HackTheBox - Flujab

Name: HackTheBox - Flujab
Uploaded: 2019-06-15T15:00:06Z
Channel: IppSec
Description: 01:30 - Begin of Recon 04:15 - Adding DNS Names to /etc/hosts 05:20 - Using Aquatone to take HTTP Screenshots of a bunch of pages 11:00 - Start of looki...

IppSec · Beginner ·📊 Data Analytics & Business Intelligence ·6y ago

01:30 - Begin of Recon 04:15 - Adding DNS Names to /etc/hosts 05:20 - Using Aquatone to take HTTP Screenshots of a bunch of pages 11:00 - Start of looking at FreeFlujab.htb 15:40 - Looking at HTTP Cookies we send 17:40 - Editing Cookies in Firefox 19:50 - Discovering SMTP_CONFIG, which lets us change where the mail server is 21:50 - Using FireFox to remove character restrictions on a page 24:15 - The WebPage kept resetting our cookie, using Burp to auto replace 27:30 - Standing up a SMTP Server in python to read mail 30:20 - Discovering SQL Injection 34:50 - SQL Injection confirmed, testing Un…

Watch on YouTube ↗ (saves to browser)

Chapters (32)

1:30 Begin of Recon

4:15 Adding DNS Names to /etc/hosts

5:20 Using Aquatone to take HTTP Screenshots of a bunch of pages

11:00 Start of looking at FreeFlujab.htb

15:40 Looking at HTTP Cookies we send

17:40 Editing Cookies in Firefox

19:50 Discovering SMTP_CONFIG, which lets us change where the mail server is

21:50 Using FireFox to remove character restrictions on a page

24:15 The WebPage kept resetting our cookie, using Burp to auto replace

27:30 Standing up a SMTP Server in python to read mail

30:20 Discovering SQL Injection

34:50 SQL Injection confirmed, testing Union Injections

37:40 Creating a Python Script to aid us in running SQL Injections

37:40 Script: Running a SMTP Server in background thread

41:35 Script: Adding ability to use arrow keys to go to previous command

46:42 Script: Making our command prompt send HTTP Requests

52:40 Dumping database structure from INFORMATION_SCHEMA

1:05:00 Dumping information out of the VACCINATIONS Table

1:07:50 User information dumped, cracking a sha256 hash

1:11:00 Accessing a new HOSTNAME from the database (sysadmin-console-01)

1:16:00 Logging into Ajenti

1:17:00 Discovering Notepad can read files from the server

1:24:10 Looks like there was a SSH Key Compromise on the box from a README File

1:27:40 Searching the compromised debian keys for one on the box

1:29:48 Able to SSH Into the box with the Key! However we are in restricted bash

1:30:30 rBash escape 1: Using GTFOBins to find a way to escape restricted bash

1:32:30 rBash escape 2: Using -t bash argument in SSH to escape restricted bash

1:33:30 Exploiting an old version of Screen to PrivEsc!

1:43:40 Creating files in /home/sysadm

1:46:40 SSH is configured to allow public keys to also be placed in ~/access

1:48:00 Reading Ajenti Documentation to see API lets us change file permissions

1:50:00 Ajenti wants the CHMOD Number to be in a weird format

Playlist

Uploads from IppSec · IppSec · 0 of 60

← Previous Next →