HackTheBox - Overflow

Name: HackTheBox - Overflow
Uploaded: 2022-04-09T14:57:51Z
Channel: IppSec
Description: 00:00 - Intro 01:00 - Start of nmap 02:20 - Taking a look at the website 03:10 - Examining the AUTH Cookie and talking about why its unique 05:40 - Runn...

IppSec · Beginner ·🔐 Cybersecurity ·3y ago

00:00 - Intro 01:00 - Start of nmap 02:20 - Taking a look at the website 03:10 - Examining the AUTH Cookie and talking about why its unique 05:40 - Running FeroxBuster, talking about why I started using it 08:15 - Examining the length of the cookie with various usernames to discover the cookie length changes 11:30 - Discovering the block size 12:30 - Modifying the cookie and getting an Invalid Padding error message. Which indicates it may be vulnerable to Padding Oracle 14:20 - Running padbuster to perform the Padding Oracle attack and decrypt the cookie. Then creating a new cookie changing o…

Watch on YouTube ↗ (saves to browser)

Chapters (22)

Intro

1:00 Start of nmap

2:20 Taking a look at the website

3:10 Examining the AUTH Cookie and talking about why its unique

5:40 Running FeroxBuster, talking about why I started using it

8:15 Examining the length of the cookie with various usernames to discover the cook

11:30 Discovering the block size

12:30 Modifying the cookie and getting an Invalid Padding error message. Which indic

14:20 Running padbuster to perform the Padding Oracle attack and decrypt the cookie.

19:30 Changing our cookie to the forged one and logging into the application as Admi

21:05 Finding an SQL Injection in the Logs endpoint, using SQLMap to dump everything

29:15 Going over the SQLMap history files to view previously dumped data, so we don'

33:00 Cannot crack the MD5's in the database, downloading the CMS Made Simple source

42:30 Cracking the salted MD5 password of the editor user with hashcat

45:10 Going to the devbuild-job.overflow.htb and discover there's an upload resume

49:00 Uploading a jpeg results in the server giving us the ExifTool version, finding

54:00 Reverse shell returned, getting developers password and using SSH to login as

56:35 Using find to list files owned by developer to find files owned by developer

59:20 Hunting for files owned by tester and discovering commontask.sh, we can exploi

1:02:55 Shell as tester

1:04:25 Talking about extended attributes, using getfacl to show them

1:06:00 Discovering a SetUID File, every time running it there is the same PIN Code it

Playlist

Uploads from IppSec · IppSec · 0 of 60

← Previous Next →