HackTheBox - Patents

Name: HackTheBox - Patents
Uploaded: 2020-05-16T14:58:27Z
Channel: IppSec
Description: 00:00 - Intro 01:00 - Begin of nmap, there's a weird 8888 port. 03:55 - Looking at the website, downloading a docx 06:30 - Finally running GoBuster, doi...

IppSec · Beginner ·📰 AI News & Updates ·5y ago

00:00 - Intro 01:00 - Begin of nmap, there's a weird 8888 port. 03:55 - Looking at the website, downloading a docx 06:30 - Finally running GoBuster, doing the raft wordlist because it has "UpdateDetails" 15:15 - Running GoBuster against the "release" directory to get release notes and researching XML and DocX 22:00 - Adding an XXE Payload into our Word Document: customXml/item1.xml 26:15 - Making an XXE Chain to extract files using HTTP and PHP's Encoder 33:20 - Extracting the Apache Config to see DocRoot, then extracting config.php 37:40 - Exploring LFI Injection into getPatent_alphav1.0.php,…

Watch on YouTube ↗ (saves to browser)

Chapters (23)

Intro

1:00 Begin of nmap, there's a weird 8888 port.

3:55 Looking at the website, downloading a docx

6:30 Finally running GoBuster, doing the raft wordlist because it has "UpdateDetail

15:15 Running GoBuster against the "release" directory to get release notes and rese

22:00 Adding an XXE Payload into our Word Document: customXml/item1.xml

26:15 Making an XXE Chain to extract files using HTTP and PHP's Encoder

33:20 Extracting the Apache Config to see DocRoot, then extracting config.php

37:40 Exploring LFI Injection into getPatent_alphav1.0.php, explaining what happens

42:10 Exploring Log File Poisoning

54:00 Shell returned on the box, fixing up the TTY and searching for files by creati

58:30 There's a file in /opt/, that hints at a cronjob running a task every minute.

1:01:40 Password is exposed in the command, this is the root password to the docker.

1:11:25 Exploring the lfm directory and examining old git commit's to get the binary o

1:15:00 Opening up on Ghidra, defining main

1:17:20 Going into the first piece of the program which looks like an argument check.

1:20:30 Searching for the password in the binary to see where it is used. Use GDB to

1:24:30 Start of creating an exploit script

1:29:50 Changing the password to ippsec, and looking at it in GDB to confirm a variabl

1:44:10 Discover the applicaiton is expecting files to be in /files/, behaves like DOC

1:45:10 Explaining where I think the Buffer Overflow Happens (URLDecode)

1:50:00 Crashed the applicaiton, discovering the correct spot to overwrite with "patte

1:54:00 Using Ropper to find some pop gadgets to use, then cre

Playlist

Uploads from IppSec · IppSec · 0 of 60

← Previous Next →

HackTheBox - Patents

Chapters (23)

Playlist

Lesson complete!