Before this video gets started, I have to give a quick shout-out to some awesome event coming up tomorrow, the 15th of May at 12 p.m. UTC. I'm super excited. This is gonna be one awesome show. Hack The Box is streaming a live tournament on Twitch. You can check it out at twitch.tv/hackthebox, and it'll be a live competition, a live Hacking Battlegrounds attempt with some incredible players, hosted by myself and IppSec. So this should be one hell of a show. Please, please, please get excited. Check it out, clear some time on your calendar for tomorrow, the 15th of May at 12 p.m. You can find it online on Hack The Box's Twitter if you want to read a little bit more about it. They do have a link to their blog post where you can see all of the fantastic players up in the lineup here, and it's gonna be a great time. Please come out. I hope to see you tomorrow.

What's going on, everybody? Welcome back to another YouTube video. We're still taking a look at the Hack The Box Cyber Apocalypse capture the flag. Let's get started. I'll hop over to my computer screen here, where all the good stuff's going on, and we're moving down. I'm gonna go take a look at this Wild Goose Hunt challenge. Looks like I have the challenge info here: "Outdated alien technology has been found by the human resistance. The system might contain sensitive information that could be of use to us. Can you help?" All right, so it looks like we can go ahead and start this with a little Docker container. I'll go ahead and turn that on; it will generate an IP address and port for me to look at. I will open that up in a new tab here. All right, cool. What is this? Heroes: Heuristically Encrypted Real-time Operating System. This is kind of crazy to look at. What am I doing here? Need a username and password. See if that does anything? No. Okay, are these links? Is this a website? Like, am I on the internet right now? How about admin/admin? Submit. It's still gonna give me a login fail.
Is there, like, a guest account? guest/guest? No. Whatever. Let's go ahead and download these files here that are supposedly present. So I'll go ahead and download that. I'll make a directory for Wild Goose Hunt. I think I'll move, in the Downloads folder, that web wild goose hunt file, bring it into this directory and unzip it. Okay, now we have the source code for all this, another white-box challenge here. Let's take a look at the Dockerfile. Let's see what this is using to build it, in case it happens to put the flag in any specific location. Looks like we are going to end up running Node again, so another kind of JavaScript application that will run server-side. Configuration files, entry point, all good stuff. Let's go ahead and take a look at that entry point in case it does anything interesting. Oh, yeah, okay, this actually starts up MongoDB. So NoSQL, or MongoDB, and that sort of database that isn't a kind of static structured query language, but is a little bit more flexible in how it can hold objects. And it looks like the admin username is something that exists in the users database, and it will have a password here. Okay, that password is going to end up being the flag, and that looks like that's what we need to determine. Is there going to be some NoSQL injection or something that we're going to end up taking advantage of? Let's take a look at this index.js file. Okay, loading up with Express, Mongoose as a library to go ahead and interact with Mongo, the local database. Good enough. Using Pug to view pages and engines here. Using body-parser to read in data; that's probably going to be JSON, JavaScript Object Notation. Is there stuff in these models? Yeah, there's a user kind of data type, or the object for how the user is represented. It just takes the username and password. That's not all that interesting. What is the logic that kind of works with this? Let's check out views. Maybe is there functionality for what's going on here?
Oh, geez, this is Pug, so a templating engine sort of thing in kind of JavaScript Node Express land. Who... I do... Oh, is this the main.js that handles it? It's kind of the HTML that loads it all up. So how about static/js for that JavaScript? Let's check out that main function. Oh, there we go. Yeah, so this is logic for how we log in, and we POST to /api/login with the body being what we supply, and we get the response from that and the data that's returned, whether or not we log in. Oh, this body, though, is just passed along from our target on its own, like from our submitted data. It's not sanitized or anything. It's not going to be validated for other stuff. So that makes me wonder if there is a vulnerability in that, just using blatantly the target. Can I do weird stuff with it? I'll open up my developer tools here; I'll hit F12 on my keyboard. So I'll set a username, I guess again, to be admin. If I hit enter, the login sends a POST request sending the username and password. The response is JSON with an "invalid username or password". So that fails. Can I send, like, the single quote? I know I'm in NoSQL, so this is going to be kind of different. It's not going to end up actually being like the data in the query that does it. It has to use some, like, Node-specific or MongoDB NoSQL-specific syntax. That is a thing, though. Let's go to PayloadsAllTheThings one more time, and let's see if they have something for, like, NoSQL injection, which they do. Perfect. So what are we looking at here? "NoSQL databases provide looser consistency restrictions than traditional SQL databases. By requiring fewer relational constraints and consistency checks" (I can't read) "NoSQL databases often offer performance and scaling benefits. Yet these databases are still potentially vulnerable to injection attacks, even if they aren't using traditional SQL syntax." So we aren't... we aren't... we aren't ever going to log in with this, are we?
I mean, the only user that exists is the admin, and we're not going to be able to get an explicit result back. So once again, I think we're going to be looking at another blind injection technique, except this time with NoSQL. So we've done it; I've been recording a lot of these, and so far it's been like an XPath injection for blind, it's been doing a SQL injection with blind. So they have an entry for this in PayloadsAllTheThings, where we import all the libraries and stuff necessary to be able to do kind of the same structure as I've been doing previously with a blind injection technique. But you can see the payload here: they're specifying a specific object, they're formatting it with the username and adding in passwords, and they use regular expressions to test if the password starts with some found character. So honestly, we could take this and work with it, I think. Let's go back a couple directories. Let's get back to the original, and let's start up another script. We'll actually just paste this all in and add in our #!/usr/bin/env python3. We don't need urllib or urllib, because that's annoying. The username we know is admin, so we can just actually specify that, and it doesn't need to be supplied as a parameter thing there. We'll use an f-string in our case, so... Oh god, what have I done? I murdered something. Did I... The f-strings are kind of going to be annoying because of the curly braces that we use here. You know what? Let's use the format. Let's use the format string rather than the f-string, like the percent representation of something. We don't need that, though. We don't need the username, because we're adding that in as admin. We don't actually want to bother with those bad characters; I think we can leave them removed, because those might be considered to be specific things pulled in from, like, NoSQL. It's going to use that syntax kind of like it would, and regular expressions might be getting in the way. So we can leave the headers.
Let's switch up this u variable to be the URL. The URL will be kind of as we've seen in our requests: it posts to the API location. Yeah, /api/login. So I will actually just grab the root here for that URL, and then we'll do url plus the /api/login. Now the data that we're going to send should realistically be JSON, but it's going to end up kind of interpreting that, because we're supplying that header. verify=False, that would be used for SSL stuff; allow_redirects=False, we're not actually going to end up logging in. I do want to see the response from this, so we send this and let's display it out. That's not a function call with .text, and let's actually exit this so we only send this once and see how it looks. Let's try it, I guess. python3 attempt... Login failed. Oh, password is empty, and c is going to be kind of an "a" to start with. Let's actually set this up kind of as we have previously. Let's do a leaked_data; we'll set that to be an empty list, with the emptiness there. So let's do for character in string.printable, so it's a little bit easier to read, and let's do our character added on to the list of our joined leaked data all put together there. So when we do this, we can go ahead and display with an f-string print "trying" that syntax, and I'll need to make that single quotes so we're not getting messed up in quotes here. Okay, how about now? Now something has failed. My spaces and tabs are getting in the way, so I'll use the blind text to convert all that. Trying zero: login failed. And let's let this keep going, actually, so we can see if we get to see, when we determine whether we successfully log in, that should be a capital C for the flag format. Yeah: "Login successful, welcome back admin."
We see that flying by, so we can check if the response is equal to this, and we'll do that with a JSON again. We can check if that response JSON is equal to this string, in which case, if it is, we'll do a leaked_data.append(character) and break the current character loop. Perfect. So I think we're okay now. Pretty sure that's all we need. We don't need to display out the JSON response anymore, which we are no longer doing anyway. So let's see: after we get the capital C character, will we add it into our known list of characters? Looks like we're good. And will it find HTB, or a capital H? If it does, we know our proof of concept is okay. And then, perfect, now we can just go ahead and add that starting string into our flag format, HTB, and get the ball rolling again. I guess now we found a one. Found a one? I don't know why I started to say that again. It didn't look like we had something else. What will follow that, though? Oh gosh, that didn't seem to behave. How did we get a one there? Is that wrong? Or did it run into a bad character? I must have... Oh, the quote must be getting in the way. So let's remove the double quote as well, as a character that we want to ignore. Are we going to end up with an underscore eventually? This is just, again, the classic kind of troubleshooting of bad characters that we might have used in our payload. There might be a few others, but let's see. Underscore, maybe? No. Backslash is going to die as well. Try that. I use two backslashes there, so it's an escape sequence, because backslash is the escape character in Python. I do want that to be interpreted as a literal backslash, so I'm going to escape that. And let's see if that works a little bit better. Underscore, please. Yes! We did it. Now it goes through a full iteration and we see the underscore does hit successfully, and we're cruising through to the next character. I'm assuming that one is an i, so "i th"... "i thin"... I think... I think... Yeah, I think. All right, we're cruising.
I will pause the recording and let this go. I'll tune back in once, hopefully, we have a flag pulled out. We're still going, but this is a long flag. This is longer than what we've seen before. Right, I think we're reaching the end here. I see the flag spill out in leetspeak: I think the aliens have not used Mongo before. And there we go. Now we have a closing curly brace, and that should be the very end of our flag. Perfect. So that's it. We have used NoSQL, some MongoDB injection, to leak out and do some blind injection to extract out that flag. So I'll go ahead and click that submit flag button here, paste this in. Let's see how we do. And all right, another one down. Heck yeah. So that one, I think we got a little bit of a head start, because we were able to totally steal some code from PayloadsAllTheThings. And what they're doing here is just passing in the object sort of notation, like the curly braces notion, to be able to determine: hey, if username is going to equal, with this sort of operator in NoSQL, a string that we supply, and the password, we're going to check some modifier, like how about $regex: does it match this pattern, where that caret, or the up arrow, is indicating the very start of the line, the start of the string? So we can check, as we build out character by character, that what we're finding is the correct start of the password. That's how we can go about our blind boolean test. So that is the sweet sauce for NoSQL injection in this case. And that's, I don't know, I feel like that's kind of a vanilla payload, but it works well in this case. And that's how we are pulling out that admin password, or the flag in this case. So we're done. That's it. That was that challenge. Take a look at our script, pretty good. And I think that's all for this one. Thanks so much for tuning in, everybody.
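The login lookup and the $regex trick described above, as an added example that is not part of the video or of the challenge's own source: a small JavaScript emulation of the Mongoose query showing why a JSON object in the password field is evaluated as a pattern, the string type check that stops it, and a helper that flags request bodies carrying operator keys. The user store, response strings and function names are constructed for this illustration.

```javascript
// Added example, not the challenge's source: emulates the Mongoose lookup
// { username: body.username, password: body.password } from the walkthrough.
// Constructed user store; the password stands in for the flag.
const users = [{ username: "admin", password: "HTB{constructed_sample}" }];

// Stand-in for how MongoDB matches one query field: a string is compared by
// equality, an object may carry the $regex operator. That is exactly why a
// JSON body of {"password": {"$regex": "^HTB"}} is evaluated as a pattern.
function fieldMatches(stored, cond) {
  if (typeof cond === "string") return stored === cond;
  if (cond && typeof cond === "object" && typeof cond.$regex === "string") {
    return new RegExp(cond.$regex).test(stored);
  }
  return false;
}

function findOne(query) {
  const keys = Object.keys(query);
  return users.find((u) => keys.every((k) => fieldMatches(u[k], query[k]))) || null;
}

// Vulnerable handler logic, mirroring what the video observes: the parsed body
// is forwarded into the query untouched, so operator objects reach the database.
function loginVulnerable(body) {
  const user = findOne({ username: body.username, password: body.password });
  return user ? `Login Successful, welcome back ${user.username}` : "Login Failed";
}

// Hardened variant (added here): both fields must be plain strings before they
// are used in a query, so {"$regex": ...} can never become a pattern match.
function loginHardened(body) {
  if (typeof body.username !== "string" || typeof body.password !== "string") {
    return "Login Failed";
  }
  return loginVulnerable(body);
}

// Detection helper for logs or a WAF rule: does any key in the JSON body start
// with "$", i.e. look like a MongoDB operator? Recurses into nested objects.
function hasOperatorKeys(value) {
  if (!value || typeof value !== "object") return false;
  return Object.keys(value).some((k) => k.startsWith("$") || hasOperatorKeys(value[k]));
}

// Stand-alone demo of the boolean oracle the blind technique relies on.
console.log(loginVulnerable({ username: "admin", password: { $regex: "^HTB" } }));
console.log(loginHardened({ username: "admin", password: { $regex: "^HTB" } }));
```

The same type check is what a body-parser-backed Express route needs before handing req.body to Mongoose; the operator-key helper is useful on the logging side to spot probing like this before the oracle is exhausted.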
Thanks so much for watching. I hope you are enjoying these videos. I realize some of them might run a little bit long, or realize some of them might have me fumbling and failing, but hopefully that's all part of the fun. Hopefully that's part of the learning process. So thank you so, so much for watching. If you guys did like this video, could you please do those YouTube algorithm things? Press that like button. You know, maybe leave a comment, type something in that box there, hit that enter key or submit button, click that submit, I don't know. Please subscribe. Click the bell, get notifications, get notified when I upload something, if you're into that sort of thing, you know. Little alarm clock in the morning. All right, I'm running out, everybody. I think that's the very end of the video. Thanks so much for listening to me. Yep, I love you. I'll see you in the next video. Take care.