HackTheBox - Rope

Name: HackTheBox - Rope
Uploaded: 2020-05-23T15:00:08Z
Channel: IppSec
Description: 00:00 - Intro 01:10 - Nmap the box, then play with the WebServer. 404 msg are interesting 05:15 - Discovering Directory Traversal and then grabbing the ...

IppSec · Beginner ·🛡️ AI Safety & Ethics ·5y ago

00:00 - Intro 01:10 - Nmap the box, then play with the WebServer. 404 msg are interesting 05:15 - Discovering Directory Traversal and then grabbing the webserver by going to /proc/self/cwd/ 09:25 - Opening the binary up in Ghidra and exploring the binary to understand what it does 18:35 - Discovering we have control over the first argument in log_access/printf 20:05 - Showing one of my most hated things about debugging forks. Be sure to always kill the process! 21:05 - Using GDB to help us analyze the log_access call, by breaking and examining the stack 24:00 - Begin of PrintF (Format Strings…

Watch on YouTube ↗ (saves to browser)

Chapters (18)

Intro

1:10 Nmap the box, then play with the WebServer. 404 msg are interesting

5:15 Discovering Directory Traversal and then grabbing the webserver by going to /p

9:25 Opening the binary up in Ghidra and exploring the binary to understand what it

18:35 Discovering we have control over the first argument in log_access/printf

20:05 Showing one of my most hated things about debugging forks. Be sure to always

21:05 Using GDB to help us analyze the log_access call, by breaking and examining th

24:00 Begin of PrintF (Format Strings) Exploitation, leak a bunch of memory addresse

28:40 Starting to write an exploit script

30:50 Grabbing /proc/self/maps to obtain a memory map which helps bypass ASLR. Anal

34:30 Back to Coding the exploit script, now that we can grab the process map

41:25 Testing our leaking/rebasing code to verify we are leaking correctly then usin

47:00 Running the exploit, seeing the output of "GET" on the Server's STDOUT... Lots

1:01:30 Replacing GET in our request with commands, to see it is running them. Placin

1:03:50 Changing the exploit to use the target... For some reason we have the wrong li

1:08:25 Going to /proc/self/maps again to leak the path of libc, redownloading it and

1:11:30 Going back.. the issues with debugging the printf exploit, to explain it. The

1:17:00 John can sudo the readlogs binary, analyze it with ghidra/ldd to see it calls

Playlist

Uploads from IppSec · IppSec · 0 of 60

← Previous Next →