HackThebox - Boardlight

Name: HackThebox - Boardlight
Uploaded: 2024-09-28T15:00:26Z
Channel: IppSec
Description: 00:00 - Introduction 00:50 - Start of nmap 04:00 - Running a VHOST Scan to discover CRM Subdomain 04:50 - Discovering Dolibarr is running at version 17....

IppSec · Beginner ·📊 Data Analytics & Business Intelligence ·1y ago

00:00 - Introduction 00:50 - Start of nmap 04:00 - Running a VHOST Scan to discover CRM Subdomain 04:50 - Discovering Dolibarr is running at version 17.0.0 which is vulnerable to CVE-2023-30253 05:30 - Discovering default credentials of admin:admin work then running the exploit 07:30 - Using BurpSuite to act as a Transparent/In-Line proxy so we can proxy the exploit script without editing it, so we can understand what it does 12:45 - Manually stepping through the exploit to understand exactly what it does 19:15 - Reverse shell returned, dumping the local database 22:50 - Just trying the MySQL …

Watch on YouTube ↗ (saves to browser)

Chapters (14)

Introduction

0:50 Start of nmap

4:00 Running a VHOST Scan to discover CRM Subdomain

4:50 Discovering Dolibarr is running at version 17.0.0 which is vulnerable to CVE-2

5:30 Discovering default credentials of admin:admin work then running the exploit

7:30 Using BurpSuite to act as a Transparent/In-Line proxy so we can proxy the expl

12:45 Manually stepping through the exploit to understand exactly what it does

19:15 Reverse shell returned, dumping the local database

22:50 Just trying the MySQL Password with Larissa and finding password re-use

25:20 Discovering a SetUID Binary called Enlightenment_sys getting the version from

30:00 BEYOND Root: Understanding how the Enlightenment_sys privesc works and doing s

35:00 Discovering why the exploit uses /tmp///net

38:35 Looking at how the command injection happens

40:55 Looking at why we couldn't use www-data to exploit this binary

Playlist

Uploads from IppSec · IppSec · 0 of 60

← Previous Next →