HackTheBox - Fatty

Name: HackTheBox - Fatty
Uploaded: 2020-08-08T14:59:58Z
Channel: IppSec
Description: 00:00 - Intro 02:10 - Using wget to recursively download files off an annonymous FTP Server 06:00 - Attempting to execute the Java Thick Client, then sw...

IppSec · Intermediate ·🔐 Cybersecurity ·5y ago

00:00 - Intro 02:10 - Using wget to recursively download files off an annonymous FTP Server 06:00 - Attempting to execute the Java Thick Client, then switching to Java version 8 and trying again 08:00 - Seeing the Thick Client makes some DNS Requests, make the DNS Request resolve and attempt to intercept with Burp 11:00 - BurpSuite failed us, using SOCAT to forward the traffic and exploring the Thick Client features 15:20 - Using CFR to decompile a Java JAR File then VS Studio Code to analyze the source 20:40 - Downloading Eclipse and then configuring it to utilize Java 8 and creating a Hello …

Watch on YouTube ↗ (saves to browser)

Chapters (22)

Intro

2:10 Using wget to recursively download files off an annonymous FTP Server

6:00 Attempting to execute the Java Thick Client, then switching to Java version 8

8:00 Seeing the Thick Client makes some DNS Requests, make the DNS Request resolve

11:00 BurpSuite failed us, using SOCAT to forward the traffic and exploring the Thic

15:20 Using CFR to decompile a Java JAR File then VS Studio Code to analyze the sour

20:40 Downloading Eclipse and then configuring it to utilize Java 8 and creating a H

25:30 Importing a Java JAR File into our Java Project then calling Login

33:40 Replicating the functionality to identify what Role we are, then other functio

37:45 Calling the Invoker Class to execute methods on the server

42:50 Attempting to call methods that the GUI prohibited us from

45:30 Using ShowFiles to see we can list files in our parent directory, then using O

53:40 Failing to download the fatty-server.jar file due to encoding issues

58:40 Unsealing the JAR File so we can edit the Invoker Class Object to fix our enco

1:10:00 Utilizing our new binaryOpen function to write to a file

1:14:45 Debugging a null pointer error, our binaryOpen function returned nothing!

1:21:00 Decompiling the downloaded fatty server and analyzing it to discover a SQL Inj

1:28:50 Playing with SQL Injections in the username to get an admin session

1:40:00 Modifying the ChangePW Function to allow us to send malicious payloads, then u

1:48:30 Using CommonsCollections5 to generate a malicious payload to send and getting

1:57:17 Getting PsSpy on the box and discovering SCP is pulling files

1:59:50 Explaining what our exploit path is, having a tar overwrite itself and point t

Playlist

Uploads from IppSec · IppSec · 0 of 60

← Previous Next →