HackTheBox - Faculty

Name: HackTheBox - Faculty
Uploaded: 2022-10-22T15:07:30Z
Channel: IppSec
Description: 00:00 - Intro 01:01 - Start of nmap 02:10 - Testing login of the webapp, finding SQL Injection to bypass it 03:20 - Running gobuster with our cookie so ...

IppSec · Beginner ·🔐 Cybersecurity ·3y ago

00:00 - Intro 01:01 - Start of nmap 02:10 - Testing login of the webapp, finding SQL Injection to bypass it 03:20 - Running gobuster with our cookie so it has access to any authenticated page 04:50 - Examining the course edit functionality and discovering how the page tells us if our update was a success 05:50 - Explaning the dangerous thing with update injections, we accidentally changed EVERY row. 08:45 - Extracting information from this Update Injection in MySQL by editing a second column 10:15 - Standard MySQL Injection to extract table information from Information_Schema, then dumping has…

Watch on YouTube ↗ (saves to browser)

Chapters (25)

Intro

1:01 Start of nmap

2:10 Testing login of the webapp, finding SQL Injection to bypass it

3:20 Running gobuster with our cookie so it has access to any authenticated page

4:50 Examining the course edit functionality and discovering how the page tells us

5:50 Explaning the dangerous thing with update injections, we accidentally changed

8:45 Extracting information from this Update Injection in MySQL by editing a second

10:15 Standard MySQL Injection to extract table information from Information_Schema,

15:00 Showing a second login form, which is also SQL Injectable

17:00 Examining the Generate PDF Function

19:00 Verifying we can put HTML in the PDF

21:40 Going to GitHub Issues and finding issues with MPDF to find vulnerabilities in

22:30 Showing we do have SSRF but this doesn't really give us anything

24:10 Using Annotations to add loca files into the PDF

25:25 Dumping source code of the webapp to find the configuration file, then getting

29:40 Testing the MySQL Password with SSH and logging in as gbyolo

31:20 Exploiting Meta-Git to gain access to the developer user

36:40 Shell as Developer and running LinPEAS

38:48 Testing CVE-2022-2588 as a privesc on Ubuntu, it works! (unintended route)

42:30 Finding GDB has cap_sys_ptrace permissions, which means we can debug processes

43:20 Using MSFVENOM to generate shellcode to perform a reverse shell, which we will

45:00 Creating a python script to format the shellcode in a way we can just paste it

46:25 Explaining the modulo operator (%) which is how we will pad our payload

49:00 Building our payload

53:00 Payload has been built! Lets inject it into a process and get a shell

Playlist

Uploads from IppSec · IppSec · 0 of 60

← Previous Next →