HackTheBox - Phoenix

Name: HackTheBox - Phoenix
Uploaded: 2022-06-25T15:00:24Z
Channel: IppSec
Description: 00:00 - Intro 01:00 - Start of nmap 02:22 - Taking a look at the SSL Certificates and website to find blog/forum 04:57 - Running WPScan, explaining why ...

IppSec · Beginner ·🔐 Cybersecurity ·3y ago

00:00 - Intro 01:00 - Start of nmap 02:22 - Taking a look at the SSL Certificates and website to find blog/forum 04:57 - Running WPScan, explaining why i like aggressive scanning 09:00 - Finding public vulnerability in Asgaros Forms (Blind Time Based SQLi) 10:45 - Running SQLMap to confirm the injection 21:00 - Examining the Wordpress Database structure, so we can run SQLMap to dump very specific things 25:20 - Cracking wordpress credentials to find out we can't use any because of MFA 30:10 - Using our SQL Injection to dump a list of activated plugins in wordpress 32:00 - Finding an exploit in…

Watch on YouTube ↗ (saves to browser)

Chapters (25)

Intro

1:00 Start of nmap

2:22 Taking a look at the SSL Certificates and website to find blog/forum

4:57 Running WPScan, explaining why i like aggressive scanning

9:00 Finding public vulnerability in Asgaros Forms (Blind Time Based SQLi)

10:45 Running SQLMap to confirm the injection

21:00 Examining the Wordpress Database structure, so we can run SQLMap to dump very

25:20 Cracking wordpress credentials to find out we can't use any because of MFA

30:10 Using our SQL Injection to dump a list of activated plugins in wordpress

32:00 Finding an exploit in the Download From Files plugin, converting it to ignore

35:45 Uploading a malicious phtml (php) file to get a shell on the box

41:00 Examining how MFA is enabled on SSH/SU by looking at PAM files

42:10 Discovering the 10.11.12.13 network can bypass MFA, which our host is on.

45:10 Using find to show files created between two dates

48:20 Discovering backups are created in /backups and explaining why we cannot view

48:50 Looking in the */local/bin directories to discover an obfuscated shell script

51:30 Running the script and then examining the /proc/pid directory to find the shel

52:50 Explaining wildcard injection

56:00 Exploiting the wildcard injection in rsync

57:30 Showing how we could of used the SQL Injection to leak all the secrets in the

59:10 Looking at the MiniOrange MFA Source Code, the uninstall.php shows a lot of go

1:03:45 Showing how to do a "pretty print" or format output better in a MySQL Command

1:06:45 Failing to generate a QR Code that we can use google authenticator to login wi

1:12:44 Going back to the source code to find another way to generate MFA Codes

1:15:45 Fixing our generator script to decrypt the secret which we can paste to oautht

Playlist

Uploads from IppSec · IppSec · 0 of 60

← Previous Next →