HackTheBox - Ellingson

IppSec · Intermediate ·🔐 Cybersecurity ·6y ago

Key Takeaways

Uses Flask/Werkzeug debug page vulnerability to gain SSH access to Ellingson box

Original Description

01:12 - Begin of recon, examining website seeing the "Hackers" Theme 04:00 - Discovering a Flask/Werkzeug Debug page (Patreon Hack of 2015) 05:00 - Demoing how this is fixed now, with Werkzeug requiring a pin code 06:00 - Testing if we can connect back to our host with ping or curl (cannot) 08:00 - Dropping a SSH Key via python since we cannot reverse shell 13:00 - SSH into the box as the HAL User and clean up the authorized_key file 13:50 - Using xclip to copy and run LinEnum due to a firewall preventing us from curling it 21:00 - Discovering why the WERKZEUG PIN Code was disabled (Environment Variable) 22:27 - Checking out the Garbage SetUID Binary as HAL to discover he cannot run it 24:20 - Using Ghidra to verify we are not missing any functionality 27:30 - Using find to discover what files the adm group is an owner of 28:30 - Displaying exact modify times with ls using time-style argument, then checking logs to see what users changed their password after the shadow backup 31:30 - Cracking the Sha512Crypt (1800) hashes with Hashcat (Discovering Margo's password) 35:30 - Using Ghidra to discover the hardcoded password in the garbage binary 37:00 - Exploring the binary, using Ghidra to see if there are any hidden menu options 41:30 - Installing GDB Enhanced Features (GEF) and pwntools for python3 44:20 - Poorly explaining leaking memory addresses by creating a ROP Chain with puts 48:50 - Begin of Buffer Overflow ROP Chain - leak libc address, call main, overflow password with system(/bin/sh) 49:20 - Using pattern create and offset/search within gef to RSP Overwrite Location 51:30 - Using ropper to discover a pop rdi gadget 53:40 - Beging creating the pwntools skelton exploit, using objdump to get PLT/GOT location of PUTS and performing the memory leak. 01:06:30 - Using Readelf to get important locations in libc and strings to get location of /bin/sh. Then performing all the calculations based upon memory leak 01:15:41 - Putting it all togather to create a gadget c
Watch on YouTube ↗ (saves to browser)
Sign in to unlock AI tutor explanation · ⚡30

Playlist

Uploads from IppSec · IppSec · 0 of 60

← Previous Next →
1 HHC2016 - Analytics
HHC2016 - Analytics
IppSec
2 HackTheBox - October
HackTheBox - October
IppSec
3 HackTheBox - Arctic
HackTheBox - Arctic
IppSec
4 HackTheBox - Brainfuck
HackTheBox - Brainfuck
IppSec
5 HackTheBox - Bank
HackTheBox - Bank
IppSec
6 HackTheBox - Joker
HackTheBox - Joker
IppSec
7 HackTheBox - Lazy
HackTheBox - Lazy
IppSec
8 Camp CTF 2015 - Bitterman
Camp CTF 2015 - Bitterman
IppSec
9 HackTheBox - Devel
HackTheBox - Devel
IppSec
10 Reversing Malicious Office Document (Macro) Emotet(?)
Reversing Malicious Office Document (Macro) Emotet(?)
IppSec
11 HackTheBox - Granny and Grandpa
HackTheBox - Granny and Grandpa
IppSec
12 HackTheBox - Pivoting Update: Granny and Grandpa
HackTheBox - Pivoting Update: Granny and Grandpa
IppSec
13 HackTheBox - Optimum
HackTheBox - Optimum
IppSec
14 HackTheBox - Charon
HackTheBox - Charon
IppSec
15 HackTheBox - Sneaky
HackTheBox - Sneaky
IppSec
16 HackTheBox - Holiday
HackTheBox - Holiday
IppSec
17 HackTheBox - Europa
HackTheBox - Europa
IppSec
18 Introduction to tmux
Introduction to tmux
IppSec
19 HackTheBox - Blocky
HackTheBox - Blocky
IppSec
20 HackTheBox - Nineveh
HackTheBox - Nineveh
IppSec
21 HackTheBox - Jail
HackTheBox - Jail
IppSec
22 HackTheBox - Blue
HackTheBox - Blue
IppSec
23 HackTheBox - Calamity
HackTheBox - Calamity
IppSec
24 HackTheBox - Shrek
HackTheBox - Shrek
IppSec
25 HackTheBox - Mirai
HackTheBox - Mirai
IppSec
26 HackTheBox - Shocker
HackTheBox - Shocker
IppSec
27 HackTheBox - Mantis
HackTheBox - Mantis
IppSec
28 HackTheBox - Node
HackTheBox - Node
IppSec
29 HackTheBox - Kotarak
HackTheBox - Kotarak
IppSec
30 HackTheBox - Enterprise
HackTheBox - Enterprise
IppSec
31 HackTheBox - Sense
HackTheBox - Sense
IppSec
32 HackTheBox - Minion
HackTheBox - Minion
IppSec
33 VulnHub - Sokar
VulnHub - Sokar
IppSec
34 VulnHub - Pinkys Palace v2
VulnHub - Pinkys Palace v2
IppSec
35 HackTheBox - Inception
HackTheBox - Inception
IppSec
36 Vulnhub - Trollcave 1.2
Vulnhub - Trollcave 1.2
IppSec
37 HackTheBox - Ariekei
HackTheBox - Ariekei
IppSec
38 HackTheBox - Flux Capacitor
HackTheBox - Flux Capacitor
IppSec
39 HackTheBox - Jeeves
HackTheBox - Jeeves
IppSec
40 HackTheBox - Tally
HackTheBox - Tally
IppSec
41 HackTheBox - CrimeStoppers
HackTheBox - CrimeStoppers
IppSec
42 HackTheBox - Fulcrum
HackTheBox - Fulcrum
IppSec
43 HackTheBox - Chatterbox
HackTheBox - Chatterbox
IppSec
44 HackTheBox - Falafel
HackTheBox - Falafel
IppSec
45 How To Create Empire Modules
How To Create Empire Modules
IppSec
46 HackTheBox - Nightmare
HackTheBox - Nightmare
IppSec
47 HackTheBox - Nightmarev2  - Speed Run/Unintended Solutions
HackTheBox - Nightmarev2 - Speed Run/Unintended Solutions
IppSec
48 HackTheBox - Bart
HackTheBox - Bart
IppSec
49 HackTheBox -  Aragog
HackTheBox - Aragog
IppSec
50 HackTheBox - Valentine
HackTheBox - Valentine
IppSec
51 HackTheBox - Silo
HackTheBox - Silo
IppSec
52 HackTheBox - Rabbit
HackTheBox - Rabbit
IppSec
53 HackTheBox - Celestial
HackTheBox - Celestial
IppSec
54 HackTheBox - Stratosphere
HackTheBox - Stratosphere
IppSec
55 HackTheBox - Poison
HackTheBox - Poison
IppSec
56 HackTheBox - Canape
HackTheBox - Canape
IppSec
57 HackTheBox - Olympus
HackTheBox - Olympus
IppSec
58 HackTheBox - Sunday
HackTheBox - Sunday
IppSec
59 HackTheBox - Fighter
HackTheBox - Fighter
IppSec
60 HackTheBox - Bounty
HackTheBox - Bounty
IppSec

Related Reads

📰
Active Directory Enumeration & Password Spraying: A Hands-On Guide
Learn hands-on techniques for Active Directory enumeration and password spraying to enhance your internal penetration testing skills in Microsoft Windows environments
Medium · Cybersecurity
📰
The Quantum Internet Explained: How the Next Generation of Communication Could Be Unhackable
Learn how the quantum internet can revolutionize cybersecurity with unhackable communication, and why it matters for the future of data transfer
Medium · Cybersecurity
📰
One login for you and your AI agents. Zero long-lived keys.
Simplify cloud access for humans and AI agents with a tool that eliminates long-lived keys
Medium · Cybersecurity
📰
Zero Trust Starts Before Login: Lessons From Cloud Security
Learn how Zero Trust security starts before login and its importance in cloud security
Medium · DevOps

Chapters (23)

1:12 Begin of recon, examining website seeing the "Hackers" Theme
4:00 Discovering a Flask/Werkzeug Debug page (Patreon Hack of 2015)
5:00 Demoing how this is fixed now, with Werkzeug requiring a pin code
6:00 Testing if we can connect back to our host with ping or curl (cannot)
8:00 Dropping a SSH Key via python since we cannot reverse shell
13:00 SSH into the box as the HAL User and clean up the authorized_key file
13:50 Using xclip to copy and run LinEnum due to a firewall preventing us from curli
21:00 Discovering why the WERKZEUG PIN Code was disabled (Environment Variable)
22:27 Checking out the Garbage SetUID Binary as HAL to discover he cannot run it
24:20 Using Ghidra to verify we are not missing any functionality
27:30 Using find to discover what files the adm group is an owner of
28:30 Displaying exact modify times with ls using time-style argument, then checking
31:30 Cracking the Sha512Crypt (1800) hashes with Hashcat (Discovering Margo's passw
35:30 Using Ghidra to discover the hardcoded password in the garbage binary
37:00 Exploring the binary, using Ghidra to see if there are any hidden menu options
41:30 Installing GDB Enhanced Features (GEF) and pwntools for python3
44:20 Poorly explaining leaking memory addresses by creating a ROP Chain with puts
48:50 Begin of Buffer Overflow ROP Chain - leak libc address, call main, overflow pa
49:20 Using pattern create and offset/search within gef to RSP Overwrite Location
51:30 Using ropper to discover a pop rdi gadget
53:40 Beging creating the pwntools skelton exploit, using objdump to get PLT/GOT loc
1:06:30 Using Readelf to get important locations in libc and strings to get location o
1:15:41 Putting it all togather to create a gadget c
Up next
What is DevSecOps Explained with Examples
VLR Software Training
Watch →