HackTheBox - Proper

Name: HackTheBox - Proper
Uploaded: 2021-08-21T15:00:35Z
Channel: IppSec
Description: 00:00 - Intro 01:05 - Start of nmap and checking the website 04:10 - Looking at the web console which shows the page making a request to Products-Ajax.p...

IppSec · Beginner ·📊 Data Analytics & Business Intelligence ·4y ago

00:00 - Intro 01:05 - Start of nmap and checking the website 04:10 - Looking at the web console which shows the page making a request to Products-Ajax.php then playing with the parameters 10:05 - If the hash parameter is missing the application errors and leaks the secret key and identifying how it signs 14:00 - Using SQLMaps Eval parameter to automate the secure hash generation (Calculated Parameter Bypass) 19:30 - Logging into the application with a password from the database and discovering a LFI 23:50 - Creating a python script to automate the LFI Exploitation 32:00 - Script done attemptin…

Watch on YouTube ↗ (saves to browser)

Chapters (21)

Intro

1:05 Start of nmap and checking the website

4:10 Looking at the web console which shows the page making a request to Products-A

10:05 If the hash parameter is missing the application errors and leaks the secret k

14:00 Using SQLMaps Eval parameter to automate the secure hash generation (Calculate

19:30 Logging into the application with a password from the database and discovering

23:50 Creating a python script to automate the LFI Exploitation

32:00 Script done attempting to perform RFI

34:50 Another Stack Trace, identifying a race condition in their check for examining

35:40 Using SMB to steal the hash of the user running the webserver

40:50 Exploiting the race condition with inotify to get the server in order to execu

48:40 Reverse shell returned! Finding the GoLang Program

53:00 Opening the binaries in Ghidra (prior to installing the golang plugin)

55:40 Installing GoTools to make reversing goland suck less

1:01:30 Start of reversing the client binary, explaining some golang oddities

1:12:00 Running the programs on our local windows machine to identify if we reversed i

1:14:15 Back to Ghidra and reversing server.exe to see what it does to clean files

1:19:50 Using IO Ninja Pipe Monitor to snoop in on the pipes

1:27:50 METHOD 1: Stealing the flag by cleaning, copying off, then decrypting locally

1:35:50 METHOD 2: Creating symlinks to trick the server in copying root.txt to a direc

1:50:15 METHOD 3: Tricking server.exe into writing into system32, then using WerTrigge

Playlist

Uploads from IppSec · IppSec · 0 of 60

← Previous Next →