HackTheBox - Static

Name: HackTheBox - Static
Uploaded: 2021-12-18T14:56:40Z
Channel: IppSec
Description: 00:00 - Intro 01:05 - Start of nmap 02:50 - Noticing there is weird behavior on /vpn, it doesn't direct to the folder /vpn/ probably reverse proxy [Mast...

IppSec · Beginner ·🔐 Cybersecurity ·4y ago

00:00 - Intro 01:05 - Start of nmap 02:50 - Noticing there is weird behavior on /vpn, it doesn't direct to the folder /vpn/ probably reverse proxy [MasterRecon] 04:20 - Corrupted GZIP, using zcat to view it and fixgz to repair 08:30 - Building a Python Script to generate TOTP for MFA (the NTPDate failed because i didn't use -q. Nmap would have worked with -sV) 14:20 - Talking about things I would be monitoring for on Login Forms [Detection] 16:45 - Talking about a common issue when layering VPN's (MTU). Won't fix it right now, since I want to display the weird behavior later 20:15 - VPN Conne…

Watch on YouTube ↗ (saves to browser)

Chapters (25)

Intro

1:05 Start of nmap

2:50 Noticing there is weird behavior on /vpn, it doesn't direct to the folder /vpn

4:20 Corrupted GZIP, using zcat to view it and fixgz to repair

8:30 Building a Python Script to generate TOTP for MFA (the NTPDate failed because

14:20 Talking about things I would be monitoring for on Login Forms [Detection]

16:45 Talking about a common issue when layering VPN's (MTU). Won't fix it right now

20:15 VPN Connection established, looking at routes. Adding additional routes that

28:30 Going over the NMAP ran from the second VPN

30:40 Fully understanding the weird behavior from /vpn earlier on. It is indeed a re

32:00 Exploiting the fact that XDEBUG is enabled on info.php

41:40 Running Chisel to create a pivot rhrough web to access mysql

42:10 The Multiple VPN MTU Issue explained, demonstrating i can't send big packets b

48:00 Finishing with setting up the chisel tunnel

51:45 Switching up chisel to look at PKI.

53:34 Running PHuiP-FPizdaM to exploit PHP-FPM/7.1

57:23 Changing up our Chisel so we can send a reverse shell through the web box

1:01:45 Looking at the ersatool source code to find a printf/format string vulnerabili

1:04:15 Verifying we have the format string vuln and some really basic talk about it

1:07:30 Exploring the memory around our leaked address to defeat ASLR and edit the var

1:10:30 Start of a pwntools script to exploit format string

1:15:48 Pwntools successful leak and calculating offset to the string we want to manip

1:19:05 Explaining how we are going to write to an address and why the null byte is a

1:27:15 Overwriting the ERSA_DIR variable

1:33:55 Tons of funny failing trying to verify this exploit worked

Playlist

Uploads from IppSec · IppSec · 0 of 60

← Previous Next →