HackTheBox - Perfection
Published 2024-07-06
00:50 - Start of nmap
02:50 - Discovering the Weighted Grade Calculator which we will exploit
04:50 - Using FFUF to enumerate all bad characters and discovering we can't send any symbols
07:10 - Quick bash one-liner with JQ to URL-encode each line of our wordlist
09:30 - Discovering a New Line character breaks the search for Bad Characters, then getting a shell on the box
14:40 - Shell returned, looking at the source code and seeing the "Bad Character" filter was really a regex whitelist
18:50 - Discovering mail that states the password format used in the database
21:50 - Using hashcat Bruteforce mode to crack the password
All Comments (21)
-
Babe, wake up, new IppSec video dropped
-
I learned pen-testing largely from these videos. Three years ago, I got my first pentesting job and somehow promptly forgot all about IppSec. Until today. It's such a great feeling, to know that all my studies paid off. I can finally understand the full content of these videos! Yipee!!
-
I didn't know you could brute force with hashcat like that. I always learn something new!!
-
❤🎉 another sweet drop from the Wizard of the Matrix.
-
Thanks, as always your explanations are gold!
-
the GOAT
-
ippsec you’re one of my heroes but the way you pronounce ubuntu kills me lmao
-
Solid as usual
-
thanks! great video as always
-
Let's rock❤
-
good vid
-
you are so amazing
-
Thanks
-
Hey Ippsec, I have a question that I guess is unrelated to this particular video, but I know you're the man to ask. So I'm trying to figure out why, if I type echo "password" | md5sum, the output or string is totally different to the string I would get on, say, an md5 hash generator online? Maybe I am being stupid, but I guess I won't know if I don't ask.
-
Aside from HTB and TryHackMe, what tools should I be playing around with on my computer in order to break into Cyber? I have a few ideas: Kali Linux, Linux GUI, Windows command prompt. What else should I download?
-
Really great content, I just wanna ask if you could do more mobile app hacking
-
I assume hashcat checks file each iteration instead of remembering its content
-
hey my burpsuite browser can't connect to the website
-
ffuf supports OS commands to encode input
-
Push!