HackTheBox - ForwardSlash

Name: HackTheBox - ForwardSlash
Uploaded: 2020-07-04T15:14:50Z
Channel: IppSec
Description: 00:00 - Intro 00:52 - Begin of Nmap 02:50 - Running Gobuster to Bruteforce the pages and subdomains to find backup.forwardslash.htb 08:10 - Registering ...

IppSec · Beginner ·🔐 Cybersecurity ·5y ago

00:00 - Intro 00:52 - Begin of Nmap 02:50 - Running Gobuster to Bruteforce the pages and subdomains to find backup.forwardslash.htb 08:10 - Registering an account and examining the functions to signed in users 10:00 - Playing with the ProfilePicture.php to discover we can do file inclusion 12:50 - Testing for RFI 14:25 - Using the PHP Filter Wrapper to convert php files to base64 and extract source code 16:50 - Start of creating a script to automate this 19:40 - Terminal portion of the script completed, now to add HTTP Requests 23:30 - Script cannot access the page due to requiring a login ses…

Watch on YouTube ↗ (saves to browser)

Chapters (27)

Intro

0:52 Begin of Nmap

2:50 Running Gobuster to Bruteforce the pages and subdomains to find backup.forward

8:10 Registering an account and examining the functions to signed in users

10:00 Playing with the ProfilePicture.php to discover we can do file inclusion

12:50 Testing for RFI

14:25 Using the PHP Filter Wrapper to convert php files to base64 and extract source

16:50 Start of creating a script to automate this

19:40 Terminal portion of the script completed, now to add HTTP Requests

23:30 Script cannot access the page due to requiring a login session, hard code the

26:50 Script now is able to extract files off the server, now to add a save_file fun

34:00 Using the script we created as a library and building a brute forcer!

37:50 Manually looking at source code while our script runs in the background

42:00 Going back to gobuster seeing the "/dev" directory, extracting source to get c

45:00 Examining the Backup SetUID File with strace, explaining Path Injection (but i

48:00 Opening up the backup file in Ghidra

51:00 Using find to search for files owned by Pain to discover config.php.bak, then

53:40 Abusing the sudo rules to skip the crypto challenge. Upload a luks container

55:45 Creating a Luks Container

58:00 Adding a SetUID Binary in the luks container then uploading it, and executing

1:02:40 Going back to look over the Crypto Challenge

1:06:30 Using the program to encrypt text we know the key to, so we can build a brutef

1:14:00 Found a weird bug, we only need to know the first character of the key and len

1:23:40 Key found, decrypt the container

1:28:55 Going back to the ProfilePicture, and finding the SSRF + XXE Chain

1:33:50 Showing the importance of double URL Encoding

1:42:55 Creating ano

Playlist

Uploads from IppSec · IppSec · 0 of 60

← Previous Next →