HackTheBox - Investigation

Name: HackTheBox - Investigation
Uploaded: 2023-04-22T15:00:29Z
Channel: IppSec
Description: 00:00 - Introduction 01:00 - Start of nmap 02:00 - Start of gobuster 04:00 - Discovering an upload form, looking for where things get uploaded 05:50 - T...

IppSec · Beginner ·🔐 Cybersecurity ·2y ago

00:00 - Introduction 01:00 - Start of nmap 02:00 - Start of gobuster 04:00 - Discovering an upload form, looking for where things get uploaded 05:50 - The upload gives us ExifTool output, including the version number to show it is vulnerable to CVE-2022-23935 08:11 - You should really watch "The Perl Jam" 08:40 - Showing the weird syntax of perl's file open and how | leads to RCE 16:15 - Back to the box, exploiting and getitng a shell 20:00 - Reverse shell returned, looking at the uploaded files 22:35 - Running LinPEAS to discover a cron 27:00 - There's an outlook email message with an attachm…

Watch on YouTube ↗ (saves to browser)

Chapters (21)

Introduction

1:00 Start of nmap

2:00 Start of gobuster

4:00 Discovering an upload form, looking for where things get uploaded

5:50 The upload gives us ExifTool output, including the version number to show it i

8:11 You should really watch "The Perl Jam"

8:40 Showing the weird syntax of perl's file open and how | leads to RCE

16:15 Back to the box, exploiting and getitng a shell

20:00 Reverse shell returned, looking at the uploaded files

22:35 Running LinPEAS to discover a cron

27:00 There's an outlook email message with an attachment. Copying it then convertin

32:45 The file was an windows event log. Using Chainsaw to search through the logs

38:30 Using Chainsaw and JQ to parse the Successful and Failed logins

42:25 In the failed logins field, there's a password as a username and logging in as

44:35 There's a binary on this box, copying it to us and opening in Ghidra

45:30 Start of reversing, just showing strings and finding out where the get loaded

47:00 Running the binary in GDB and showing how arguments work, then renaming and re

51:30 Retyping done, renaming a few variables to make things easier to read

53:45 Cleaning up the curl_easy_setopt, code by creating an enum in C then using Ghi

59:20 Now that the code is cleaned up, it is obvious the program executes perl scrip

1:01:05 Showing there is also a race condition in the binary because the curl download

Playlist

Uploads from IppSec · IppSec · 0 of 60

← Previous Next →