HackTheBox - Rope2

Name: HackTheBox - Rope2
Uploaded: 2021-01-16T15:00:30Z
Channel: IppSec
Description: 00:00 - Intro 01:15 - Start of nmap 02:30 - Checking out the webpages, find Gitlab and Page about a custom chrome 03:25 - Viewing the Git log for the cu...

IppSec · Beginner ·🔐 Cybersecurity ·5y ago

00:00 - Intro 01:15 - Start of nmap 02:30 - Checking out the webpages, find Gitlab and Page about a custom chrome 03:25 - Viewing the Git log for the custom v8 javascript project and finding the vulnerability 06:00 - Finding an XSS in Contact Us 08:15 - Using the banners to find what version of Ubuntu the target is using 11:50 - Building v8 in Ubuntu 18.04 18:20 - Warning about needing 4 gigs of memory. 23:30 - Everything is compiled! Start of the exploit, looking at some webpages that help out 24:30 - Starting v8 in gdb, then examining some memory structures 29:00 - Explaining Smi, Immediate…

Watch on YouTube ↗ (saves to browser)

Chapters (29)

Intro

1:15 Start of nmap

2:30 Checking out the webpages, find Gitlab and Page about a custom chrome

3:25 Viewing the Git log for the custom v8 javascript project and finding the vulne

6:00 Finding an XSS in Contact Us

8:15 Using the banners to find what version of Ubuntu the target is using

11:50 Building v8 in Ubuntu 18.04

18:20 Warning about needing 4 gigs of memory.

23:30 Everything is compiled! Start of the exploit, looking at some webpages that h

24:30 Starting v8 in gdb, then examining some memory structures

29:00 Explaining Smi, Immediate Small Integer

30:00 Starting our helper script with number conversions (float/bigint/hex)

34:10 Doing DebugPrints on our float arrays to examine memory

38:40 Digging into the memory to see where Map/Property/Elements/Length are in the m

50:20 Showing Objects in memory

58:15 Precursor material to AddrOf and FakeObject, why type confusion leads to memor

1:06:30 Finding GetLastElement() behaves different on object arrays

1:17:00 Doing Faiths AddrOf and troubleshooting why it doesn't work in ours

1:22:27 Recoding the AddrOf, to start out with an array not object

1:26:45 Explaining the FakeObj Primative

1:33:20 Doing the Read Memory portion

1:37:50 Coding the Write Memory function

1:40:40 Using Web Assembly to create RWX

1:42:30 Doing some memory analysis to find where our RWX location is

1:46:30 Doing some memory analysis to find where the Backing Store address is

1:50:10 Using MSFVenom to create some shellcode to touch a file

1:54:20 Replacing the shellcode with a reverse shell!

1:56:30 Testing on the custom chrome browser

1:58:30 Running our exploit against the target!

Playlist

Uploads from IppSec · IppSec · 0 of 60

← Previous Next →