HackTheBox - Smasher2

Name: HackTheBox - Smasher2
Uploaded: 2019-12-28T20:12:30Z
Channel: IppSec
Description: 00:58 - Begin of Recon 02:30 - Using Wireshark to see why Nmap said HTTP 403 06:15 - Running GoBuster to identify /backup 07:05 - Performing a DNZ Zone ...

IppSec · Beginner ·🔐 Cybersecurity ·6y ago

00:58 - Begin of Recon 02:30 - Using Wireshark to see why Nmap said HTTP 403 06:15 - Running GoBuster to identify /backup 07:05 - Performing a DNZ Zone Transfer with dig axfr 08:50 - Manually playing with the login form to hunt for SQL Injection 10:50 - Downloading files out of /backup, opening auth.py with vim and ses.so with ghidra 16:42 - Examining /auth endpoint 18:10 - Examining ses.so in Ghidra 20:31 - Renaming variables from Ghidra's decompiler to try to make sense of the code 30:00 - Examining get_internal_usr and pwd to discover the bug 33:20 - Using GDB to debug python and step throu…

Watch on YouTube ↗ (saves to browser)

Chapters (26)

0:58 Begin of Recon

2:30 Using Wireshark to see why Nmap said HTTP 403

6:15 Running GoBuster to identify /backup

7:05 Performing a DNZ Zone Transfer with dig axfr

8:50 Manually playing with the login form to hunt for SQL Injection

10:50 Downloading files out of /backup, opening auth.py with vim and ses.so with ghi

16:42 Examining /auth endpoint

18:10 Examining ses.so in Ghidra

20:31 Renaming variables from Ghidra's decompiler to try to make sense of the code

30:00 Examining get_internal_usr and pwd to discover the bug

33:20 Using GDB to debug python and step through ses.so, which makes analyzing decom

36:50 First time attaching the debugger - Seg faults for some reason.

38:30 Attaching the debugger again, this time it works. Explaining important regist

39:00 Stepping through the code trying to make sense of registers. This part may no

51:50 Logging in with Administrator:Administrator and then looking at auth.py to see

54:25 Getting command execution

55:50 Trying to get a Reverse Shell, discovering a WAF, identifying the bad characte

56:50 Configuring burp to have a hotkey to "Issue Repeater Request" so we don't have

57:18 Tips to avoid a web filter/WAF ex: {echo,test}|{ba''se64,-''-d}

1:01:00 Getting a reverse shell, then upgrading to a SSH Terminal by dropping SSH Key

1:05:05 Running LinPEAS to identify paths to privesc

1:09:10 Downloading the custom Linux Kernel Module: DHID then examine in Ghidra

1:12:00 Looking at Snowscans blog to test the dev_read function

1:14:15 Looking at the dev_mmap call

1:15:20 Looking at MWR LAbs paper on insecure MMAP use in kernel modules

1:16:30 Explaining what we are going to do - Rewrite cr

Playlist

Uploads from IppSec · IppSec · 0 of 60

← Previous Next →