HackTheBox - Attended

Name: HackTheBox - Attended
Uploaded: 2021-05-08T15:02:11Z
Channel: IppSec
Description: 00:00 - Intro 01:15 - Showing a tmux keybinding to 03:06 - Setting up an IPTables rule to log new connections 05:00 - Using SWAKS to send an email 07:...

IppSec · Beginner ·🤖 AI Agents & Automation ·4y ago

00:00 - Intro 01:15 - Showing a tmux keybinding to 03:06 - Setting up an IPTables rule to log new connections 05:00 - Using SWAKS to send an email 07:15 - Starting up a python SMTP Server so we can see the email coming back to us 12:23 - Finding a VIM RCE and verifying it works by using ping 16:25 - Testing a python2 web cradle within the VIM Exploit 20:00 - Explaining how our C2 is going to work and why what we are doing it uniquely 23:50 - Quick high level overview of the C2 Program we are creating 24:50 - Start coding the C2 34:20 - Demoing the C2 Keeping the HTTP Request alive until a co…

Watch on YouTube ↗ (saves to browser)

Chapters (30)

Intro

1:15 Showing a tmux keybinding to

3:06 Setting up an IPTables rule to log new connections

5:00 Using SWAKS to send an email

7:15 Starting up a python SMTP Server so we can see the email coming back to us

12:23 Finding a VIM RCE and verifying it works by using ping

16:25 Testing a python2 web cradle within the VIM Exploit

20:00 Explaining how our C2 is going to work and why what we are doing it uniquely

23:50 Quick high level overview of the C2 Program we are creating

24:50 Start coding the C2

34:20 Demoing the C2 Keeping the HTTP Request alive until a command is sent

39:00 Updating our Client/Implant to work with the new C2

41:45 Updating the Web Cradle with our improved agent and getting a shell as Guly

44:10 Discovering an SSH Config, updating it to put our web cradle in ProxyCommand t

59:15 Start of analyzing the AuthKeys binary

1:09:10 Installing OpenBSD

1:15:16 Getting GEF on OpenBSD to help with reversing

1:17:30 Back to analyzing the binary, examining the registers after Base64

1:22:10 Using Pattern Create with a large string to crash the program and find out wha

1:25:50 Controlling RIP and dealing with an annoying python3 oddity that makes me use

1:31:10 Start of talking about ROP Chains and looking up the Execve Syscall informatio

1:32:39 Comparing OpenBSD to Linux Syscall numbers and realizing why linux segfaulted

1:35:00 Using Ropper to print gadgets

1:36:30 Start of RAX Gadget, finding SHR and NOT

1:39:00 Showing the start of base64 decode is hard coded at a memory address

1:40:52 Explaining how to create any number with just the NOT and SHR instructions.

1:48:10 Start of RDI Gadget (movss and cvtss1si)

1:54:40 Start of creating our exploit program and prove we can set RAX

2:04:15 Adding the ability to set RDI which requires putting some data on the stack

2:13:30 Explaining our writing to the stack

Playlist

Uploads from IppSec · IppSec · 0 of 60

← Previous Next →