HackTheBox - Charon

IppSec · Beginner ·🔐 Cybersecurity ·8y ago

Skills: Network Security80%

1:30 - Rabbit Hole - Searching for SuperCMS 6:23 - Running enumeration in the background (GoBuster) 7:40 - Rabbit Hole - SQLMap Blog SinglePost.php 12:04 - Finding PHP Files in /cmsdata/ (GoBuster) 12:53 - Manual Identification of SQL Injection 15:50 - SQL Injection Explanation 17:20 - Rabbit Hole - Starting SQLMap in the Background 18:10 - SQL Union Injection Explanation 19:30 - Identifying "Bad/Filtered Words" in SQL Injection 21:02 - SQL Union Finding number of items returned 21:48 - Returning data from Union Injection 22:48 - SQL Concat Explanation 23:55 - Enumerating SQL Databases Explanation (Information_Schema) 25:46 - Returning Database, Table, Columns from Information_Schema 29:30 - Scripting to dump all columns 36:45 - Listing of columns in SuperCMS 37:15 - Dumping User Credentials 41:36 - Logging in and exploiting SuperCMS 47:00 - Return of reverse shell 48:40 - Transfering small files from shell to my machine 50:56 - Using RsaCtfTool to decrypt contents with weak public key 52:52 - Breaking weak RSA manually 1:01:20 - Begin PrivEsc to Root 1:02:40 - Transering large files with NC 1:03:50 - Analyzing SuperShell with BinaryNinja (Paid) 1:06:04 - Analyzing SuperShell with Radare2 (Free) 1:08:22 - Exploiting SuperShell 1:12:46 - Encore. Getting a Root Shell with SetUID Binary

Watch on YouTube ↗ (saves to browser)

Sign in to unlock AI tutor explanation · ⚡30

Playlist

Uploads from IppSec · IppSec · 14 of 60

← Previous Next →

HHC2016 - Analytics

HHC2016 - Analytics

HackTheBox - October

HackTheBox - October

HackTheBox - Arctic

HackTheBox - Arctic

HackTheBox - Brainfuck

HackTheBox - Brainfuck

HackTheBox - Bank

HackTheBox - Bank

HackTheBox - Joker

HackTheBox - Joker

HackTheBox - Lazy

HackTheBox - Lazy

Camp CTF 2015 - Bitterman

Camp CTF 2015 - Bitterman

HackTheBox - Devel

HackTheBox - Devel

Reversing Malicious Office Document (Macro) Emotet(?)

Reversing Malicious Office Document (Macro) Emotet(?)

HackTheBox - Granny and Grandpa

HackTheBox - Granny and Grandpa

HackTheBox - Pivoting Update: Granny and Grandpa

HackTheBox - Pivoting Update: Granny and Grandpa

HackTheBox - Optimum

HackTheBox - Optimum

HackTheBox - Charon

HackTheBox - Charon

HackTheBox - Sneaky

HackTheBox - Sneaky

HackTheBox - Holiday

HackTheBox - Holiday

HackTheBox - Europa

HackTheBox - Europa

Introduction to tmux

Introduction to tmux

HackTheBox - Blocky

HackTheBox - Blocky

HackTheBox - Nineveh

HackTheBox - Nineveh

HackTheBox - Jail

HackTheBox - Jail

HackTheBox - Blue

HackTheBox - Blue

HackTheBox - Calamity

HackTheBox - Calamity

HackTheBox - Shrek

HackTheBox - Shrek

HackTheBox - Mirai

HackTheBox - Mirai

HackTheBox - Shocker

HackTheBox - Shocker

HackTheBox - Mantis

HackTheBox - Mantis

HackTheBox - Node

HackTheBox - Node

HackTheBox - Kotarak

HackTheBox - Kotarak

HackTheBox - Enterprise

HackTheBox - Enterprise

HackTheBox - Sense

HackTheBox - Sense

HackTheBox - Minion

HackTheBox - Minion

VulnHub - Sokar

VulnHub - Sokar

VulnHub - Pinkys Palace v2

VulnHub - Pinkys Palace v2

HackTheBox - Inception

HackTheBox - Inception

Vulnhub - Trollcave 1.2

Vulnhub - Trollcave 1.2

HackTheBox - Ariekei

HackTheBox - Ariekei

HackTheBox - Flux Capacitor

HackTheBox - Flux Capacitor

HackTheBox - Jeeves

HackTheBox - Jeeves

HackTheBox - Tally

HackTheBox - Tally

HackTheBox - CrimeStoppers

HackTheBox - CrimeStoppers

HackTheBox - Fulcrum

HackTheBox - Fulcrum

HackTheBox - Chatterbox

HackTheBox - Chatterbox

HackTheBox - Falafel

HackTheBox - Falafel

How To Create Empire Modules

How To Create Empire Modules

HackTheBox - Nightmare

HackTheBox - Nightmare

HackTheBox - Nightmarev2 - Speed Run/Unintended Solutions

HackTheBox - Nightmarev2 - Speed Run/Unintended Solutions

HackTheBox - Bart

HackTheBox - Bart

HackTheBox - Aragog

HackTheBox - Aragog

HackTheBox - Valentine

HackTheBox - Valentine

HackTheBox - Silo

HackTheBox - Silo

HackTheBox - Rabbit

HackTheBox - Rabbit

HackTheBox - Celestial

HackTheBox - Celestial

HackTheBox - Stratosphere

HackTheBox - Stratosphere

HackTheBox - Poison

HackTheBox - Poison

HackTheBox - Canape

HackTheBox - Canape

HackTheBox - Olympus

HackTheBox - Olympus

HackTheBox - Sunday

HackTheBox - Sunday

HackTheBox - Fighter

HackTheBox - Fighter

HackTheBox - Bounty

HackTheBox - Bounty

More on: Network Security

View skill →

GNS3 Labs: DMVPN, IPsec and NAT across BGP Internet routers: Answers Part 7

GNS3 Labs: DMVPN, IPsec and NAT across BGP Internet routers: Answers Part 7

Building a High-throughput VPN

Configuring Network Connectivity Center as a Transit Hub

VPC Flow Logs - Analyzing Network Traffic

HackTheBox - Intentions

HackTheBox - Intentions

Google Cloud Packet Mirroring with OpenSource IDS

Related AI Lessons

Inside Consumer DVRs — Hardware, Firmware & Network Security Evaluation

Learn about the hardware, firmware, and network security of consumer DVRs through a reverse engineering analysis of the Hikvision DS-7204HUHI-K

Medium · Cybersecurity

Cómo construimos un SOC con honeypot e IA local

Learn how to build a Security Operations Center (SOC) using honeypot and local AI to detect and prevent cyber threats

Dev.to · Yoandy Ramirez Delgado

Credentials in web applications: how to store them properly

Learn how to store credentials properly in web applications to prevent breaches

Dev.to · Ian Johnson

XSS Nedir ve Neden Hâlâ Tehlikeli? | Bir Siber Güvenlik Öğrencisinin Notları

Learn about XSS attacks and their ongoing threat to web security

Medium · Cybersecurity

Chapters (28)

1:30 Rabbit Hole - Searching for SuperCMS

6:23 Running enumeration in the background (GoBuster)

7:40 Rabbit Hole - SQLMap Blog SinglePost.php

12:04 Finding PHP Files in /cmsdata/ (GoBuster)

12:53 Manual Identification of SQL Injection

15:50 SQL Injection Explanation

17:20 Rabbit Hole - Starting SQLMap in the Background

18:10 SQL Union Injection Explanation

19:30 Identifying "Bad/Filtered Words" in SQL Injection

21:02 SQL Union Finding number of items returned

21:48 Returning data from Union Injection

22:48 SQL Concat Explanation

23:55 Enumerating SQL Databases Explanation (Information_Schema)

25:46 Returning Database, Table, Columns from Information_Schema

29:30 Scripting to dump all columns

36:45 Listing of columns in SuperCMS

37:15 Dumping User Credentials

41:36 Logging in and exploiting SuperCMS

47:00 Return of reverse shell

48:40 Transfering small files from shell to my machine

50:56 Using RsaCtfTool to decrypt contents with weak public key

52:52 Breaking weak RSA manually

1:01:20 Begin PrivEsc to Root

1:02:40 Transering large files with NC

1:03:50 Analyzing SuperShell with BinaryNinja (Paid)

1:06:04 Analyzing SuperShell with Radare2 (Free)

1:08:22 Exploiting SuperShell

1:12:46 Encore. Getting a Root Shell with SetUID Binary

A single PR just hijacked the NPM registry...