HackTheBox - Ellingson

01:12 - Begin of recon, examining website seeing the "Hackers" Theme 04:00 - Discovering a Flask/Werkzeug Debug page (Patreon Hack of 2015) 05:00 - Demoing how this is fixed now, with Werkzeug requiring a pin code 06:00 - Testing if we can connect back to our host with ping or curl (cannot) 08:00 - Dropping a SSH Key via python since we cannot reverse shell 13:00 - SSH into the box as the HAL User and clean up the authorized_key file 13:50 - Using xclip to copy and run LinEnum due to a firewall preventing us from curling it 21:00 - Discovering why the WERKZEUG PIN Code was disabled (Environment Variable) 22:27 - Checking out the Garbage SetUID Binary as HAL to discover he cannot run it 24:20 - Using Ghidra to verify we are not missing any functionality 27:30 - Using find to discover what files the adm group is an owner of 28:30 - Displaying exact modify times with ls using time-style argument, then checking logs to see what users changed their password after the shadow backup 31:30 - Cracking the Sha512Crypt (1800) hashes with Hashcat (Discovering Margo's password) 35:30 - Using Ghidra to discover the hardcoded password in the garbage binary 37:00 - Exploring the binary, using Ghidra to see if there are any hidden menu options 41:30 - Installing GDB Enhanced Features (GEF) and pwntools for python3 44:20 - Poorly explaining leaking memory addresses by creating a ROP Chain with puts 48:50 - Begin of Buffer Overflow ROP Chain - leak libc address, call main, overflow password with system(/bin/sh) 49:20 - Using pattern create and offset/search within gef to RSP Overwrite Location 51:30 - Using ropper to discover a pop rdi gadget 53:40 - Beging creating the pwntools skelton exploit, using objdump to get PLT/GOT location of PUTS and performing the memory leak. 01:06:30 - Using Readelf to get important locations in libc and strings to get location of /bin/sh. Then performing all the calculations based upon memory leak 01:15:41 - Putting it all togather to create a gadget c