HackTheBox - Safe

Name: HackTheBox - Safe
Uploaded: 2019-10-26T15:00:01Z
Channel: IppSec
Description: 00:40 - Begin of nmap 02:31 - Discovering MyApp in the HTML Source 03:30 - Examining MyApp on port 1337 05:30 - Opening myapp up in Ghidra 07:20 - Testi...

IppSec · Intermediate ·🔐 Cybersecurity ·6y ago

00:40 - Begin of nmap 02:31 - Discovering MyApp in the HTML Source 03:30 - Examining MyApp on port 1337 05:30 - Opening myapp up in Ghidra 07:20 - Testing out the buffer overflow 08:40 - Using pattern search to see where we can overwrite RSP 10:15 - Create a PwnTool Skeleton and having it call main instead of crashing 12:30 - Testing calling main (error: need to do recvline to send text) 13:50 - Explaining hijacking the SYSTEM() call 17:11 - Finding a way to put user input into RDI 17:30 - Examining the Test Function which places RSP to RDI 19:50 - Finding a pop r13 as the Test Function jumps…

Watch on YouTube ↗ (saves to browser)

Chapters (20)

0:40 Begin of nmap

2:31 Discovering MyApp in the HTML Source

3:30 Examining MyApp on port 1337

5:30 Opening myapp up in Ghidra

7:20 Testing out the buffer overflow

8:40 Using pattern search to see where we can overwrite RSP

10:15 Create a PwnTool Skeleton and having it call main instead of crashing

12:30 Testing calling main (error: need to do recvline to send text)

13:50 Explaining hijacking the SYSTEM() call

17:11 Finding a way to put user input into RDI

17:30 Examining the Test Function which places RSP to RDI

19:50 Finding a pop r13 as the Test Function jumps to r13

23:30 Putting the gadget togather for code execution

27:00 Setting pwntools to exploit the remote host

28:30 Shell on the box

29:15 Dropping SSH Key to get a normal shell and copying keepass files

31:40 Using keepass2john to create hashes to crack

35:00 Cracking keepass hashes with hashcat

37:50 Using kpcli to export the root password

39:20 Using the root password to su to the root user

Playlist

Uploads from IppSec · IppSec · 0 of 60

← Previous Next →