- 430
- 12 423 462
IppSec
Приєднався 21 гру 2016
Video Search: ippsec.rocks
HackTheBox - Crafty
00:00 - Introduction
01:00 - Start of nmap
02:55 - Doing a full nmap scan, then scanning the minecraft ports with scripts to discover minecraft version
04:45 - Discovering this minecraft version is vulnerable to Log4j
06:50 - Extracting Java Version/Class Path/etc via Log4j
10:40 - Using the Log4j Shell POC to get a shell, this reflectively loads a Java Library
13:50 - Getting a reverse shell
15:00 - Discovering plugins on the server, copying the JAR over to our box and decompiling it to discover hardcoded credentials
20:20 - Using PowerShell to run a command as Administrator to get root
01:00 - Start of nmap
02:55 - Doing a full nmap scan, then scanning the minecraft ports with scripts to discover minecraft version
04:45 - Discovering this minecraft version is vulnerable to Log4j
06:50 - Extracting Java Version/Class Path/etc via Log4j
10:40 - Using the Log4j Shell POC to get a shell, this reflectively loads a Java Library
13:50 - Getting a reverse shell
15:00 - Discovering plugins on the server, copying the JAR over to our box and decompiling it to discover hardcoded credentials
20:20 - Using PowerShell to run a command as Administrator to get root
Переглядів: 4 446
Відео
HackTheBox - POV
Переглядів 8 тис.19 годин тому
00:00 - Introduction 01:00 - Start of nmap 02:45 - Discovering the Dev Subdomain 04:00 - Playing with the Resume Download, discovering a File Disclosure Vulnerability 05:40 - Discovering some odd behavior with ../, its just a replace. Grabbing web.config 08:15 - Using YsoSerial.Net to create a malicious ViewState Gadget, be careful with command prompt and single quotes! 12:00 - Getting a revers...
Using PAM EXEC to Log Passwords on Linux
Переглядів 8 тис.14 днів тому
Video will be public June 2nd 00:00 - Introduction 01:04 - Talking about what PAM is 05:00 - Talking about pam_exec 08:15 - Creating a bash script pam_exec calls to log passwords 12:20 - Creating a GoLang binary that replicates our Bash Script to log passwords 16:00 - First iteration almost done, dumping all passwords 18:38 - Explaining how we will add if the authentication was successful in ou...
HackTheBox - Analysis
Переглядів 7 тис.14 днів тому
00:00 - Introduction 01:05 - Start of nmap 05:00 - Discovering the internal.analysis.htb subdomain 07:55 - Talking about why I want to run FeroxBuster here and showing the menu so we can stop crawling non-interesting directories (ex: js, css, img) 13:30 - Discovering list.php in users and fuzzing parameters 16:40 - Start of program to bruteforce usernames 21:55 - Got the first character of ever...
HackTheBox - Bizness
Переглядів 11 тис.21 день тому
00:00 - Introduction 01:00 - Start of nmap 03:00 - Seeing JSESSIONID and NGINX trying the off by slash exploit to get access to /manager, doesn't work here 04:30 - Dirbusting with FFUF because the lack of 404's messed with gobuster 07:40 - Discovering the OfBiz Version, looking for exploits 09:00 - Going over the Authentication Bypass in OfBiz 12:40 - Downloading YSOSERIAL and building a Docker...
HackTheBox - Ouija
Переглядів 11 тис.28 днів тому
00:00 - Introduction 01:00 - Start of nmap 03:15 - Fuzzing the API port port 3000 with ffuf 09:00 - Discovering the Gitea Domain and seeing a repo which discloses HA Proxy 2.2.16 is in use 11:50 - Exploring CVE-2021-40346 an integer overflow in HA Proxy which enables HTTP Smuggling 18:00 - Putting a 3rd request in to make the HTTP Smuggle reliable and grabbing the source code to app.js 28:45 - ...
HackTheBox - Monitored
Переглядів 9 тис.Місяць тому
00:00 - Introduction 01:00 - Start of nmap 02:40 - Examining the webpage, not finding much 05:30 - Checking out SNMP, discovering its open with the default community string. Installing MIBS so we can make sense of the data 08:20 - The process list is in SNMP, explaining how to read this data 12:40 - Grepping interesting processes discovering there's a bash script that has user credentials in ar...
HackTheBox - Napper
Переглядів 9 тис.Місяць тому
00:00 - Introduction 00:55 - Start of nmap, showing -vv will cause the output to contain TTL 04:40 - Checking out the website 05:23 - Doing a VHOST Bruteforce to discover the internal domain and discovering credentials on a blog post 07:30 - Checking out the NAPListener blog post, which gives us a way to enumerate for the NAPLISTENER Implant 10:30 - Showing the Backdoor code to discover how it ...
HackTheBox - Devvortex
Переглядів 11 тис.Місяць тому
00:00 - Intro 01:00 - Start of nmap 03:45 - Discovering dev.devvortex.htb is a Joomla Page, showing JoomScan and enumerating version manually through manifests 07:00 - Looking for Joomla Exploits for version 4.2.6, discovering a way to view application config as an unauthenticated user 09:40 - Start of deep dive into the exploit, looking at commits on the day the advisory said this was patched ...
HackTheBox - Surveillance
Переглядів 11 тис.Місяць тому
00:00 - Introduction 01:00 - Start of nmap 02:45 - Discovering an exploit for Craft CMS, it doesn't work out of the box because of a typo on exploit-db looking into this exploit 06:00 - Walking through the Exploit Script 11:45 - Getting a shell on the box with the script that was on Github 14:45 - Logging into the CraftCMS Database, finding the password 17:30 - There is a backup of the database...
HackTheBox - Hospital
Переглядів 22 тис.2 місяці тому
00:00 - Introduction 01:00 - Start of nmap 03:00 - Analyzing the TTL to see that the Linux Host is likely a Virtual Machine. Also Docker is not at play since it decremented 07:00 - Attacking the PHP Image Upload Form, discovering we can upload phar files 13:48 - Uploading a php shell, discovering there are disabled functions blocking system 17:15 - Using dfunc bypass to identify proc_open is no...
HackTheBox - Codify
Переглядів 11 тис.2 місяці тому
00:00 - Introduction 01:00 - Start of nmap 02:50 - Playing with the Javascript Editor, discovering filesystem calls are blocked 04:45 - Discovering the sandbox is vm2, going to github discovering it is discontinued with known security issues 06:30 - Getting code execution, then a reverse shell 09:50 - Discovering a second website with a database, cracking hashes in the database 12:50 - Discover...
HackTheBox - Rebound
Переглядів 11 тис.2 місяці тому
00:00 - Introduction 01:07 - Start of nmap then checking SMB Shares 04:05 - Using NetExec to do a RID Brute Force and increase the maximum to 10000 07:00 - Using vim g!/{string}/d to delete all lines that do not contain something to build wordlists 10:40 - Using ASREP Roasting to perform a Kerberoast attack without authentication 17:40 - Using NetExec to run Bloodhound as ldap_monitor 25:30 - D...
HackTheBox - Analytics
Переглядів 11 тис.2 місяці тому
0:00 - Introduction 01:00 - Start of nmap 03:20 - Discovering Metabase, noticing the HTTP Headers are different. Checking TTL just to see if it decrements from the main web page. 07:00 - Searching for an exploit for metabase, then enumerating version 09:30 - Manually exploiting Metabase by pulling the setup-token, then getting injection on the /setup/validate endpoint through the JDBC Driver 15...
HackTheBox - Manager
Переглядів 10 тис.3 місяці тому
00:00 - Introduction 01:00 - Start of Nmap 03:20 - Checking out the website, deciding there isn't much of interest here 05:10 - Running Kerbrute with a userlist to identify valid users 05:50 - Showing what Kerbrute is doing with NetExec 09:00 - A better way to enumerate valid users, RID Bruteforce, showing it with NetExec 10:50 - Using RPCClient to show how RID Bruteforce works 14:00 - Using Ne...
Automating a File Disclosure Vulnerability to Crawl Website Source
Переглядів 12 тис.4 місяці тому
Automating a File Disclosure Vulnerability to Crawl Website Source
IR Employee Fell for a Call Center - HTB Sherlocks - Tick Tock
Переглядів 9 тис.6 місяців тому
IR Employee Fell for a Call Center - HTB Sherlocks - Tick Tock
8:33 the power of friendship
"Your Nmap skills are top-notch! 🔥 Always learning from the best. Keep it up! 💪 #ProHacker"
22:21 why didn't PSSession worked???
WinRM is probably disabled since it's not connecting at all, but you can also disable PSRemoting per user or globally. It's convenient when it's available, but it isn't always
I know a similar question was asked but i was curious for the privEsc exploit - is this something you just saw that it was an older windows DC and just gave it a whirl? is that vulnerability something you would just try against windows server 2008 and 2012 DC's off the bat? Thanks!
I don’t fully remember, but I don’t think I’d try it in the future just because there’s a big difference between 4 years and 10 years. If I saw an old machine, I’d presume it’s vulnerable to eternal blue and check that
I want to try this out for my career can anyone put me through please?
16:15 apart from the username abd password, you forget to put the share
this called me ignorant in 10 different languages and finished it with a slap on the face.
Hey Ipp, did you know there's a town in Central African Republic named after a handsome man at 6.2716° N, 21.1951° E?
Can you make more videos for web apps? I think web app videos might get more views because web developers can also watch and understand so that they are able to better harden their site. Your videos are great but I have to dedicate my time completely to web development.
hi ippsec, i think free users only have access to one most recently retired box.
Dang it. I'll jump on and fix this in 10 minutes if no one else has already
@@0xdf thanks legend. it is fixed
I didn't quite like this box, it was annoying because... Minecraft 😂 I think log4j could've been depicted using another service.
Is it realistic for someone to host a Minecraft server from their PC? I don't know, I don't play Minecraft.
Yes, definitely
It makes sense since this was where log4shell was first discovered/exploited
@@0xdf it does make sense, but Minecraft was far from being the only problem. And it was totally impractical for the few of us that actually installed the game in a VM
fuck this box
🤣
I think you are showing this log4j stuff from an experienced pov that dealt with it many times so you just know what to do each time, rather than showing the actual methodology a newbie would go through when they face a certain exploit for the first time.
I don't speak for ipp, but the research is the hardest thing to show on a video. The first time I saw Minecraft/log4shell I spent hours reading about it and trying to understand it, which was tricky since I didn't have any experience with the game. But I don't think watching ipp read for an hour would make good UA-cam
Yeah what 0xdf had said. Like most things if there’s a topic that’s hard go to Ippsec.rocks and choose an earlier video. LogForge shows log4j well
I'm pretty windows by default now won't connect to a share unauthenticated. If you set up your share with a username and password on crafty, it works.
yes!
Thanks sir, This is so helpful
God this one was so annoying when it was active, so unstable lol
I actually exploited this using an actual minecraft account xd didnt know theres console client for this
ily
i cannot for the life of me get a reverse shell on this machine even when i follow this tutorial
I was searching for it...but youtube only gave me that he wanted... And now i found this
bro can u make font size bigger or use zoom in for whole video coz for me its hard to watch those text
Empire Last commit 5 years ago, still useful?
nice!
Love the breakdown! Very clear on your process
Nice! have you (or anybody here) tried cve-2024-4577 PHP-CGI remote execute on this? I tried it but it didn't seem to work and I don't know why.
you bestt <3
Nmap: No:`nmap -sV -sC ...` Yes:`nmap -sCV`, `nmap -sVCS`[Stealth mode] Complete[:`nmap -sVCSYU -O ..`[TCP Stealth(-sS), UDP + SCTP] Idk why you use this stupid, elongated syntax, and have been asking myself this for a reasonable while now...
Primarily because most of my tools that I open with recon don't support combining arguments like that and it is easier for me to just use the one way that is reliable.
this is amazing and insightful content thank you so much
It took me a while to figure this out, but you can also use John the Ripper to crack a salted hash. First, we need to create the file with the hash and salt, in the format <hash>$<salt>. I'll name it admin.hash: b8fd3f41a541a435857a8f3e751cc3a91c174362$d After that, we need to identify the format to be used: john --list=subformats | grep -i sha1 | grep -i '\$s' The command above shows us that we want to use the dynamic_24 and dynamic_25 formats: Format = dynamic_24 type = dynamic_24: sha1($p.$s) Format = dynamic_25 type = dynamic_25: sha1($s.$p) Since we don't know whether the salt is added before or after the string before calculating the hash, we have to test both formats. Finally, we need to run john with both formats: john admin.hash --wordlist=rockyou.txt --format=dynamic_25 After running john with the dynamic_25 format, we find out the the cleartext password that, prepended with the salt "d", generates the hash above.
This was amazing to watch❤.This pwns the Maze lile a true master.
What metasploit version is that?
@32:41 i think it is failing because you are supplying it with a PID (2336) number instead of PPID number corresponding to that which if i can remember it was something like 624.
Hey ippsec are you planning on doing any more live streams for ctf's and things in the near future? Would be great to be more interactive with you picking your brains and learning.. much love my friend 🖖
Push!
What's going on, UA-cam, this is IppSec, and today I'll apply for a job at Google Project Zero
Se garantiu man
i cant stand hacking on a vm so I have to reboot if i want to use a tool like ysoserial for a ctf :(
POV hackbox let's do it love from India ❤
what do you do when you encounter the completely new thing during challenge how do you cope up with that how do you manage to go to the next setup
best thing u can do is take ur time and understand the basics then fit that in ur situation and try to break it
Waiting for the usage machine as my SQLmap failed to retrieve the db contents
Ye cant even get it using manual database retrieve
@@huntit4578 I tried but it didn't worked for did you get it in manual way
use delay and make sure your tokens are not expired.
@@huntit4578For manual set resource pool to 1 or 2 in burp suite
Legend. 🤘🏻🤘🏻
Hi
Hey Bro do you know where i can learn hacking instgram accounts
Are you god
You can use strace into a PID too.
اجيت من قصه ابراهيم وقاسم
15 is crazy I was on my 86th screenshot before getting code execution 😂😂
Push!
great video! can't wait for the next part with the indended root
the Boss is here as always