HackTheBox - Precious

Name: HackTheBox - Precious
Uploaded: 2023-05-20T15:00:04Z
Channel: IppSec
Description: 00:00 - Introduction 01:00 - Start of nmap 02:00 - Checking out the web page and finding command injection in the URL 03:20 - Space appears to be a bad...

IppSec · Beginner ·🔐 Cybersecurity ·2y ago

00:00 - Introduction 01:00 - Start of nmap 02:00 - Checking out the web page and finding command injection in the URL 03:20 - Space appears to be a bad character with command injection. Normal tricks like brace expansion or IFS don't work. 07:20 - Trying IFS to be a space but the trailing character makes it difficult 12:00 - Taking a step back from the RCE, downloading the PDF to examine metadata and discovering it was made with pdfkit 0.8.6, which has public POC's against it 13:00 - The POC puts a space before the exploit which then removes the space being a bad character in our exploit 14:2…

Watch on YouTube ↗ (saves to browser)

Chapters (12)

Introduction

1:00 Start of nmap

2:00 Checking out the web page and finding command injection in the URL

3:20 Space appears to be a bad character with command injection. Normal tricks like

7:20 Trying IFS to be a space but the trailing character makes it difficult

12:00 Taking a step back from the RCE, downloading the PDF to examine metadata and d

13:00 The POC puts a space before the exploit which then removes the space being a b

14:29 Beyond Root/Edit: Using $- to terminate the $IFS, allowing us to bypass the ne

20:30 End of edit, shell as ruby, discovering credentials in a config file for henry

22:53 Henry can run sudo, discover he can execute a ruby script

25:50 Looking up a ruby deserialization exploit with YAML

27:35 Finding a different payload and getting a root shell

Playlist

Uploads from IppSec · IppSec · 0 of 60

← Previous Next →