HackTheBox - Bighead

Name: HackTheBox - Bighead
Uploaded: 2019-05-04T15:19:48Z
Channel: IppSec
Description: 00:01:10 - Begin of Nmap 00:04:45 - Pulling important information from the website 00:06:00 - Discovering DNS Names, adding stuff to /etc/hosts 00:18:30...

IppSec · Intermediate ·🔐 Cybersecurity ·6y ago

00:01:10 - Begin of Nmap 00:04:45 - Pulling important information from the website 00:06:00 - Discovering DNS Names, adding stuff to /etc/hosts 00:18:30 - Odd behavior with code.bighead.htb, redirects us to 127.0.0.1; change that with Burp 00:23:50 - Using wfuzz to dirbust, with the ability to see HTTP Codes (hunting for 418) 00:27:00 - Found BigHead Web Server on Github, pulling Zips and cracking 00:36:40 - Before reversing the binary, keep hunting for information about the OS 00:43:40 - Discovering PHPInfo within the PhpMyAdmin directory, has OS. 00:46:00 - Installing Immunity and Mona 00:47…

Watch on YouTube ↗ (saves to browser)

Chapters (28)

1:10 Begin of Nmap

4:45 Pulling important information from the website

6:00 Discovering DNS Names, adding stuff to /etc/hosts

18:30 Odd behavior with code.bighead.htb, redirects us to 127.0.0.1; change that wit

23:50 Using wfuzz to dirbust, with the ability to see HTTP Codes (hunting for 418)

27:00 Found BigHead Web Server on Github, pulling Zips and cracking

36:40 Before reversing the binary, keep hunting for information about the OS

43:40 Discovering PHPInfo within the PhpMyAdmin directory, has OS.

46:00 Installing Immunity and Mona

47:30 Grabbing MinGW so we can run the Bighead Webserver

55:40 Crashing the webserver, seeing we have

1:00:00 Sending a pattern to the box and examining the stack to see where our overwrit

1:06:15 Validating we know where all our overwrites are (EAX,EBX,EIP,ESP)

1:10:06 Explanation of EggHunters

1:16:05 Grabbing the shellcode we want, then adding it to our exploit script

1:24:50 Validating our exploit is working as we intended by setting a break point on J

1:27:00 Our box complains about DEP, lets disable that on our OS and hope its disabled

1:30:00 Running the exploit against the target and getting a shell back!

1:35:00 Searching the registry (HKLM) for "password"

1:37:00 Dumping information about services on the box (HKLM\System\CurrentControlSet\S

1:38:15 Discovery of NGINX password, then looking at ports listening on localhost

1:41:08 Found SSH Listening on 127.0.0.1:2020, Setting up a reverse tunnel with Chisel

1:45:10 SSH into nginx@Bighead over port 2020, land in an extremely restricted shell

1:50:30 Searching for vulnerable PHP Code, discovering testlink

2:02:55 Exploiting an LFI Vulnerability

2:07:00 Using Netcat to get a reverse shell

2:16:10 Looking at the KeePass Configuration File to see where the KDBX and Key is

2:18:55 A bunch of pain trying to get data off the Alternate Data St

Playlist

Uploads from IppSec · IppSec · 0 of 60

← Previous Next →