HackTheBox - Player2

Name: HackTheBox - Player2
Uploaded: 2020-06-27T15:02:07Z
Channel: IppSec
Description: 00:00 - Intro 00:51 - Begin of NMAP 02:00 - Identifying the Virtual Host (VHOST) player2.htb and doing recon on the webserver 07:00 - Testing basic SQL ...

IppSec · Beginner ·🔐 Cybersecurity ·5y ago

00:00 - Intro 00:51 - Begin of NMAP 02:00 - Identifying the Virtual Host (VHOST) player2.htb and doing recon on the webserver 07:00 - Testing basic SQL Injection on product.player2.htb 08:10 - Running gobuster against the product domain to find potential pages 13:00 - Running gobuster to try to enumerate sub domains. 17:50 - Checking the full port scan of the box to see 8545 19:45 - Gobuster had an issue enumerating subdomains, switched to wfuzz 22:45 - Investigation TWIRP because port 8545 had that in an error mesage 24:40 - Running gobuster to hunt for protobuf files and api endpoints 28:50 …

Watch on YouTube ↗ (saves to browser)

Chapters (30)

Intro

0:51 Begin of NMAP

2:00 Identifying the Virtual Host (VHOST) player2.htb and doing recon on the webser

7:00 Testing basic SQL Injection on product.player2.htb

8:10 Running gobuster against the product domain to find potential pages

13:00 Running gobuster to try to enumerate sub domains.

17:50 Checking the full port scan of the box to see 8545

19:45 Gobuster had an issue enumerating subdomains, switched to wfuzz

22:45 Investigation TWIRP because port 8545 had that in an error mesage

24:40 Running gobuster to hunt for protobuf files and api endpoints

28:50 Exploring the generated.proto file

32:00 Seeing how TWIRP uses Protobuf files, then making the HTTP Request to pull cre

43:50 Using Hydra to bruteforce an http login form

47:50 Exploring login logic to see how SESSIONS are handled after invalid logins

50:00 Testing /api/totp now that we have a session and finding ways to generate back

54:00 Looking at the authenticated product page

56:00 Playing with the upload form of the protobs interface

59:20 (unintended) Hunting for the uploads/ directory and testing for potential race

1:03:00 Winning the race to get a reverse shell

1:05:15 Doing the firmware upload the intended way.

1:07:20 Using DD to extract data out of binwalk

1:09:50 Exploring the firmware in Ghidra

1:11:50 Testing the firmware signing by opening the ELF in a hex editor and changing a

1:15:10 Editing the string in the system() call test for RRCE

1:19:30 Changing our ping command to be a reverse shell

1:27:00 Reverse shell returned but wanted to see how much of this ELF we messed up by

1:35:00 Checking the MySQL Database for creds

1:41:50 Running pspy to see some hidden crons

1:44:40 Running chisel to forward the MQTT Port back to our box

1:51:10 Using mosquitto_sub to subscribe to a topic and get messages

Playlist

Uploads from IppSec · IppSec · 0 of 60

← Previous Next →