackTheBox - Aragog

HackTheBox - Valentine

HackTheBox - Valentine

HackTheBox - Silo

HackTheBox - Silo

HackTheBox - Rabbit

HackTheBox - Rabbit

HackTheBox - Celestial

HackTheBox - Celestial

HackTheBox - Stratosphere

HackTheBox - Stratosphere

HackTheBox - Poison

HackTheBox - Poison

HackTheBox - Canape

HackTheBox - Canape

HackTheBox - Olympus

HackTheBox - Olympus

HackTheBox - Sunday

HackTheBox - Sunday

HackTheBox - Fighter

HackTheBox - Fighter

HackTheBox - Bounty

HackTheBox - Bounty

More on: Tool Use & Function Calling

View skill →

Adding a Phone Gateway to a Virtual Agent

Administering an AlloyDB Database

Cloud Storage: Qwik Start - CLI/SDK

Cloud Composer: Copying BigQuery Tables Across Different Locations

Getting started with Firebase Cloud Firestore

Getting Started with Liquid to Customize the Looker User Experience

Related AI Lessons

Pony.ai Unveils NVIDIA-Powered Domain Controller for L4 Autonomy

Pony.ai and NVIDIA collaborate on a domain controller for L4 autonomy, enhancing large-scale autonomous driving deployment

Your LLM budget alerts won't save you if you can't map costs to users

Learn to map LLM costs to users to avoid unexpected expenses, despite having budget alerts

Dev.to · John Medina

A System-Prompt Skeleton That Survives Claude/GPT/Gemini Swaps

Learn to create a system-prompt skeleton that works across different AI models like Claude, GPT, and Gemini, and understand the importance of this flexibility in AI development

Dev.to · Gabriel Anhaia

Wire OpenTelemetry Around Your Anthropic Python Calls

Learn to use OpenTelemetry with Anthropic Python calls for improved observability and monitoring

Dev.to · Gabriel Anhaia

Chapters (23)

Into

1:04 Start of nmap talking about seeing two ports having the same HTTP Banner

3:20 Checking out the webpage to discover source code and some docs

4:00 Always RTFM, Playing with the API to Register a user, login, and check out pri

5:50 Renaming our burp repeater tab by just double clicking on the number

7:30 Trying to login with a name instead of email

10:10 Testing our login token to find out it uses JWT's in a non-standard way

10:50 Analyzing the source code to see the token is used in a header called "auth-to

12:40 Looking at git commit history to see there is a hard coded secret in an older

13:40 Changing our tokens user, going back to the source code and seeing "theadmin"

14:30 Talking about the importance of rotating secrets in a web application

16:30 Analyzing the private.js which shows a logs endpoint that is vulnerable to RCE

17:50 Testing command injection and getting a reverse shell

22:00 Noticing we are a user on the box, seeing our shell is /bin/bash, dropping a S

23:40 Checking NGINX Configuration to see if there is any difference between the two

25:20 Running LinPEAS, discovering a custom SetUID Binary called count

30:00 Running the custom count binary against /etc/shadow, discovering it can read f

31:57 Examining the source code, to discover it allows for dump files to be created

33:15 Failing to kill the linux process with the correct signal

34:50 Pulling up the man page to kill and listing all signals, then killing the proc

36:40 Using apport-unpack to extract the crash report into readable files

37:23 Examining the coredump to discover the file read is there! Then doing the sam

40:00 Showing how file descriptors (/proc/pid/f

5 Levels of AI Agents - From Simple LLM Calls to Multi-Agent Systems

Dave Ebbelaar (LLM Eng)