HackTheBox - Rope2

00:00 - Intro 01:15 - Start of nmap 02:30 - Checking out the webpages, find Gitlab and Page about a custom chrome 03:25 - Viewing the Git log for the custom v8 javascript project and finding the vulnerability 06:00 - Finding an XSS in Contact Us 08:15 - Using the banners to find what version of Ubuntu the target is using 11:50 - Building v8 in Ubuntu 18.04 18:20 - Warning about needing 4 gigs of memory. 23:30 - Everything is compiled! Start of the exploit, looking at some webpages that help out 24:30 - Starting v8 in gdb, then examining some memory structures 29:00 - Explaining Smi, Immediate Small Integer 30:00 - Starting our helper script with number conversions (float/bigint/hex) 34:10 - Doing DebugPrints on our float arrays to examine memory 38:40 - Digging into the memory to see where Map/Property/Elements/Length are in the memory 50:20 - Showing Objects in memory 58:15 - Precursor material to AddrOf and FakeObject, why type confusion leads to memory shenanigans 1:06:30 - Finding GetLastElement() behaves different on object arrays 1:17:00 - Doing Faiths AddrOf and troubleshooting why it doesn't work in ours 1:22:27 - Recoding the AddrOf, to start out with an array not object 1:26:45 - Explaining the FakeObj Primative 1:33:20 - Doing the Read Memory portion 1:37:50 - Coding the Write Memory function 1:40:40 - Using Web Assembly to create RWX 1:42:30 - Doing some memory analysis to find where our RWX location is 1:46:30 - Doing some memory analysis to find where the Backing Store address is 1:50:10 - Using MSFVenom to create some shellcode to touch a file 1:54:20 - Replacing the shellcode with a reverse shell! 1:56:30 - Testing on the custom chrome browser 1:58:30 - Running our exploit against the target!