HackTheBox - BroScience

Name: HackTheBox - BroScience
Uploaded: 2023-04-08T14:59:32Z
Channel: IppSec
Description: 00:00 - Intro 00:51 - Start of nmap 02:30 - Finding some vulnerable-looking parameters 03:50 - Testing some basic things for LFI, finding a WAF blocking...

IppSec · Beginner ·🔐 Cybersecurity ·2y ago

00:00 - Intro 00:51 - Start of nmap 02:30 - Finding some vulnerable-looking parameters 03:50 - Testing some basic things for LFI, finding a WAF blocking ../. Double encoding it to get passed 07:11 - Start of writing a script to abuse this LFI and crawl/download all the php source 10:30 - Making the script recursive, so it will check pages downloaded for new links 16:50 - Making the script save the files 19:40 - Opening the code in Visual Studio Code, and showing off Snyk's static code anlysis to highlight a Unserialization vuln 22:20 - Identifying how the site generates activation codes upon …

Watch on YouTube ↗ (saves to browser)

Chapters (22)

Intro

0:51 Start of nmap

2:30 Finding some vulnerable-looking parameters

3:50 Testing some basic things for LFI, finding a WAF blocking ../. Double encodin

7:11 Start of writing a script to abuse this LFI and crawl/download all the php sou

10:30 Making the script recursive, so it will check pages downloaded for new links

16:50 Making the script save the files

19:40 Opening the code in Visual Studio Code, and showing off Snyk's static code anl

22:20 Identifying how the site generates activation codes upon registration identify

25:30 Exploiting the PHP Unserialization by finding a vulnerable gadget (wakeup) whi

27:45 Building a deserialization object to download a file off our server and write

32:08 EDIT: Talking about webserver hardening (allow_url_fopen in php) and how it wo

35:00 EDIT: Poisoning our PHP Session with PHP Code as our username, then building a

41:38 Getting a shell on the box, dumping credentials from postgres

44:55 Attempting to crack the passwords, failing, checking the source code to identi

51:25 Passwords cracked logging in as bill

55:10 Using pspy to identify a script runs to renew certificates

57:15 Going over the bash script and identifying a command injection vulnerability.

1:01:45 Failing for a bit because I didn't change the certificate time, then changed t

1:06:04 Finding the CheckEnd parameter, setting our days equal to one but our payload

1:08:15 Putting the payload in $(), and getting root to the box

1:10:20 Just making sure we fully understood why our first attempts failed

Playlist

Uploads from IppSec · IppSec · 0 of 60

← Previous Next →