HackTheBox - Curling

Name: HackTheBox - Curling
Uploaded: 2019-03-30T15:00:03Z
Channel: IppSec
Description: 01:12 - Begin of Recon 01:55 - Running Cewl to generate a wordlist 02:50 - Finding secret.txt in the HTML Source, which happens to be the password 03:28...

IppSec · Beginner ·🧠 Large Language Models ·7y ago

01:12 - Begin of Recon 01:55 - Running Cewl to generate a wordlist 02:50 - Finding secret.txt in the HTML Source, which happens to be the password 03:28 - Runninh JoomScan so we have something running in the background 04:20 - Checking the manifest to get the Joomla Version 06:20 - Explaining what equals mean in base64 07:50 - Begin of hunting for Joomla Username 08:30 - BruteForcing Joomla Login with WFUZZ 10:35 - Troubleshooting by sending wfuzz through burp 12:25 - Turns out the CSRF Token is tied to cookie, adding that to the wfuzz command 17:10 - Success! Logged into Joomla 17:58 - Gainin…

Watch on YouTube ↗ (saves to browser)

Chapters (25)

1:12 Begin of Recon

1:55 Running Cewl to generate a wordlist

2:50 Finding secret.txt in the HTML Source, which happens to be the password

3:28 Runninh JoomScan so we have something running in the background

4:20 Checking the manifest to get the Joomla Version

6:20 Explaining what equals mean in base64

7:50 Begin of hunting for Joomla Username

8:30 BruteForcing Joomla Login with WFUZZ

10:35 Troubleshooting by sending wfuzz through burp

12:25 Turns out the CSRF Token is tied to cookie, adding that to the wfuzz command

17:10 Success! Logged into Joomla

17:58 Gaining code execution by modifying a template

20:20 Getting a reverse shell

23:20 Finding the file: password_backup which is encoded

23:55 Extracting password_backup manually with xxd, zcat, bzcat, tar

25:43 Extracting Password_Backup with CyberChef

27:35 Logging in with Floris

28:17 Looking at /home/floris/AdminArea

28:50 Testing the input file by changing the url to us

29:30 Getting LFI by using file:// within curl

30:38 Pulling the cron, to see what is going on

31:25 Cron shows curl -K to use curl with a config file, checking man page.

32:05 Changing where curl saves to, in order to gain a root shell

33:45 Showing another good file to read with the LFI (logs)

34:18 Using pspy to show when processes start/end, which shows the curl command with

Playlist

Uploads from IppSec · IppSec · 0 of 60

← Previous Next →

HackTheBox - Curling

Chapters (25)

Playlist

Lesson complete!