HackTheBox - Drive

Name: HackTheBox - Drive
Uploaded: 2024-02-17T15:00:12Z
Channel: IppSec
Description: 00:00 - Introduction 01:00 - Start of nmap 02:30 - [MasterRecon] Examining CSRF Cookie to discover it is likely Django 07:50 - Using FFUF to bruteforce ...

IppSec · Beginner ·🔐 Cybersecurity ·2y ago

00:00 - Introduction 01:00 - Start of nmap 02:30 - [MasterRecon] Examining CSRF Cookie to discover it is likely Django 07:50 - Using FFUF to bruteforce ID's of uploaded files, can discover valid ID's but not view the ID itself 14:00 - Accidentally deleting something important when FUZZING, always be careful of what you are doing with tools 16:45 - Discovering the /block endpoint allows us to view any file, discovering a file with credentials which lets us log into the server 23:00 - Setting up a SSH Tunnel to access port 3000, which is Gitea. Discovering an old commit that has the password to …

Watch on YouTube ↗ (saves to browser)

Chapters (20)

Introduction

1:00 Start of nmap

2:30 [MasterRecon] Examining CSRF Cookie to discover it is likely Django

7:50 Using FFUF to bruteforce ID's of uploaded files, can discover valid ID's but n

14:00 Accidentally deleting something important when FUZZING, always be careful of w

16:45 Discovering the /block endpoint allows us to view any file, discovering a file

23:00 Setting up a SSH Tunnel to access port 3000, which is Gitea. Discovering an ol

32:00 Logging into the box as Tom, discovering the DoodleGrive Binary, opening it up

38:45 Looking at the Sanitize_String command, to see what characters we cannot use

41:40 Exploiting DoodleGrive via SQL Injection with the EDIT command, this is easy t

47:40 Got root, our path is messed up which makes the shell hard to use, however fix

50:45 Exploiting DoodleGrive via LOAD_EXTENSION, by dropping a library and using cha

54:00 Our SQL Extension C Code

1:02:36 Failing to use WriteFile() guessing this is because of the size of our input,

1:16:20 Exploit DoodleGrive via Binary Exploitation! Explaining the Overflow and Forma

1:19:30 Creating a python script to find where the Canary exists in memory via the For

1:23:30 Proving this is the canary by stepping through the program in GDB use $fs_base

1:25:30 Finding where we can overwrite the canary with pattern create

1:27:55 Creating a python script to exploit this binary

1:43:40 Converting our pwntools script to use SSH so we can exploit the binary on the

Playlist

Uploads from IppSec · IppSec · 0 of 60

← Previous Next →