HackTheBox - Ellingson

Name: HackTheBox - Ellingson
Uploaded: 2019-10-19T15:00:05Z
Channel: IppSec
Description: 01:12 - Begin of recon, examining website seeing the "Hackers" Theme 04:00 - Discovering a Flask/Werkzeug Debug page (Patreon Hack of 2015) 05:00 - Demo...

IppSec · Intermediate ·🔐 Cybersecurity ·6y ago

01:12 - Begin of recon, examining website seeing the "Hackers" Theme 04:00 - Discovering a Flask/Werkzeug Debug page (Patreon Hack of 2015) 05:00 - Demoing how this is fixed now, with Werkzeug requiring a pin code 06:00 - Testing if we can connect back to our host with ping or curl (cannot) 08:00 - Dropping a SSH Key via python since we cannot reverse shell 13:00 - SSH into the box as the HAL User and clean up the authorized_key file 13:50 - Using xclip to copy and run LinEnum due to a firewall preventing us from curling it 21:00 - Discovering why the WERKZEUG PIN Code was disabled (Environmen…

Watch on YouTube ↗ (saves to browser)

Chapters (23)

1:12 Begin of recon, examining website seeing the "Hackers" Theme

4:00 Discovering a Flask/Werkzeug Debug page (Patreon Hack of 2015)

5:00 Demoing how this is fixed now, with Werkzeug requiring a pin code

6:00 Testing if we can connect back to our host with ping or curl (cannot)

8:00 Dropping a SSH Key via python since we cannot reverse shell

13:00 SSH into the box as the HAL User and clean up the authorized_key file

13:50 Using xclip to copy and run LinEnum due to a firewall preventing us from curli

21:00 Discovering why the WERKZEUG PIN Code was disabled (Environment Variable)

22:27 Checking out the Garbage SetUID Binary as HAL to discover he cannot run it

24:20 Using Ghidra to verify we are not missing any functionality

27:30 Using find to discover what files the adm group is an owner of

28:30 Displaying exact modify times with ls using time-style argument, then checking

31:30 Cracking the Sha512Crypt (1800) hashes with Hashcat (Discovering Margo's passw

35:30 Using Ghidra to discover the hardcoded password in the garbage binary

37:00 Exploring the binary, using Ghidra to see if there are any hidden menu options

41:30 Installing GDB Enhanced Features (GEF) and pwntools for python3

44:20 Poorly explaining leaking memory addresses by creating a ROP Chain with puts

48:50 Begin of Buffer Overflow ROP Chain - leak libc address, call main, overflow pa

49:20 Using pattern create and offset/search within gef to RSP Overwrite Location

51:30 Using ropper to discover a pop rdi gadget

53:40 Beging creating the pwntools skelton exploit, using objdump to get PLT/GOT loc

1:06:30 Using Readelf to get important locations in libc and strings to get location o

1:15:41 Putting it all togather to create a gadget c

Playlist

Uploads from IppSec · IppSec · 0 of 60

← Previous Next →