HackTheBox - Smasher2

00:58 - Begin of Recon 02:30 - Using Wireshark to see why Nmap said HTTP 403 06:15 - Running GoBuster to identify /backup 07:05 - Performing a DNZ Zone Transfer with dig axfr 08:50 - Manually playing with the login form to hunt for SQL Injection 10:50 - Downloading files out of /backup, opening auth.py with vim and ses.so with ghidra 16:42 - Examining /auth endpoint 18:10 - Examining ses.so in Ghidra 20:31 - Renaming variables from Ghidra's decompiler to try to make sense of the code 30:00 - Examining get_internal_usr and pwd to discover the bug 33:20 - Using GDB to debug python and step through ses.so, which makes analyzing decompiled code easier 36:50 - First time attaching the debugger - Seg faults for some reason. 38:30 - Attaching the debugger again, this time it works. Explaining important registers 39:00 - Stepping through the code trying to make sense of registers. This part may not make sense. ### The RDI Value in the STRCMP was from my python script calling ses.so -- RSI is what the program thinks the password is. So if in the Python Script I used ippsec:ippsec, then it would be STRCMP('ippsec','ippsec'). 51:50 - Logging in with Administrator:Administrator and then looking at auth.py to see how the /api works 54:25 - Getting command execution 55:50 - Trying to get a Reverse Shell, discovering a WAF, identifying the bad characters 56:50 - Configuring burp to have a hotkey to "Issue Repeater Request" so we don't have to click send 57:18 - Tips to avoid a web filter/WAF ex: {echo,test}|{ba''se64,-''-d} 1:01:00 - Getting a reverse shell, then upgrading to a SSH Terminal by dropping SSH Key 1:05:05 - Running LinPEAS to identify paths to privesc 1:09:10 - Downloading the custom Linux Kernel Module: DHID then examine in Ghidra 1:12:00 - Looking at Snowscans blog to test the dev_read function 1:14:15 - Looking at the dev_mmap call 1:15:20 - Looking at MWR LAbs paper on insecure MMAP use in kernel modules 1:16:30 - Explaining what we are going to do - Rewrite cr