HackTheBox - Book

Name: HackTheBox - Book
Uploaded: 2020-07-11T15:00:07Z
Channel: IppSec
Description: 00:00 - Intro 00:34 - Begin of Recon 01:45 - Enumerating the login page 03:05 - Creating an account, identifying what fields are unique 05:00 - Logged i...

IppSec · Beginner ·🔐 Cybersecurity ·5y ago

00:00 - Intro 00:34 - Begin of Recon 01:45 - Enumerating the login page 03:05 - Creating an account, identifying what fields are unique 05:00 - Logged into the page, examining functionality starting with the download.php file 07:30 - Playing with the search field 08:00 - Playing with XSS by using img src 13:00 - Examining the user signup more closely 15:25 - Viewing javascript on the page to show there is a maximum number of characters in username/email 17:20 - Start of attempting SQL Truncation attack 22:25 - Attempting to login to /admin/ with our account to see we get in, then redoing every…

Watch on YouTube ↗ (saves to browser)

Chapters (27)

Intro

0:34 Begin of Recon

1:45 Enumerating the login page

3:05 Creating an account, identifying what fields are unique

5:00 Logged into the page, examining functionality starting with the download.php f

7:30 Playing with the search field

8:00 Playing with XSS by using img src

13:00 Examining the user signup more closely

15:25 Viewing javascript on the page to show there is a maximum number of characters

17:20 Start of attempting SQL Truncation attack

22:25 Attempting to login to /admin/ with our account to see we get in, then redoing

23:20 Explaining the SQL Truncation Attack

35:40 Noticing the PDF Generation processes HTML and probably JavaScript

39:00 Using a Javascript payload that reads a local file on the box

45:20 Getting rid of the Base64 Encoding in the payload and reading /etc/passwd

46:18 Trying (and failing) to grab /proc/self/environ

54:10 Attempting to grab an SSH Key for the Reader User

56:00 SSH Key is poorly formatted. Using pdf2text to see if formatting is better

57:30 PDF2Text didn't work, lets try PDF2HTML which does a great job

59:45 Revisiting the Base64 Payload to see if PDF2HTML grabs all the Base64 (it does

1:02:15 Running LINPEAS to see we may be able to exploit log rotate

1:06:10 Poorly explaining how logrotten works

1:12:30 Performing the Logrotten exploit to get a reverse shell

1:18:15 Finally keeping the reverse shell alive

1:20:25 Examining how the SQL Truncation vulnerability came to be by looking at the PH

1:27:30 Showing how it determines the admin user and uses trim() which is why our atta

1:29:40 Examining the PHP Sessions

Playlist

Uploads from IppSec · IppSec · 0 of 60

← Previous Next →