HackTheBox - Retired

Name: HackTheBox - Retired
Uploaded: 2022-08-13T15:03:03Z
Channel: IppSec
Description: 00:00 - Intro 01:00 - Start of nmap 01:50 - Talking about what the page parameter does and why its normally vulnerable to LFI 03:20 - Running gobuster t...

IppSec · Beginner ·🔐 Cybersecurity ·3y ago

00:00 - Intro 01:00 - Start of nmap 01:50 - Talking about what the page parameter does and why its normally vulnerable to LFI 03:20 - Running gobuster to get a list of files on the webserver while we poke at the LFI 04:45 - Finding an LFI in combination with an EAR (Execute After Read) Vulnerability. Then examining the source code of index.php to see the vulnerability 06:50 - There was an sanitize string function that wasn't recursive, explaining how we could exploit this. 10:00 - Discovering beta.html which is a license upload, grabbing the source code and vulnerable application 13:00 - Grabb…

Watch on YouTube ↗ (saves to browser)

Chapters (24)

Intro

1:00 Start of nmap

1:50 Talking about what the page parameter does and why its normally vulnerable to

3:20 Running gobuster to get a list of files on the webserver while we poke at the

4:45 Finding an LFI in combination with an EAR (Execute After Read) Vulnerability.

6:50 There was an sanitize string function that wasn't recursive, explaining how we

10:00 Discovering beta.html which is a license upload, grabbing the source code and

13:00 Grabbing netstat like information, running processes, and memory maps with our

16:25 Playing with the activate_license executable and finding a buffer overflow

19:50 Using GDB to examine the crash, need to use set follow-fork-mode child to foll

22:55 Crashing the program with a pattern and finding the offset to RSP

23:55 Start of creating our exploit script

24:30 Extracting where activate_license and libc exists within memory using the /pro

22:55 Using objdump to dump the location of system() within the libc version running

27:57 Using ropper to search for gadgets, pop rdi - pop rdx - and one to move values

30:20 Using readelf to look for a writable space within memory for us to write our m

32:00 Building the rop chain to write our command to memory, then call system

37:43 Reverse shell returned running linpeas a

40:00 Failing to run CVE-2022-0847, not sure why

43:50 Discovering a timer that backs up the website as the dev user and its vulnerab

46:20 Examining the ememu directory in dev which is a C Program

47:30 Talking about Binfms and how we will be able to create an interpreter for exte

49:30 Talking about the cap_dac_override permission

50:20 Ex

Playlist

Uploads from IppSec · IppSec · 0 of 60

← Previous Next →