HackTheBox - Investigation

00:00 - Introduction 01:00 - Start of nmap 02:00 - Start of gobuster 04:00 - Discovering an upload form, looking for where things get uploaded 05:50 - The upload gives us ExifTool output, including the version number to show it is vulnerable to CVE-2022-23935 08:11 - You should really watch "The Perl Jam" 08:40 - Showing the weird syntax of perl's file open and how | leads to RCE 16:15 - Back to the box, exploiting and getitng a shell 20:00 - Reverse shell returned, looking at the uploaded files 22:35 - Running LinPEAS to discover a cron 27:00 - There's an outlook email message with an attachment. Copying it then converting to eml format and extracting the file 32:45 - The file was an windows event log. Using Chainsaw to search through the logs 38:30 - Using Chainsaw and JQ to parse the Successful and Failed logins 42:25 - In the failed logins field, there's a password as a username and logging in as smorton 44:35 - There's a binary on this box, copying it to us and opening in Ghidra 45:30 - Start of reversing, just showing strings and finding out where the get loaded in the program 47:00 - Running the binary in GDB and showing how arguments work, then renaming and retyping variables to have decompiled output make more sense 51:30 - Retyping done, renaming a few variables to make things easier to read 53:45 - Cleaning up the curl_easy_setopt, code by creating an enum in C then using Ghidra to "Parse C Source" 59:20 - Now that the code is cleaned up, it is obvious the program executes perl scripts... Funny thing is the perl binary can execute non-perl scripts 1:01:05 - Showing there is also a race condition in the binary because the curl downloads to CWD and even thoe its owned by root we can rename it and take control over the file