HackTheBox - AI

Name: HackTheBox - AI
Uploaded: 2020-01-25T15:01:24Z
Channel: IppSec
Description: 01:05 - Begin of Recon 01:50 - Taking a look at the page, noticing the site is PHP, running GoBuster to find other PHP Files. 03:45 - Playing with the F...

IppSec · Beginner ·📊 Data Analytics & Business Intelligence ·6y ago

01:05 - Begin of Recon 01:50 - Taking a look at the page, noticing the site is PHP, running GoBuster to find other PHP Files. 03:45 - Playing with the File Upload, failing to identify how uploaded files are stored 05:20 - Investigating PHP Files that GoBuster found, discovering intelligence.php 06:30 - Searching for Text to Speach programs (create WAV Files) 08:50 - The first program didn't do a good job saving WAV Files, Downloading Festival 09:17 - Installing apt-file so we can use apt to search for what package contains a file (like yum whatprovides) 11:05 - Using text2wave to create wav fi…

Watch on YouTube ↗ (saves to browser)

Chapters (18)

1:05 Begin of Recon

1:50 Taking a look at the page, noticing the site is PHP, running GoBuster to find

3:45 Playing with the File Upload, failing to identify how uploaded files are store

5:20 Investigating PHP Files that GoBuster found, discovering intelligence.php

6:30 Searching for Text to Speach programs (create WAV Files)

8:50 The first program didn't do a good job saving WAV Files, Downloading Festival

9:17 Installing apt-file so we can use apt to search for what package contains a fi

11:05 Using text2wave to create wav files and upload them, then discover a SQL Injec

14:04 Having trouble getting the voice recognition to recognize the word union. Usi

19:10 Extracting the username and password out of the database, then logging in via

21:00 Investigating how the file upload script works, turns out to be a dead end

23:40 Running linPEAS to check other privesc paths (see JDWP)

26:50 Enumerating the local MySQL Database to get other credentials

28:00 Starting to investigate the Tomcat ports (8000, 8009, and 8080)

29:00 Doing SSH Tunnels via the SSH Binary to forward 8080/8009 to our box then look

30:20 Doing SSH Tunnels from within a SSH Session (~c) to forward port 8000 without

32:10 Manually using JDB to execute a command via java.lang.Runtime

42:30 Manually debugging JDWP is a bad idea, doing it the better way with jdwp-shell

Playlist

Uploads from IppSec · IppSec · 0 of 60

← Previous Next →